Skip to main content
Version: 8.9

Configuration

Web Modeler Self-Managed consists of two components: restapi and websocket. Each component is configured separately as described below.

  • The restapi component is a Spring Boot application. Its configuration is stored in a YAML file (application.yml) by default. All Web Modeler-specific settings are prefixed with camunda.modeler.
  • The websocket (PHP/Laravel) component is configured via environment variables.
Configuration methods

The two components support configuration through environment variables. For the restapi component, environment variables can be used as an alternative to application.yml following Spring Boot conventions: convert the property to uppercase, remove any dashes, and replace any delimiters (.) with _.

For example, the property camunda.modeler.clusters[0].name is represented by the environment variable CAMUNDA_MODELER_CLUSTERS_0_NAME.

If you are using the Camunda 8 Helm chart, read more about the different configuration options in the chart's Helm chart values documentation. You can pass environment variables to each component via webModeler.restapi.env and webModeler.websocket.env in your values.yaml.

For a working example configuration showing how the components are correctly wired together, see the Docker Compose file for Web Modeler.

Licensing

Camunda 8 Self-Managed only

Installations of Camunda 8 Self-Managed which require a license can provide their license key to the components as an environment variable:

Environment variableDescriptionDefault value
CAMUNDA_LICENSE_KEYYour Camunda 8 license key, if your installation requires a license.None

For Helm installations, license keys can be configured globally in your values.yaml file. See the License key for more details.

note

Camunda 8 components without a valid license may display Non-Production License in the navigation bar and issue warnings in the logs. These warnings have no impact on startup or functionality.

Web Modeler without a license: Web Modeler is limited to five concurrent users when running without a valid enterprise license. This applies to Self-Managed installations used for testing or development purposes. To support additional users or for production use, obtain a Camunda Self-Managed Enterprise Edition license by visiting the Camunda Enterprise page.

Configuration of the restapi component

As a Spring Boot application, the restapi component supports any standard Spring configuration method.

The examples below show configuration in two formats:

  • Environment variables – suitable for Docker Compose or direct shell usage.
  • application.yml – the native Spring Boot configuration file format.
Passing JVM options

When running the restapi component in a container (Docker / Kubernetes), use the JAVA_TOOL_OPTIONS environment variable to pass JVM arguments, for example for trust store settings or proxy configuration.

General

Environment variableDescriptionExample valueDefault value
RESTAPI_SERVER_URLURL at which users access Web Modeler in the browser (used to construct redirect URLs in the client-side login flow as well as links in notification emails).https://modeler.example.com,
https://example.com/modeler		-
SERVER_SERVLET_CONTEXTPATH[optional]
Context path of the URL. Must be set if RESTAPI_SERVER_URL does not point to the root path of a (sub-)domain.		/modeler-
SERVER_HTTPS_ONLY[optional]
Enforce the usage of HTTPS when users access Web Modeler (by redirecting from http:// to https://).		truetrue

Clusters

Clusters must be configured using the following options to access the cluster from within Web Modeler. If no clusters are configured, you will not be able to perform any actions that require a cluster (for example, deploy, start an instance, or Play a process).

The Camunda 8 Helm and Docker Compose distributions provide a local Zeebe cluster configured by default.

To add additional clusters, increment the 0 value for each entry (for example clusters[1] or CAMUNDA_MODELER_CLUSTERS_1_NAME).

Cluster version

The available configuration options depend on the version of the cluster:

Common configuration (all cluster versions)

Environment variableDescriptionExample value
CAMUNDA_MODELER_CLUSTERS_0_IDA unique identifier to use for your cluster.test-cluster-1
CAMUNDA_MODELER_CLUSTERS_0_NAMEThe name of your cluster.Test Cluster 1
CAMUNDA_MODELER_CLUSTERS_0_VERSIONThe Camunda version used by this cluster.8.8.0
CAMUNDA_MODELER_CLUSTERS_0_AUTHENTICATIONThe authentication to use with your cluster.BEARER_TOKEN

Additional configuration for cluster versions >= 8.8

Environment variableDescriptionExample value
CAMUNDA_MODELER_CLUSTERS_0_URL_GRPCInternal or external address where the Zeebe gRPC API can be reached.grpc://camunda:26500,
grpcs://camunda.example.com:26500
CAMUNDA_MODELER_CLUSTERS_0_URL_RESTInternal or external address where the cluster's REST APIs can be reached. Used as the base URL for requests to the Orchestration Cluster API (/v2 endpoints) as well as the Operate and Tasklist APIs (/v1 endpoints).http://camunda:8080,
https://camunda.example.com
CAMUNDA_MODELER_CLUSTERS_0_URL_WEBAPPExternal address where the cluster's web applications can be reached in a browser.https://camunda.example.com
CAMUNDA_MODELER_CLUSTERS_0_AUTHORIZATIONS_ENABLEDIndicates if authorizations are enabled for the cluster. If true, users will see a hint when they deploy from Web Modeler.true

Additional configuration for cluster versions < 8.8

Environment variableDescriptionExample value
CAMUNDA_MODELER_CLUSTERS_0_URL_ZEEBE_GRPCInternal or external address where the Zeebe gRPC API can be reached.grpc://camunda-zeebe-gateway:26500,
grpcs://zeebe.example.com:26500
CAMUNDA_MODELER_CLUSTERS_0_URL_ZEEBE_RESTInternal or external address where the Camunda 8 REST API can be reached.http://camunda-zeebe-gateway:8080,
https://zeebe.example.com
CAMUNDA_MODELER_CLUSTERS_0_URL_OPERATEInternal or external address where the Operate REST API can be reached.http://camunda-operate:80,
https://operate.example.com
CAMUNDA_MODELER_CLUSTERS_0_URL_TASKLISTInternal or external address where the Tasklist REST API can be reached.http://camunda-tasklist:80,
https://tasklist.example.com

Available authentication methods

MethodDescriptionWhen to use?
BEARER_TOKENWeb Modeler sends the authenticated user's token in the Authorization header with every request to the cluster.Cluster version >= 8.8
The cluster uses OIDC authentication with the same identity provider as Web Modeler.
Note: You need to ensure that the cluster accepts Web Modeler's token audience.

Cluster version < 8.8
The cluster uses Camunda Identity-based authentication and the external identity provider supports access tokens with multiple audiences (example provider: Keycloak).
Note: For the token to be accepted by the different cluster components, it must contain each component's audience.
BASICWeb Modeler sends a username and password with every request to the cluster. The credentials have to be provided by the user in the UI.Cluster version >= 8.8
The cluster uses Basic authentication.

Cluster version < 8.8
not supported
NONEWeb Modeler does not send any authentication information.Cluster version >= 8.8
The cluster API is configured as unprotected and can be used without authentication.

Cluster version < 8.8
The authentication / token validation in the Zeebe Gateway is disabled.

Database

Web Modeler currently supports PostgreSQL, Oracle, Microsoft SQL Server (MSSQL), MySQL, MariaDB, and H2 as persistent data storage.

Oracle and MySQL driver

The Oracle and MySQL drivers are not provided by default and must be downloaded and supplied for the application to load. Refer to the Oracle and MySQL database configuration section for details.

Environment variableDescriptionExample value
SPRING_DATASOURCE_URLJDBC URL of the databasejdbc:postgresql://postgres.example.com:5432/modeler-db
SPRING_DATASOURCE_USERNAMEDatabase user namemodeler-user
SPRING_DATASOURCE_PASSWORDDatabase user password***
SPRING_DATASOURCE_DRIVER_CLASS_NAME[optional]
Java class name of the database driver		software.amazon.jdbc.Driver
SPRING_DATASOURCE_HIKARI_SCHEMA[optional; only supported for PostgreSQL]
Database schema.
Defaults to the default schema of the database user (usually public) if not set.
Refer to the PostgreSQL documentation for naming restrictions.		custom_schema

Refer to the Advanced Database Configuration Guide for additional details on how to configure Web Modeler's database connection.

SMTP / email

Web Modeler requires an SMTP server to send notification emails to users.

Environment variableDescriptionExample valueDefault value
RESTAPI_MAIL_HOSTSMTP server host namesmtp.example.com-
RESTAPI_MAIL_PORTSMTP server port587-
RESTAPI_MAIL_USER[optional]
SMTP user name		modeler-user-
RESTAPI_MAIL_PASSWORD[optional]
SMTP user password		***-
RESTAPI_MAIL_ENABLE_TLSEnforce TLS encryption for SMTP connections (using STARTTLS).truetrue
RESTAPI_MAIL_FROM_ADDRESSEmail address used as the sender of emails sent by Web Modeler.noreply@example.com-
RESTAPI_MAIL_FROM_NAME[optional]
Name displayed as the sender of emails sent by Web Modeler.		CamundaCamunda

WebSocket

Web Modeler uses a WebSocket server to send events (e.g. "file updated", "comment added", "user opened diagram") between the backend and the client application in the browser. This enables features like real-time notifications and immediate UI updates.

Environment variableDescriptionExample valueDefault value
RESTAPI_PUSHER_HOSTInternal host name of the WebSocket server.modeler-websockets-
RESTAPI_PUSHER_PORTInternal port number of the WebSocket server.80608060
RESTAPI_PUSHER_APP_IDmust be the same as PUSHER_APP_IDweb-modeler-
RESTAPI_PUSHER_KEYmust be the same as PUSHER_APP_KEY***-
RESTAPI_PUSHER_SECRETmust be the same as PUSHER_APP_SECRET***-
CLIENT_PUSHER_HOSTExternal host name on which the Web Modeler client accesses the WebSocket server from the browser.ws.example.com-
CLIENT_PUSHER_PORTExternal port number on which the Web Modeler client accesses the WebSocket server from the browser.44380
CLIENT_PUSHER_PATH[optional]
must be the same as PUSHER_APP_PATH		/modeler-ws/
CLIENT_PUSHER_FORCE_TLSEnable TLS encryption for WebSocket connections initiated by the browser.truefalse

Identity / Keycloak

Web Modeler uses Keycloak as the default authentication provider (using OAuth 2.0 + OpenID Connect) and integrates with Management Identity for user management and authorization (see Manage access and permissions).

Environment variableDescriptionExample valueDefault value
CAMUNDA_IDENTITY_BASEURLInternal base URL of the Identity API (used to fetch user data).http://identity:8080-
CAMUNDA_IDENTITY_USERNAMECLAIMID token claim used to assign usernames.preferred_usernamename
CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_APIExpected value of the audience claim in user access tokens (used for JWT validation).web-modeler-apiweb-modeler-api
CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_APIExpected value of the audience claim in M2M access tokens required for Web Modeler's API (used for JWT validation).web-modeler-public-apiweb-modeler-public-api
RESTAPI_OAUTH2_TOKEN_ISSUER_BACKEND_URL[optional]
Internal URL used to request Keycloak's OpenID Provider Configuration; if not set, SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI is used.		http://keycloak:18080/auth/realms/camunda-platform-
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URIURL of the token issuer (used for JWT validation).https://keycloak.example.com/auth/realms/camunda-platform-
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI[optional] URL of the JWK Set endpoint (used for JWT validation). Only necessary if URL cannot be derived from the OIDC configuration endpoint.https://keycloak.example.com/auth/realms/camunda-platform/protocol/openid-connect/certs-
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWS_ALGORITHMS[optional] List of trusted JWS algorithms used for JWT validation. Only necessary if the algorithms cannot be derived from the JWK Set response.ES256-
OAUTH2_CLIENT_IDClient ID of the Web Modeler application configured in Identity.web-modeler-
OAUTH2_CLIENT_FETCH_REQUEST_CREDENTIALS[optional]
Configuration whether credentials should be sent along with requests to the OIDC provider, see documentation. Use this if you are using a proxy that requires cookies.		include-
Helm behavior

The restapi component default for CAMUNDA_IDENTITY_USERNAMECLAIM is name. In Helm-based setups, OIDC configuration commonly uses preferred_username, so usernames may appear as email-style identifiers unless you explicitly set CAMUNDA_IDENTITY_USERNAMECLAIM=name for the Web Modeler restapi environment.

Refer to the advanced Identity configuration guide for additional details on how to connect a custom OpenID Connect (OIDC) authentication provider.

Camunda client

Web Modeler uses the Camunda Java client to connect to Zeebe. To customize the client configuration, you can provide optional properties.

Environment variableDescriptionExample valueDefault Value
CAMUNDA_CA_CERTIFICATE_PATH[optional]
Path to a root CA certificate to be used instead of the certificate in the default store.		/path/to/certificate-
CAMUNDA_CLIENT_CONFIG_PATH[optional]
Path to the client's OAuth credential cache.		/path/to/credentials/cache.txt$HOME/.camunda/credentials
CAMUNDA_CLIENT_REQUESTTIMEOUT[optional]
The request timeout used when communicating with a target Zeebe cluster.		6000010000
CAMUNDA_AUTH_CONNECT_TIMEOUT[optional]
The connection timeout for requests to the OAuth server.		300005000
CAMUNDA_AUTH_READ_TIMEOUT[optional]
The data read timeout for requests to the OAuth server.		300005000

For more details, see the Zeebe connection troubleshooting section.

Logging

Environment variableDescriptionExample valueDefault value
LOGGING_CONFIG[optional]
Path to custom Log4j2 configuration.		file:/full/path/to/custom-log4j2-spring.xml-
CAMUNDA_MODELER_LOG_LEVEL[optional]
Defines the log level for the Web Modeler components.		DEBUGINFO
CAMUNDA_LOG_FILE_APPENDER_ENABLED[optional]
To enable logging to a file.		truefalse
CAMUNDA_MODELER_LOG_APPENDER[optional]
Defines which appender to use for logging.		StackdriverConsole
LOG_LEVEL_CLIENT[optional]
Log level for the client.		DEBUGWARN

Refer to the advanced logging configuration guide for additional details on how to customize the restapi logging output.

info

SSL

Environment variableDescriptionExample valueDefault value
SERVER_SSL_ENABLED[optional]
Whether to enable SSL support.		truefalse
SERVER_SSL_CERTIFICATE[optional]
Path to a PEM-encoded SSL certificate file.		file:/full/path/to/certificate.pem-
SERVER_SSL_CERTIFICATE_PRIVATE_KEY[optional]
Path to a PEM-encoded private key file for the SSL certificate.		file:/full/path/to/key.pem-
MANAGEMENT_SERVER_SSL_ENABLED[optional]
Whether to enable SSL support for the management server routes.		truefalse
MANAGEMENT_SERVER_SSL_CERTIFICATE[optional]
Path to a PEM-encoded SSL certificate file.		file:/full/path/to/certificate.pem-
MANAGEMENT_SERVER_SSL_CERTIFICATE_PRIVATE_KEY[optional]
Path to a PEM-encoded private key file for the SSL certificate.		file:/full/path/to/key.pem-
RESTAPI_PUSHER_SSL_ENABLED[optional]
Whether to enable communication via SSL to the websocket component.		truefalse

Refer to the advanced SSL configuration guide for additional details on how to set up secure connections (incoming & outgoing) to the Web Modeler components.

Monitoring and health probes

The restapi component is a Spring Boot application that includes the Spring Boot Actuator, providing health check and metrics endpoints out of the box. These endpoints are served on a separate management port (default: 8091).

By default, Web Modeler uses the following actuator configuration:

management:
  server:
    port: 8091

  endpoints:
    access:
      default: none
    web:
      exposure:
        include: health, info, prometheus, loggers
      base-path: /
      path-mapping:
        health: health
        prometheus: metrics

  endpoint:
    prometheus:
      access: read-only
    health:
      access: read-only
      probes:
        enabled: true
      # make readiness endpoint additionally available on main server port, so that it gets publicly exposed
      group:
        readiness:
          additional-path: "server:/health"
    info:
      access: read-only
    loggers:
      access: unrestricted
  info:
    git:
      enabled: false

  health:
    defaults:
      enabled: false

  metrics:
    distribution:
      percentiles:
        http.server.requests:
          - 0.5
          - 0.9
          - 0.99

Available endpoints

EndpointDescription
<server>:8091/metricsPrometheus metrics
<server>:8091/health/readinessReadiness probe
<server>:8091/health/livenessLiveness probe

For more details, including Kubernetes probe configuration examples and websocket health endpoints, see the Monitoring page.

Git Sync

Web Modeler supports syncing files via Git Sync. Provide the base URL for your provider if you are using a self-hosted GitLab, GitHub, or Azure DevOps Server instance.

ProviderEnvironment variableDescriptionDefault value
All providersCAMUNDA_MODELER_GITSYNC_MAXFILESMaximum number of allowed files for sync operations.50
All providersCAMUNDA_MODELER_GITSYNC_MAXINMEMORYSIZEMaximum memory size that can be processed by calls to the Git provider. This limits the maximum file size that can be synced.4MB
GitHubCAMUNDA_MODELER_GITSYNC_GITHUB_BASEURLThe base URL of your self-hosted GitHub instance.https://api.github.com
GitLabCAMUNDA_MODELER_GITSYNC_GITLAB_BASEURLThe base URL of your self-hosted GitLab instance.https://gitlab.com/api/v4
Azure DevOpsCAMUNDA_MODELER_GITSYNC_AZURE_BASEURLThe base URL of your self-hosted Azure DevOps Server instance.https://dev.azure.com
Azure DevOpsCAMUNDA_MODELER_GITSYNC_AZURE_API_VERSIONThe Azure DevOps API versions to use.7.1
Azure DevOpsCAMUNDA_MODELER_GITSYNC_AZURE_AUTHORITY_BASE_PATHURL used to access authentication and authorization services for Microsoft cloud identities.https://login.microsoftonline.com
Azure DevOpsCAMUNDA_MODELER_GITSYNC_AZURE_SCOPEOAuth scope requested for Azure DevOps authentication.https://app.vssps.visualstudio.com/.default
BitbucketCAMUNDA_MODELER_GITSYNC_BITBUCKET_BASEURLThe base URL of Bitbucket Cloud.https://api.bitbucket.org/2.0/repositories

Feature flags

Environment variableDescriptionExample valueDefault value
PLAY_ENABLED[optional]
Enables the Play mode in the BPMN editor, allowing users to test processes in a playground environment.		truetrue
ZEEBE_BPMN_DEPLOYMENT_ENABLED[optional]
Enables the Deploy and Run actions in the BPMN editor.
When disabled, it prevents users from deploying and starting instances of processes via the UI.		falsetrue
ZEEBE_DMN_DEPLOYMENT_ENABLED[optional]
Enables the Deploy action in the DMN editor.
When disabled, it prevents users from deploying decisions via the UI.		falsetrue
MARKETPLACE_ENABLED[optional]
Enables the integration of the Camunda Marketplace. If enabled, users can browse the Marketplace and download resources directly inside Web Modeler.		falsetrue

Unstable configuration options

These are unstable options that are not officially supported and may be removed without deprecation in future releases. They are intended for testing and feedback purposes only.

Environment variableDescriptionExample valueDefault value
CAMUNDA_MODELER_RESOURCE_IMPORT_ALLOW_PRIVATE_IP_ADDRESSAllow importing resources from a host that resolves to a private IP address. Enabling this option weakens server-side request forgery (SSRF) protections and can significantly increase security exposure.truefalse

Configuration of the websocket component

The WebSocket server shipped with Web Modeler Self-Managed is based on the laravel-websockets open source package and implements the Pusher Channels Protocol.

The websocket component is configured via environment variables. When using the Camunda Helm chart, you can pass these variables via webModeler.websocket.env in your values.yaml. See the Helm chart values docs for all available configuration options.

Environment variableDescriptionExample valueDefault value
PUSHER_APP_IDID of the single application/tenant configured for Web Modeler.web-modeler-
PUSHER_APP_KEYA unique key used for authentication. Provide a random alphanumeric string of at least 20 characters.***-
PUSHER_APP_SECRETA unique secret used for authentication. Provide a random alphanumeric string of at least 20 characters.***-
PUSHER_APP_PATH[optional]
Base path of the WebSocket endpoint. Can be used to expose the endpoint on a sub path instead of the domain root (e.g. https://example.com/modeler-ws).		/modeler-ws/

Logging

Environment variableDescriptionExample valueDefault Value
LOG_CHANNEL[optional]
Log channel driver, see Laravel documentation		singlestack

Refer to the Advanced Logging Configuration Guide for additional details on how to customize the websocket logging output.

SSL

Environment variableDescriptionExample valueDefault Value
PUSHER_SSL_CERT[optional]
Path to a PEM-encoded SSL certificate file.		/full/path/to/certificate.pem-
PUSHER_SSL_KEY[optional]
Path to a PEM-encoded private key file for the SSL certificate.		/full/path/to/key.pem-
PUSHER_SSL_PASSPHRASE[optional]
Passphrase for the private key file.		change-me-

Refer to the advanced SSL configuration guide for additional details on how to set up secure connections (incoming & outgoing) to the Web Modeler components.

Notes on host names and port numbers

  • Internal refers to host names and port numbers that are only used inside a Docker Compose network or Kubernetes cluster for backend-to-backend communication.
  • External refers to host names and port numbers that are exposed to the outside and can be reached from a web browser.