Site configuration

Site configuration defines how various Sourcegraph features behave. See the full reference below for a comprehensive list of site configuration options.

Configuration overview

Go here for an overview of configuring Sourcegraph.

View and edit site configuration

Site admins can view and edit site configuration on a Sourcegraph instance:

  1. Go to User menu > Site admin.
  2. Open the Configuration page. (The URL is


All site configuration options and their default values are shown below.


	// Prompts user to install new browser for non es5
	"RedirectUnsupportedBrowser": false,

	// Configuration for API rate limiting
	"api.ratelimit": null,

	// Enables and configures password policy. This will allow admins to enforce password complexity and length requirements.
	"auth.passwordPolicy": null,

	// When true, site admins will only be able to see private code they have access to via our authz system.
	"authz.enforceForSiteAdmins": false,

	// Time interval (in seconds) of how often each component picks up authorization changes in external services.
	"authz.refreshInterval": 5,

	// EXPERIMENTAL: Number of sync job records to retain. Set to a negative value to disable sync jobs records entirely.
	"authz.syncJobsRecordsLimit": 100,

	// Customize Sourcegraph homepage logo and search icon.
	// Only available in Sourcegraph Enterprise.
	"branding": null,
	// Other example values:
	// - {
	//     "dark": {
	//       "logo": "",
	//       "symbol": ""
	//     },
	//     "disableSymbolSpin": true,
	//     "favicon": "",
	//     "light": {
	//       "logo": "",
	//       "symbol": ""
	//     }
	//   }

	// Whether clone progress should be logged to a file. If enabled, logs are written to files in the OS default path for temporary files.
	"cloneProgress.log": false,

	// The rate limit (in requests per hour) for the default rate limiter in the rate limiters registry. By default this is disabled and the default rate limit is infinity.
	"defaultRateLimit": -1,

	// Configuration for encryption keys used to encrypt data at rest in the database.
	"encryption.keys": null,

	// The shared secret between Sourcegraph and executors.
	"executors.accessToken": null,

	// The image to use for batch changes in executors. Use this value to pull from a custom image registry.
	"executors.batcheshelperImage": "sourcegraph/batcheshelper",

	// The tag to use for the batcheshelper image in executors. Use this value to use a custom tag. Sourcegraph by default uses the best match, so use this setting only if you really need to overwrite it and make sure to keep it updated.
	"executors.batcheshelperImageTag": null,
	// Other example values:
	// - "4.1.0"

	// The URL where Sourcegraph executors can reach the Sourcegraph instance. If not set, defaults to externalURL. URLs with a path (other than `/`) are not allowed. For Docker executors, the special hostname `host.docker.internal` can be used to refer to the Docker container's host.
	"executors.frontendURL": null,
	// Other example values:
	// - ""

	// The image to use for src-cli in executors. Use this value to pull from a custom image registry.
	"executors.srcCLIImage": "sourcegraph/src-cli",

	// The tag to use for the src-cli image in executors. Use this value to use a custom tag. Sourcegraph by default uses the best match, so use this setting only if you really need to overwrite it and make sure to keep it updated.
	"executors.srcCLIImageTag": null,
	// Other example values:
	// - "4.1.0"

	"exportUsageTelemetry": null,

	// Enable to allow users to add external services for public and private repositories to the Sourcegraph instance.
	"externalService.userMode": "disabled",

	// The externally accessible URL for Sourcegraph (i.e., what you type into your browser). Previously called `appURL`. Only root URLs are allowed.
	"externalURL": null,
	// Other example values:
	// - ""

	// The config options for Sourcegraph GitHub App.
	"gitHubApp": null,

	// Record git operations that are executed on configured repositories. The following commands are not recorded: show, log, rev-parse and diff.
	"gitRecorder": null,

	// Configuration for logging and alerting, including to external services.
	"log": null,

	// Configure notifications for Sourcegraph's built-in alerts.
	"observability.alerts": null,

	// EXPERIMENTAL: Configuration for client observability
	"observability.client": null,

	// Silence individual Sourcegraph alerts by identifier.
	"observability.silenceAlerts": null,

	// Configures distributed tracing within Sourcegraph. To learn more, refer to
	"observability.tracing": null,

	// Configuration for organization invitations.
	"organizationInvitations": null,

	// The maximum number of outbound requests to retain. This is a global limit across all outbound requests. If the limit is exceeded, older items will be deleted. If the limit is 0, no outbound requests are logged.
	"outboundRequestLogLimit": 50,

	// Time interval (in seconds) of how often cleanup worker should remove old jobs from permissions sync jobs table.
	"permissions.syncJobCleanupInterval": 60,

	// The number of last repo/user permission jobs to keep for history.
	"permissions.syncJobsHistorySize": 5,

	// Number of repo permissions to schedule for syncing in single scheduler iteration.
	"permissions.syncOldestRepos": 10,

	// Number of user permissions to schedule for syncing in single scheduler iteration.
	"permissions.syncOldestUsers": 10,

	// Don't sync a repo's permissions if it has synced within the last n seconds.
	"permissions.syncReposBackoffSeconds": 60,

	// Time interval (in seconds) of how often each component picks up authorization changes in external services.
	"permissions.syncScheduleInterval": 15,

	// Don't sync a user's permissions if they have synced within the last n seconds.
	"permissions.syncUsersBackoffSeconds": 60,

	// The maximum number of user-centric permissions syncing jobs that can be spawned concurrently. Service restart is required to take effect for changes.
	"permissions.syncUsersMaxConcurrency": 1,

	// Enables redacting sensitive information from outbound requests. Important: We only respect this setting in development environments. In production, we always redact outbound requests.
	"redactOutboundRequestHeaders": null,

	// Syntax highlighting configuration
	"syntaxHighlighting": null,

	// Configuration for logging incoming webhooks.
	"webhook.logging": null,

// Authentication

	// Enables users to change their username after account creation. Warning: setting this to be true has security implications if you have enabled (or will at any point in the future enable) repository permissions with an option that relies on username equivalency between Sourcegraph and an external service or authentication provider. Do NOT set this to true if you are using non-built-in authentication OR rely on username equivalency for repository permissions.
	"auth.enableUsernameChanges": false,

	// The config options for account lockout
	"auth.lockout": null,

	// The minimum number of Unicode code points that a password must contain.
	"auth.minPasswordLength": 12,

	// The duration (in seconds) that a password reset link is considered valid.
	"auth.passwordResetLinkExpiry": 14400,

	// The authentication providers to use for identifying and signing in users. See instructions below for configuring SAML, OpenID Connect (including Google Workspace), and HTTP authentication proxies. Multiple authentication providers are supported (by specifying multiple elements in this array).
	"auth.providers": [
		{
			"allowSignup": true,
			"type": "builtin"
		}
	],

	// WARNING: This option has been removed as of 3.8.
	"auth.public": false,

	// The duration of a user session, after which it expires and the user is required to re-authenticate. The default is 90 days. There is typically no need to set this, but some users may have specific internal security requirements.
	// The string format is that of the Duration type in the Go time package. E.g., "720h", "43200m", "2592000s" all indicate a timespan of 30 days.
	// Note: changing this field does not affect the expiration of existing sessions. If you would like to enforce this limit for existing sessions, you must log out currently signed-in users. You can force this by removing all keys beginning with "session_" from the Redis store:
	// * For deployments using `sourcegraph/server`: `docker exec $CONTAINER_ID redis-cli --raw keys 'session_*' | xargs docker exec $CONTAINER_ID redis-cli del`
	// * For cluster deployments: 
	//   ```
	//   REDIS_POD="$(kubectl get pods -l app=redis-store -o jsonpath='{.items[0].metadata.name}')";
	//   kubectl exec "$REDIS_POD" -- redis-cli --raw keys 'session_*' | xargs kubectl exec "$REDIS_POD" -- redis-cli --raw del;
	//   ```
	"auth.sessionExpiry": "2160h",
	// Other example values:
	// - "168h"

	// Validity expressed in minutes of the unlock account token
	"auth.unlockAccountLinkExpiry": 5,

	// Base64-encoded HMAC signing key to sign the JWT token for account unlock URLs
	"auth.unlockAccountLinkSigningKey": null,

// BatchChanges

	// How long changesets will be retained after they have been detached from a batch change.
	"batchChanges.changesetsRetention": null,
	// Other example values:
	// - "336h"
	// - "48h"
	// - "5h30m40s"

	// Hides Batch Changes warnings about webhooks not being configured.
	"batchChanges.disableWebhooksWarning": false,

	// Enables/disables the Batch Changes feature.
	"batchChanges.enabled": true,

	// When enabled, all branches created by batch changes will be pushed to forks of the original repository.
	"batchChanges.enforceForks": false,

	// When enabled, only site admins can create and apply batch changes.
	"batchChanges.restrictToAdmins": false,

	// Specifies specific windows, which can have associated rate limits, to be used when publishing changesets. All days and times are handled in UTC.
	"batchChanges.rolloutWindows": null,

// Code intelligence

	// Whether auto-indexing policies may apply to all repositories on the Sourcegraph instance. Default is false. The policyRepositoryMatchLimit setting still applies to such auto-indexing policies.
	"codeIntelAutoIndexing.allowGlobalPolicies": false,

	// Enables/disables the code intel auto-indexing feature. Currently experimental.
	"codeIntelAutoIndexing.enabled": false,

	// Overrides the default Docker images used by auto-indexing.
	"codeIntelAutoIndexing.indexerMap": null,

	// The maximum number of repositories to which a single auto-indexing policy can apply. Default is -1, which is unlimited.
	"codeIntelAutoIndexing.policyRepositoryMatchLimit": -1,

// CodeInsights

	// The size of the buffer for aggregations run in memory. A higher limit might strain memory for the frontend.
	"insights.aggregations.bufferSize": 500,

	// The maximum number of results a proactive search aggregation can accept before stopping
	"insights.aggregations.proactiveResultLimit": 50000,

	// Set the number of seconds an insight series will spend backfilling before being interrupted. Series are interrupted to prevent long running insights from exhausting all of the available workers. Interrupted series will be placed back in the queue and retried based on their priority.
	"insights.backfill.interruptAfter": 60,

	// Maximum number of historical Code Insights data frames that may be analyzed per second.
	"insights.historical.worker.rateLimit": 20,
	// Other example values:
	// - 50
	// - 0.5

	// The allowed burst rate for the Code Insights historical worker rate limiter.
	"insights.historical.worker.rateLimitBurst": 20,
	// Other example values:
	// - 10
	// - 20

	// The maximum number of data points that will be available to view for a series on a code insight. Points beyond that will be stored in a separate table and available for data export.
	"insights.maximumSampleSize": 30,
	// Other example values:
	// - 12
	// - 24
	// - 50

	// Number of concurrent executions of a code insight query on a worker node
	"insights.query.worker.concurrency": 1,
	// Other example values:
	// - 10

	// Maximum number of Code Insights queries initiated per second on a worker node.
	"insights.query.worker.rateLimit": 20,
	// Other example values:
	// - 10
	// - 0.5

	// The allowed burst rate for the Code Insights queries per second rate limiter.
	"insights.query.worker.rateLimitBurst": 20,
	// Other example values:
	// - 10
	// - 20

// Debug

	// (debug) controls the amount of symbol search parallelism. Defaults to 20. It is not recommended to change this outside of debugging scenarios. This option will be removed in a future version.
	"": null,
	// Other example values:
	// - ["20"]

	// (debug) Set a limit to the amount of captured slow GraphQL requests being stored for visualization. For defining the threshold for a slow GraphQL request, see observability.logSlowGraphQLRequests.
	"observability.captureSlowGraphQLRequestsLimit": null,
	// Other example values:
	// - 2000

	// (debug) logs all GraphQL requests slower than the specified number of milliseconds.
	"observability.logSlowGraphQLRequests": null,
	// Other example values:
	// - 10000

	// (debug) logs all search queries (issued by users, code intelligence, or API requests) slower than the specified number of milliseconds.
	"observability.logSlowSearches": null,
	// Other example values:
	// - 10000

// Email

	// The "from" address for emails sent by this server.
	// Please see
	"email.address": "[email protected]",

	// The SMTP server used to send transactional emails.
	// Please see
	"email.smtp": null,
	// Other example values:
	// - {
	//     "authentication": "PLAIN",
	//     "host": "",
	//     "password": "mypassword",
	//     "port": 465,
	//     "username": "alice"
	//   }

	// Configurable templates for some email types sent by Sourcegraph.
	"email.templates": null,

// Experimental

	// Experimental features and settings.
	"experimentalFeatures": null,
	// Other example values:
	// - {
	//     "customGitFetch": [
	//       {
	//         "domainPath": "",
	//         "fetch": "customgitbinary someflag"
	//       },
	//       {
	//         "domainPath": "",
	//         "fetch": "customgitbinary someflag anotherflag"
	//       }
	//     ]
	//   }
	// - {
	//     "tls.external": {
	//       "certificates": [
	//         "-----BEGIN CERTIFICATE-----\n..."
	//       ],
	//       "insecureSkipVerify": true
	//     }
	//   }

// Extensions

	// Configures Sourcegraph extensions.
	"extensions": {
		"remoteRegistry": ""
	},
	// Other example values:
	// - {
	//     "allowRemoteExtensions": [
	//       "sourcegraph/java"
	//     ],
	//     "remoteRegistry": ""
	//   }

// External services

	// Disable periodic syncs of configured code host connections (repository metadata, permissions, batch changes changesets, etc)
	"disableAutoCodeHostSyncs": false,

	// Disable periodically fetching git contents for existing repositories.
	"disableAutoGitUpdates": false,

	// Disable redirects to when visiting public repositories that can't exist on this server.
	"disablePublicRepoRedirects": null,

	// JSON array of configuration that maps from Git clone URL to repository name. Sourcegraph automatically resolves remote clone URLs to their proper code host. However, there may be non-remote clone URLs (e.g., in submodule declarations) that Sourcegraph cannot automatically map to a code host. In this case, use this field to specify the mapping. The mappings are tried in the order they are specified and take precedence over automatic mappings.
	"git.cloneURLToRepositoryName": null,

	// Maximum number of seconds that a long Git command (e.g. clone or remote update) is allowed to execute. The default is 3600 seconds, or 1 hour.
	"gitLongCommandTimeout": 3600,

	// Maximum number of remote code host git operations (e.g. clone or ls-remote) to be run per second per gitserver. Default is -1, which is unlimited.
	"gitMaxCodehostRequestsPerSecond": -1,

	// Maximum number of git clone processes that will be run concurrently per gitserver to update repositories. Note: the global git update scheduler respects gitMaxConcurrentClones. However, we allow each gitserver to run up to gitMaxConcurrentClones to allow for urgent fetches. Urgent fetches are used when a user is browsing a PR and we do not have the commit yet.
	"gitMaxConcurrentClones": 5,

	// JSON array of repo name patterns and update intervals. If a repo matches a pattern, the associated interval will be used. If it matches no patterns a default backoff heuristic will be used. Pattern matches are attempted in the order they are provided.
	"gitUpdateInterval": null,

	// URL to fetch unreachable repository details from. Defaults to ""
	"parentSourcegraph": null,

	// The number of concurrent external service syncers that can run.
	"repoConcurrentExternalServiceSyncers": 3,

	// Interval (in minutes) for checking code hosts (such as GitHub, Gitolite, etc.) for new repositories.
	"repoListUpdateInterval": 1,

	// Configuration for repository purge worker.
	"repoPurgeWorker": {
		"deletedTTL": 60,
		"interval": 15
	},

	// DISCLAIMER: UNDER DEVELOPMENT. THE ENDPOINT DOES NOT COMPLY WITH THE SCIM STANDARD YET. The SCIM auth token is used to authenticate SCIM requests. If not set, SCIM is disabled.
	"scim.authToken": "",

// Misc.

	// Disable the feedback survey
	"disableFeedbackSurvey": false,

	// Disable aggregated event counts from being sent to via pings.
	"disableNonCriticalTelemetry": false,

	// HTML to inject at the bottom of the `<body>` element on each page, for analytics scripts
	"htmlBodyBottom": null,

	// HTML to inject at the top of the `<body>` element on each page, for analytics scripts
	"htmlBodyTop": null,

	// HTML to inject at the bottom of the `<head>` element on each page, for analytics scripts
	"htmlHeadBottom": null,

	// HTML to inject at the top of the `<head>` element on each page, for analytics scripts
	"htmlHeadTop": null,

	// Enables users access to the product research page in their settings.
	"productResearchPage.enabled": true,

	// The channel on which to automatically check for Sourcegraph updates.
	"": "release",
	// Other example values:
	// - "none"

// Search

	// DEPRECATED: Configure maxRepos in search.limits. The maximum number of repositories to search across. The user is prompted to narrow their query if exceeded. Any value less than or equal to zero means unlimited.
	"maxReposToSearch": -1,

	// Whether indexed symbol search is enabled. This is contingent on the indexed search configuration, and is true by default for instances with indexed search enabled. Enabling this will cause every repository to re-index, which is a time-consuming (several hours) operation. Additionally, it requires more storage and RAM to accommodate the added symbols information in the search index.
	"search.index.symbols.enabled": null,

	// A list of file glob patterns where matching files will be indexed and searched regardless of their size. Files still need to be valid utf-8 to be indexed. The glob pattern syntax can be found here:
	"search.largeFiles": null,
	// Other example values:
	// - [
	//     "go.sum",
	//     "package-lock.json",
	//     "**/*.thrift"
	//   ]

	// Limits that search applies for number of repositories searched and timeouts.
	"search.limits": null,

// Security

	// Settings for access tokens, which enable external tools to access the Sourcegraph API with the privileges of the user.
	"auth.accessTokens": {
		"allow": "all-users-create"
	},
	// Other example values:
	// - {"allow":"site-admin-create"}
	// - {"allow":"none"}

	// Required when using any of the native code host integrations for Phabricator, GitLab, or Bitbucket Server. It is a space-separated list of allowed origins for cross-origin HTTP requests which should be the base URL for your Phabricator, GitLab, or Bitbucket Server instance.
	"corsOrigin": null,
	// Other example values:
	// - ""

	// Whether or not LSIF uploads will be blocked unless a valid LSIF upload token is provided.
	"lsifEnforceAuth": false,

	// Settings for Sourcegraph permissions, which allow the site admin to explicitly manage repository permissions via the GraphQL API. This setting cannot be enabled if repository permissions for any specific external service are enabled (i.e., when the external service's `authorization` field is set).
	"permissions.userMapping": {
		"bindID": "email",
		"enabled": true
	},
	// Other example values:
	// - {"bindID":"email"}
	// - {"bindID":"username"}

// Sourcegraph Enterprise license

	// The license key associated with a Sourcegraph product subscription, which is necessary to activate Sourcegraph Enterprise functionality. To obtain this value, contact Sourcegraph to purchase a subscription. To escape the value into a JSON string, you may want to use a tool like
	"licenseKey": null,


	// Configuration options for only.
	"dotcom": null

Known bugs

The following site configuration options require the server to be restarted for the changes to take effect:


Editing your site configuration if you cannot access the web UI

If you are having trouble accessing the web UI, you can make edits to your site configuration by editing the configuration directly.

Sourcegraph with Docker Compose and single-server Sourcegraph with Docker


docker exec -it --user=root $FRONTEND_CONTAINER sh -c 'apk add --no-cache nano && nano /home/sourcegraph/site-config.json'

Or if you prefer using a Vim editor:

docker exec -it $FRONTEND_CONTAINER sh -c 'vi ~/site-config.json'

Sourcegraph with Kubernetes

For Kubernetes deployments:

kubectl exec -it $FRONTEND_POD -- sh -c 'apk add --no-cache nano && nano ~/site-config.json'

Or if you prefer using a Vim editor:

kubectl exec -it $FRONTEND_POD -- sh -c 'vi ~/site-config.json'

Then simply save your changes (type ctrl+x and y to exit nano and save your changes). Your changes will be applied immediately in the same way as if you had made them through the web UI.
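
A pre-save check for the file edited above, added here as an example (it is not Sourcegraph's own tooling): it strips `//` comments and trailing commas, parses the result, and flags a few settings from the reference on this page that weaken authentication or transport security. The function names, the constructed sample and the selection of settings are assumptions.

```python
import json

def strip_jsonc(text):
    """Drop // comments and trailing commas that sit outside string literals."""
    out, in_str, esc, i = [], False, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if esc:
                esc = False
            elif c == "\\":
                esc = True
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            while i < len(text) and text[i] != "\n":
                i += 1  # skip the comment, keep the newline so line numbers hold
            continue
        else:
            if c in "}]":  # remove a trailing comma before a closing bracket
                j = len(out) - 1
                while j >= 0 and out[j].isspace():
                    j -= 1
                if j >= 0 and out[j] == ",":
                    del out[j]
            out.append(c)
        i += 1
    return "".join(out)

def audit_site_config(text):
    """Return (setting, message) findings for the text of a site-config.json."""
    try:
        cfg = json.loads(strip_jsonc(text))
    except json.JSONDecodeError as err:
        return [("syntax", f"line {err.lineno}: {err.msg}")]
    if not isinstance(cfg, dict):
        return [("syntax", "top-level value must be an object")]
    found = []
    if cfg.get("auth.enableUsernameChanges"):
        found.append(("auth.enableUsernameChanges",
                      "unsafe if permissions rely on username equivalency"))
    for provider in cfg.get("auth.providers") or []:
        if (isinstance(provider, dict) and provider.get("type") == "builtin"
                and provider.get("allowSignup")):
            found.append(("auth.providers", "builtin provider allows sign-up"))
    tls = (cfg.get("experimentalFeatures") or {}).get("tls.external") or {}
    if tls.get("insecureSkipVerify"):
        found.append(("experimentalFeatures.tls.external",
                      "TLS certificate verification is skipped"))
    if not cfg.get("lsifEnforceAuth"):
        found.append(("lsifEnforceAuth",
                      "LSIF uploads are not blocked without an upload token"))
    return found

# Constructed sample, not taken from a real instance.
SAMPLE = """{
	// trailing commas and a URL containing "//" exercise the stripper
	"externalURL": "https://sourcegraph.example.com",
	"auth.enableUsernameChanges": true,
	"auth.providers": [
		{ "type": "builtin", "allowSignup": true },
	],
	"experimentalFeatures": { "tls.external": { "insecureSkipVerify": true } },
	"lsifEnforceAuth": true,
}"""
```

Call `audit_site_config(open(path).read())` on a copy of the file before saving it; a `syntax` finding reports the line of the first parse error.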

If you are still encountering issues

You can check the container logs to see if you have made any typos or mistakes in editing the configuration file. If you are still encountering problems, you can save the default site configuration that comes with Sourcegraph (below) or contact [email protected] with any questions you have.

	// The externally accessible URL for Sourcegraph (i.e., what you type into your browser)
	// This is required to be configured for Sourcegraph to work correctly.
	// "externalURL": "",

	// The authentication provider to use for identifying and signing in users.
	// Only one entry is supported.
	// The builtin auth provider with signup disallowed (shown below) means that
	// after the initial site admin signs in, all other users must be invited.
	// Other providers are documented at
	"auth.providers": [
		{
			"type": "builtin",
			"allowSignup": false
		}
	]