Config & env

A condensed reference. For prose and examples see Configuration.

Keys

Key Env Type Default Constraint / note
mode IAM_CLIENT_MODE string local http selects the remote transport; any other value → local
http.base_url IAM_CLIENT_BASE_URL string null versioned API root; client appends /decisions/check
http.token IAM_CLIENT_TOKEN string|null null Bearer; omitted from request when null
http.timeout int 5 Guzzle timeout, seconds
subject_type string user sent as subject.type
default_application IAM_CLIENT_APP string|null null default application
default_organization IAM_CLIENT_ORG string|null null default organization
cache.enabled bool true wrap transport in CachingDecider
cache.ttl int 30 seconds; <= 0 disables caching
cache.store string|null null Laravel cache store; null = default
gate.enabled bool true register Gate::before adapter
gate.intercept string namespaced namespaced (only : abilities) or all

Env-only quick start

http
local
IAM_CLIENT_MODE=http
IAM_CLIENT_BASE_URL=https://iam.example.com/api/iam/v1
IAM_CLIENT_TOKEN=${IAM_SERVICE_TOKEN}
IAM_CLIENT_APP=billing
IAM_CLIENT_ORG=org_acme
IAM_CLIENT_MODE=local
IAM_CLIENT_APP=billing
IAM_CLIENT_ORG=org_acme

Defaulting rules (how config is read)

The service provider reads config defensively — a value of the wrong type falls back to the default:

Reader Falls back when
string keys (mode, http.*, gate.intercept, …) value is not a non-empty string
cache.enabled, gate.enabled value is not a bool → the documented default
http.timeout, cache.ttl value is not an int → the documented default

So a malformed env value can’t silently produce undefined behavior — it produces the safe default.

Behavior toggles at a glance

Want to… Set
Use the remote server mode=http + http.base_url (+ http.token)
Use the in-process PDP mode=local (needs an AuthorizationEngine binding)
Disable decision caching cache.enabled=false or cache.ttl=0
Share cache across nodes cache.store=redis (or another shared store)
Stop the Gate adapter (e.g. shadow mode) gate.enabled=false
Centralize every ability gate.intercept=all (only after all are declared)

See also