Configure projects with Ory CLI
All Ory components use the same configuration format and APIs whether they are self-hosted or used through Ory Network.
This allows you to use the Ory CLI to configure your components, no matter how you use Ory!
Stored secrets
When you read your Ory Network project configuration through the API or the Ory CLI (for example with ory get project or
ory get identity-config), the following secret fields are returned empty even when a value is stored:
- SMTP
courier.smtp.connection_uri— the password segment of the URI is removed. - OIDC provider
client_secret— for every entry inselfservice.methods.oidc.config.providers. - Apple provider
apple_private_key.
The stored value stays in place and continues to be used at runtime. Only the API response is redacted.
When you write the configuration back:
- To keep the stored secret: leave the field as the API returned it (
nullfor OIDCclient_secretandapple_private_key, or a URI without the password segment for SMTPconnection_uri). The server merges your update with the existing secret. - To rotate a secret: set the new value explicitly.
- Setting an OIDC
client_secretor Appleapple_private_keyto an empty string is rejected by configuration validation — these fields are required when the provider is configured, so you cannot accidentally clear them by sending an empty value. To remove a secret entirely, remove the provider.
Configure projects
There are two ways to adjust the configuration of projects. You can:
- overwrite / import configuration from a file using the
ory updatecommand - patch the existing configuration using the
ory patchcommand
Overwrite / import configuration
To overwrite the entire project configuration or to import a brand new config, create a file with the configuration you want to use.
The configuration format follows the updateProject API request payload.
The /services/identity/config key is compatible with the
Ory Kratos configuration format except for some keys (for example serve, dsn)
which are ignored.
{
"services": {
"identity": {
"config": ...
}
}
}
Let's look at an example. If you want to change the name of the email sender for recovery and verification emails, create a configuration file that looks like this:
{
"name": "My Project Name",
"services": {
"identity": {
"config": {
"courier": {
"smtp": {
"from_name": "My Custom E-Mail Name"
}
}
}
}
}
}
Next, use the Ory CLI to apply the config:
ory update project --project <project-id> --workspace <workspace-id> --file config.json
Patch configuration
When you want to change specific parts of the configuration instead of overwriting the entire config, use the ory patch command.
Use this command in combination with JSON Patch to target individual keys.
To perform an update similar to the one described in the previous paragraph and change the name of the email sender for recovery and verification emails, run this command:
ory patch project --project <project-id> --workspace <workspace-id> \
--replace '/services/identity/config/courier/smtp/from_name="My Custom E-Mail Name"'
Use the --replace flag to indicate the key you want to change.
When patching configuration, the part after = is interpreted as raw JSON. Use this format to patch the desired data types:
- String:
/path/to/key="my string" - Boolean:
/path/to/key=true - Number:
/path/to/key=123 - Complex:
/path/to/key={"my": ["values", {"foo":"bar"}]}