Import/Export Tenant Configuration to Directory Structure

The auth0-deploy-cli tool includes a directory option that allows you to export and import an existing Auth0 tenant configuration into a predefined directory structure.

To import an Auth0 tenant configuration with the directory option:

1. Copy config.json.example, making sure to replace the placeholder values with the values specific to your configuration.

   Log in

   to configure this snippet with your account

   {
       "AUTH0_DOMAIN": "{yourDomain}",
       "AUTH0_CLIENT_ID": "{yourClientId}",
       "AUTH0_CLIENT_SECRET": "{yourClientSecret}",
       "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
         "AUTH0_TENANT_NAME": "{yourAccountName}",
         "ENV": "DEV"
       },
       "AUTH0_ALLOW_DELETE": false,
       "AUTH0_EXCLUDED_RULES": [
         "rule-1-name",
         "rule-2-name"
       ],
       "INCLUDED_PROPS": {
         "clients": [ "client_secret" ]
       },
       "EXCLUDED_PROPS": {
         "connections": [ "options.client_secret" ]
       }
     }

   Was this helpful?

   Yes /No
   Use the client ID and secret from your newly-created application. If you used the Deploy CLI Extension to create the application, the client is named auth0-deploy-cli-extension. By default, the tool merges with your current environment variables and overrides the config.json file (which has the same top key). You can use the --no-env option to disable the override via the command line. You can either set the environment variables, or you can place the values in a configuration file anywhere on the file system that is accessible by the Deploy CLI Tool.

2. Deploy using the following command:

   a0deploy import --config_file config.json --input_file .

   Was this helpful?

   Yes /No

Here is an example of a config.json file:

{
  "AUTH0_DOMAIN": "{yourDomain}",
  "AUTH0_CLIENT_SECRET": "<yourClientSecret}",
  "AUTH0_CLIENT_ID": "{yourClientId}",
  "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
    "YOUR_ARRAY_KEY": [
      "http://localhost:8080",
      "https://somedomain.com"
    ],
    "YOUR_STRING_KEY": "{someEnvironmentSpecificString}"
  },
  "AUTH0_ALLOW_DELETE": false,
  "INCLUDED_PROPS": {
    "clients": [ "client_secret" ]
  },
  "EXCLUDED_PROPS": {
    "connections": [ "options.client_secret" ],
    "emailProvider": ["name", "credentials", "default_from_address", "enabled"]
  },
  "AUTH0_EXCLUDED_RULES": [ "auth0-account-link-extension" ],
  "AUTH0_EXCLUDED_CLIENTS": [ "auth0-account-link" ],
  "AUTH0_EXCLUDED_RESOURCE_SERVERS": [ "SSO Dashboard API" ],
  "AUTH0_EXCLUDED_DEFAULTS": ["emailProvider"]
}

Using the config.json file, you can exclude the following records from the deployment process:

• rules (AUTH0_EXCLUDED_RULES)

• clients (AUTH0_EXCLUDED_CLIENTS)

• databases (AUTH0_EXCLUDED_DATABASES)

• connections (AUTH0_EXCLUDED_CONNECTIONS)

• resource servers (AUTH0_EXCLUDED_RESOURCE_SERVERS)

If excluded, records will not be modified by deployments.

Beginning with version 3.0.0, you can manage your secrets and tenant-based environment variables using keyword mapping. This is useful if you want to specify different variables across your environments. For example, you could specify different JWT timeouts for your Development, QA/Testing, and Production environments.

Set your keyword mappings in your config.json file using AUTH0_KEYWORD_REPLACE_MAPPINGS. For an example, see the example configuration file above.

To use keyword mapping, either wrap the key using:

• @ symbols (e.g., @@key@@), which will cause your value to be converted from a Javascript object or value to a JSON string.

• # symbols (e.g., ##key##), which will cause Auth0 to perform a literal replacement.

A sample implementation is as follows:

Client.json

{
  ...
  "callbacks": [
    "##ENVIRONMENT_URL##/auth/callback"
  ],
  "jwt_configuration": {
    "lifetime_in_seconds": ##JWT_TIMEOUT##,
    "secret_encoded": true
  }
  ...
}

To add hook secrets to your environment, add secrets in the .json configuration file (in this example, hook1.json) as follows:

"secrets": { 
  "api-key": "my custom api key" 
}

The secrets object cannot be nested, so remember to prefix your secrets.

To export your current tenant configuration, run a command that's similar to:

a0deploy export --config_file config.json --format directory --output_folder path/to/export

When importing objects into Auth0 tenants, Auth0 generates new IDs. To avoid import failure, identifier fields are stripped from the Auth0 objects on export by default. To override this behavior, use --export_ids or AUTH0_EXPORT_IDENTIFIERS: true.

Some of the settings cannot be exported, such as rulesConfigs values. After exporting, you may need to update the values in tenant.yaml if you see schema-related errors during the import process.

To learn more, see Deploy CLI Tool Environment Variables and Keyword Mappings.

The following is a sample of what the export directory structure looks like. For full details on everything that can be included, see the extension's repository:

repository =>
  clients
    client1.json
    client2.json
  connections
    connection1.json
  database-connections
    connection1
      database.json
      create.js
      delete.js
      get_user.js
      login.js
      verify.js
  emails
    provider.json
    verify_email.json
    verify_email.html
    welcome_email.json
    welcome_email.html
  grants
    grant1.json
  pages
    login.html
    login.json
    password_reset.html
    password_reset.json
  resource-servers
    resource_server1.json
    resource_server2.json
  rules
    rule1.js
    rule1.json
    rule2.js
  rules-configs
    env_param1.json
    some_secret1.json
  hooks
     hook1.js
     hook1.json
  guardian
    factors
      sms.json
      email.json
      otp.json
      push-notification.json
    provider
      sms-twilio.json
    templates
      sms.json

To deploy a connection, create a JSON file under the connections directory in your file structure. For example:

facebook.json

{
  "name": "facebook",
  "strategy": "facebook",
  "enabled_clients": [
    "my-client"
  ],
  "options": {}
}

To learn more about allowed attributes for connections, see Auth0's Management API Post Connections endpoint.

To deploy a database connection, create a subdirectory named [connection-name] under the database-connections directory in your file structure. The name of the subdirectory must exactly match the name of your database connection in Auth0. You can create as many subdirectories as you have database connections.

Create a JSON file named database.json under the corresponding database-connections/[connection-name] subdirectory in your file structure.

To learn more about allowed attributes for connections, see Auth0's Management API Patch Connections by ID endpoint.

To deploy a database connection script, create a JavaScript file under the corresponding database-connections/[connection-name] subdirectory in your file structure. The filename of the JavaScript file should correspond to the database connection script you want to deploy.

Allowed scripts include:

• get_user.js

• create.js

• verify.js

• login.js

• change_password.js

• delete.js

For a generic custom database connection, only the login.js script is required. However, if you enable the migration feature, you will also need to provide the get_user.js script.

To see examples, visit the Auth0 Samples GitHub repository.

Supported pages include:

• error_page

• guardian_multifactor

• login

• password_reset

To deploy a page, create an HTML file under the pages directory in your file structure. For each HTML page, you must also create a JSON file (with the same name) that controls whether the page is enabled or disabled.

For example, to deploy a password_reset page, you would create two files:

• your-github-repo/pages/password_reset.html

• your-github-repo/pages/password_reset.json

To enable the page, the password_reset.json would contain the following:

{
  "enabled": true
}

To deploy a rule, create a JavaScript file under the rules directory in your file structure. Each rule must be contained in its own JavaScript file. For each JavaScript file, you must also create a JSON file (with the same name) that controls the rule order, status, and stage during which the rule executes.

For example, to deploy a set-country rule, you would create two files:

• your-github-repo/rules/set-country.js

• your-github-repo/rules/set-country.json

set-country.js

function (user, context, callback) {
  if (context.request.geoip) {
    user.country = context.request.geoip.country_name;
  }
  callback(null, user, context);
}

set-country.json

{
  "enabled": false,
  "order": 15,
  "stage": "login_success"
}

To see an example for the login_success stage, visit the Auth0 Samples GitHub repository.

To avoid conflicts, multiple rules with the same order are not allowed. However, you can create a JSON file for each rule, and within each file, assign a value for order. We suggest using number values that allow for reordering with less risk of conflict. For example, assign a value of 10 to the first Rule and 20 to the second Rule, rather than using values of 1 and 2, respectively.

Once you deploy a rule, you cannot change the stage during which the rule executes. If you need the rule to execute during a different stage, you must create a new rule configured for that stage and delete the original rule.

The allowed values for the stage should be:

• login_success

• login_failure

• pre_authorize

See Create a Rule for details.

To deploy a rule config, create a JSON file under the rules-configs directory in your file structure. For example:

secret_number.json

{
  "key": "secret_number",
  "value": 42
}

To deploy a client, create a JSON file under the clients directory in your file structure. For example:

my-client.json

{
  "name": "my-client"
}

To learn more about allowed attributes for clients and client grants, see Auth0's Management API Post Clients endpoint.

To specify the client grants for each client, create a JSON file under the grants directory in your file structure. For example:

my-client-api.json

{
  "client_id": "my-client",
  "audience": "https://myapp.com/api/v1",
    "scope": [
      "read:users"
    ]
}

To deploy a resource server, create a JSON file under the resource-servers directory in your file structure. For example:

my-api.json

{
  "name": "my-api",
  "identifier": "https://myapp.com/api/v1",
  "scopes": [
    {
      "value": "read:users",
      "description": "Allows getting user information"
    }
  ]
}

To learn more about allowed attributes for resource servers, see Auth0's Management API Post Resource Servers endpoint.

To deploy an email provider, create a provider.json file under the emails directory in your file structure. For example:

provider.json

{
    "name": "smtp",
    "enabled": true,
    "credentials": {
        "smtp_host": "smtp.server.com",
        "smtp_port": 25,
        "smtp_user": "smtp_user",
        "smtp_pass": "smtp_secret_password"
    }
}

To learn more about allowed attributes for email providers, see Auth0's Management API Patch Provider endpoint.

Supported email templates include:

• verify_email

• reset_email

• welcome_email

• blocked_account

• stolen_credentials

• enrollment_email

• mfa_oob_code

To deploy an email template, create an HTML file under the emails directory in your file structure. For each HTML file, you must also create a JSON file (with the same name) that contains additional options for that template.

For example, to deploy a blocked_account template, you would create two files:

• your-github-repo/emails/blocked_account.html

• your-github-repo/emails/blocked_account.json

blocked_account.json

{
    "template": "blocked_account",
    "from": "",
    "subject": "",
    "resultUrl": "",
    "syntax": "liquid",
    "body": "./blocked_account.html",
    "urlLifetimeInSeconds": 432000,
    "enabled": true
}

• Incorporate Deploy CLI into Build Environment
• Call Deploy CLI Tool Programmatically
• Deploy CLI Tool Options
• Import/Export Tenant Configuration to YAML File
• Troubleshoot Deploy CLI Tool