Configuration Overview
Waypoint reads a single TOML file (default: waypoint.toml, override with -config). It has a small set of top-level sections plus an array of listeners.
✓ TestLoad_FullConfig internal/config/config_test.go:50
✓ TestLoad_MissingFile internal/config/config_test.go:173
✓ TestLoad_InvalidTOML internal/config/config_test.go:180

    [tailscale]        # tsnet identity, hostname, auth keys
    [redis]            # connection tracking + distributed locks
    [revalidation]     # mid-session identity re-checks
    [provisioning]     # global toggles (e.g. allow_raw_sql)
    [defaults.limits]  # default per-user limits
    [metrics]          # OTLP endpoint, sample rate
    [metrics.enable]   # opt-in per metric name + tag allow-list
    [[listeners]]      # one block per port

Environment variable interpolation
Any string value may contain ${VAR}. Variables are resolved from the process environment at load time. Missing variables fail loudly rather than silently expanding to an empty string.
✓ TestLoad_EnvVarExpansion internal/config/config_test.go:143

    [listeners.postgres]
    admin_password = "${PG_ADMIN_PASSWORD}"

run-proxy (the devenv script) sources a local .env file before exec’ing the binary, which is convenient in development. In production, prefer your orchestrator’s secret-injection mechanism.
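
The fail-loud behaviour described above, as an added example that is not Waypoint's own loader code, contrasted with Go's os.ExpandEnv, which substitutes an empty string for an unset variable. The helper name expandStrict, the ${NAME} pattern it accepts, and treating a set-but-empty variable as present are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// varRef matches ${NAME} only; a bare $NAME is left untouched (assumption).
var varRef = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// expandStrict is a hypothetical helper. It replaces every ${VAR} in s using
// lookup and returns an error naming all unset variables instead of
// substituting "" for them. The error carries names only, never values.
func expandStrict(s string, lookup func(string) (string, bool)) (string, error) {
	var missing []string
	out := varRef.ReplaceAllStringFunc(s, func(m string) string {
		name := m[2 : len(m)-1] // strip "${" and "}"
		v, ok := lookup(name)
		if !ok {
			missing = append(missing, name)
			return m
		}
		return v
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("undefined environment variable(s): %s",
			strings.Join(missing, ", "))
	}
	return out, nil
}

func main() {
	// Constructed sample value mirroring admin_password above.
	const raw = "${PG_ADMIN_PASSWORD}"
	os.Unsetenv("PG_ADMIN_PASSWORD")

	// The stdlib expander silently yields "", i.e. an empty admin password.
	fmt.Printf("os.ExpandEnv -> %q\n", os.ExpandEnv(raw))

	// The strict expander refuses the value, so the load can be aborted.
	_, err := expandStrict(raw, os.LookupEnv)
	fmt.Println("expandStrict ->", err)
}
```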
Full example
See examples/waypoint.toml in the repo for an annotated reference covering every option, including the commented-out alternatives for OAuth, WIF, MongoDB SRV discovery, and Tailscale Services.
Section guides
- Tailscale — hostname, auth keys, OAuth client credentials, Workload Identity Federation.
- Redis — address, key prefix, service-name tag for OTel.
- TLS — tls_mode, Tailscale-managed certs, custom certs.
- Revalidation — mid-session re-checks.
- Provisioning — allow_raw_sql, default limits.