Application Settings Reference

RAMP is configured through appsettings.json files in the src/RAMP.API/ directory. Configuration follows ASP.NET Core conventions with environment-specific overrides.

Configuration Files

File	Purpose
appsettings.json	Base configuration (always loaded)
appsettings.Development.json	Development overrides
appsettings.Production.json	Production overrides
appsettings.Docker.json	Docker deployment overrides

Base settings are loaded first, then environment-specific files override matching keys. Later files win.

Environment Variable Overrides

All settings can be overridden via environment variables with the RAMP_ prefix:

RAMP_Database__Provider=Sqlite
RAMP_Jwt__Secret=MyProductionSecret123456789012345
RAMP_Cache__Provider=Redis

Use double underscores (__) to separate nested keys.

---

Database

Configures the database provider and connection.

{
  "Database": {
    "Provider": "SqlServer",
    "ConnectionString": "Server=localhost,1433;Database=RAMP;User Id=sa;Password=YourPassword;TrustServerCertificate=True",
    "AutoMigrate": true,
    "RequireUpToDateSchema": false,
    "RequireUpToDateTranslations": false
  }
}

Property	Type	Default	Description
Provider	enum	SqlServer	Database provider: SqlServer, Sqlite, PostgreSQL, MySQL
ConnectionString	string	(empty)	Database connection string. Falls back to ConnectionStrings:DefaultConnection if empty.
AutoMigrate	bool	true	Automatically apply Entity Framework Core migrations on startup. Set to false in production for controlled migration deployments.
RequireUpToDateSchema	bool	false	If true and pending migrations exist, the API will fail to start. Useful for catching missed migrations in CI/CD.
RequireUpToDateTranslations	bool	false	If true and built-in translations are outdated, the API will fail to start.

Provider-Specific Connection Strings

SQL Server

Server=hostname,1433;Database=RAMP;User Id=sa;Password=YourPassword;TrustServerCertificate=True

SQLite

Data Source=ramp.db

Best for development and small deployments.

PostgreSQL

Host=localhost;Port=5432;Database=RAMP;Username=ramp;Password=YourPassword

MySQL

Server=localhost;Port=3306;Database=RAMP;User=ramp;Password=YourPassword

Legacy ConnectionStrings

For backward compatibility, RAMP also checks the standard ConnectionStrings section:

{
  "ConnectionStrings": {
    "DefaultConnection": "Server=localhost,1433;Database=RAMP;..."
  }
}

If Database:ConnectionString is empty, RAMP falls back to ConnectionStrings:DefaultConnection.

---

JWT Authentication

Configures JSON Web Token authentication for API access.

{
  "Jwt": {
    "Secret": "YourSuperSecretKeyThatIsAtLeast32CharactersLong!",
    "Issuer": "RAMP.API",
    "Audience": "RAMP.Web",
    "ExpiryHours": 8
  }
}

Property	Type	Default	Description
Secret	string	(see default)	HMAC-SHA256 signing key. Minimum 32 characters. Must be changed in production.
Issuer	string	RAMP.API	JWT token issuer claim
Audience	string	RAMP.Web	JWT token audience claim
ExpiryHours	int	8	JWT token lifetime in hours

Danger

The default secret key is for development only. Always set a unique, strong secret in production. Use environment variables to avoid storing secrets in configuration files:

RAMP_Jwt__Secret=YourProductionSecretKeyThatIsVeryLongAndSecure!

---

File Storage

Configures where uploaded files (attachments, evidence) are stored.

{
  "FileStorage": {
    "Provider": "Local",
    "Local": {
      "Path": "uploads"
    },
    "MinIO": {
      "Endpoint": "localhost:9000",
      "AccessKey": "admin",
      "SecretKey": "minio_password",
      "BucketName": "ramp-uploads",
      "UseSSL": false,
      "Region": "us-east-1"
    },
    "AzureBlob": {
      "ConnectionString": "",
      "ContainerName": "ramp-uploads"
    },
    "S3": {
      "AccessKey": "",
      "SecretKey": "",
      "BucketName": "ramp-uploads",
      "Region": "us-east-1",
      "ServiceUrl": ""
    }
  }
}

Provider Options

Provider	Description	Best For
Local	Files stored on local filesystem	Development, single-server deployments
MinIO	S3-compatible object storage	Docker deployments, self-hosted clusters
AzureBlob	Azure Blob Storage	Azure cloud deployments
S3	Amazon S3 or S3-compatible services	AWS deployments, S3-compatible storage

Local Storage

Property	Type	Default	Description
Path	string	uploads	Directory path for file storage. Relative to the API working directory.

MinIO Storage

Property	Type	Default	Description
Endpoint	string	localhost:9000	MinIO server endpoint (host:port)
AccessKey	string	(empty)	MinIO access key
SecretKey	string	(empty)	MinIO secret key
BucketName	string	ramp-uploads	Storage bucket name
UseSSL	bool	false	Use HTTPS for MinIO connections
Region	string	us-east-1	MinIO region

Azure Blob Storage

Property	Type	Default	Description
ConnectionString	string	(empty)	Azure Storage connection string
ContainerName	string	ramp-uploads	Blob container name

S3 Storage

Property	Type	Default	Description
AccessKey	string	(empty)	AWS access key ID
SecretKey	string	(empty)	AWS secret access key
BucketName	string	ramp-uploads	S3 bucket name
Region	string	us-east-1	AWS region
ServiceUrl	string	(empty)	Custom endpoint for S3-compatible services

---

Cache

Configures the caching provider for application data and token blacklisting.

{
  "Cache": {
    "Provider": "InMemory",
    "InMemory": {
      "SizeLimit": 100000000,
      "ExpirationScanFrequency": 60
    },
    "Redis": {
      "ConnectionString": "localhost:6379",
      "InstanceName": "RAMP:",
      "Database": 0,
      "AbortOnConnectFail": false,
      "ConnectTimeout": 5000,
      "SyncTimeout": 5000
    }
  }
}

Provider Options

Provider	Description	Best For
InMemory	In-process memory cache	Single-server deployments, development
Redis	Redis distributed cache	Multi-server deployments, production

Caution

Redis is required for multi-server deployments to ensure cache consistency across instances. It is also required for the token blacklist to work correctly when users change roles.

InMemory Options

Property	Type	Default	Description
SizeLimit	long	100000000	Maximum cache size in bytes (100 MB)
ExpirationScanFrequency	int	60	How often to scan for expired entries (seconds)

Redis Options

Property	Type	Default	Description
ConnectionString	string	localhost:6379	Redis server connection string
InstanceName	string	RAMP:	Key prefix for cache entries
Database	int	0	Redis database number (0-15)
AbortOnConnectFail	bool	false	Throw exception if initial connection fails. Set false for resilience.
ConnectTimeout	int	5000	Connection timeout in milliseconds
SyncTimeout	int	5000	Synchronous operation timeout in milliseconds

---

SignalR (Real-Time Updates)

Configures SignalR for real-time browser notifications and collaboration features.

{
  "SignalR": {
    "UseRedisBackplane": false,
    "Redis": {
      "ConnectionString": "localhost:6379",
      "ChannelPrefix": "RAMP:SignalR:",
      "ConnectTimeout": 5000,
      "SyncTimeout": 5000
    }
  }
}

Property	Type	Default	Description
UseRedisBackplane	bool	false	Enable Redis backplane for multi-server SignalR. Required for load-balanced deployments.

Redis Backplane Options

Property	Type	Default	Description
ConnectionString	string	localhost:6379	Redis server for SignalR backplane
ChannelPrefix	string	RAMP:SignalR:	Redis channel prefix for SignalR messages
ConnectTimeout	int	5000	Connection timeout in milliseconds
SyncTimeout	int	5000	Synchronous operation timeout in milliseconds

Hardcoded SignalR Settings

These values are configured in code and cannot be changed via configuration:

Setting	Value	Description
KeepAliveInterval	15 seconds	Interval between keep-alive pings
ClientTimeoutInterval	30 seconds	Client considered disconnected after this
HandshakeTimeout	15 seconds	Maximum time for initial handshake
MaximumReceiveMessageSize	32 KB	Maximum incoming message size
EnableDetailedErrors	Development only	Detailed error messages in development

---

Email Settings

Configures SMTP for email notifications (password reset, escalations, digests).

{
  "EmailSettings": {
    "SmtpHost": "localhost",
    "SmtpPort": 25,
    "UseSsl": false,
    "Username": null,
    "Password": null,
    "FromAddress": "noreply@ramp.local",
    "FromName": "RAMP Notifications"
  }
}

Property	Type	Default	Description
SmtpHost	string	localhost	SMTP server hostname
SmtpPort	int	25	SMTP server port (25, 587, or 465)
UseSsl	bool	false	Enable SSL/TLS for SMTP connections. Use true with port 587 (STARTTLS) or 465 (implicit TLS).
Username	string	null	SMTP authentication username (optional)
Password	string	null	SMTP authentication password (optional)
FromAddress	string	noreply@ramp.local	Sender email address
FromName	string	RAMP Notifications	Sender display name

Note

When multi-tenancy is enabled, each tenant can override SMTP settings via the Tenant Admin UI.

---

Multi-Tenant

Configures multi-tenancy support. When disabled, RAMP operates as a single-tenant installation.

{
  "MultiTenant": {
    "Enabled": false,
    "ResolutionStrategy": "Cookie",
    "FallbackStrategy": "None",
    "AllowDomain": false,
    "AllowPath": false,
    "AllowDatabasePerTenant": false,
    "DomainPattern": "{tenant}.localhost",
    "PathPrefix": "/tenant",
    "DefaultTenantSlug": "default",
    "RequireTenant": false
  }
}

Property	Type	Default	Description
Enabled	bool	false	Enable multi-tenancy. When false, RAMP operates as single-tenant.
ResolutionStrategy	enum	Cookie	Primary tenant resolution method: Cookie, DomainSlug, Header
FallbackStrategy	enum	None	Fallback resolution if primary fails: Cookie, DomainSlug, Header, None
AllowDomain	bool	false	Allow domain-based tenant resolution (e.g., acme.ramp.example.com)
AllowPath	bool	false	Allow path-based tenant resolution (e.g., /tenant/acme/)
AllowDatabasePerTenant	bool	false	Allow separate databases per tenant (advanced)
DomainPattern	string	{tenant}.localhost	Domain pattern for domain-based resolution. {tenant} is replaced with tenant slug.
PathPrefix	string	/tenant	Path prefix for path-based resolution
DefaultTenantSlug	string	default	Default tenant slug when no tenant is resolved
RequireTenant	bool	false	If true, requests without a resolved tenant are rejected

Resolution Strategies

Strategy	How It Works	Use Case
Cookie	Tenant stored in browser cookie after login	Default. Works with any deployment.
DomainSlug	Tenant extracted from subdomain	When each tenant has its own subdomain
Header	Tenant from X-Tenant-Id header	API-only access, reverse proxy setups

---

Tenant Admin

Configures the Tenant Administration area, including authentication methods for tenant administrators.

{
  "TenantAdmin": {
    "Authentication": {
      "AllowRampInternal": true,
      "AllowWindowsAuth": false,
      "Oidc": {
        "Enabled": false,
        "Authority": "",
        "ClientId": "",
        "ClientSecret": "",
        "Scopes": ["openid", "profile", "email"],
        "DisplayName": "Single Sign-On"
      },
      "Ldap": {
        "Enabled": false,
        "Server": "",
        "Port": 389,
        "UseSsl": false,
        "BaseDn": "",
        "UserFilter": "(uid={0})",
        "BindDn": null,
        "BindPassword": null,
        "DisplayName": "LDAP Directory"
      }
    },
    "Administrators": [
      { "Username": "admin", "Provider": "RampInternal" }
    ]
  }
}

Authentication Options

Property	Type	Default	Description
AllowRampInternal	bool	true	Allow username/password login for tenant admins
AllowWindowsAuth	bool	false	Allow Windows Integrated Authentication

OIDC Options (for Tenant Admin login)

Property	Type	Default	Description
Enabled	bool	false	Enable OIDC authentication for tenant admins
Authority	string	(empty)	OIDC authority URL (e.g., https://keycloak.example.com/realms/ramp)
ClientId	string	(empty)	OIDC client ID
ClientSecret	string	(empty)	OIDC client secret
Scopes	string[]	["openid", "profile", "email"]	OIDC scopes to request
DisplayName	string	Single Sign-On	Button label on login page

LDAP Options (for Tenant Admin login)

Property	Type	Default	Description
Enabled	bool	false	Enable LDAP authentication for tenant admins
Server	string	(empty)	LDAP server hostname
Port	int	389	LDAP server port
UseSsl	bool	false	Use SSL/TLS (LDAPS)
BaseDn	string	(empty)	Base DN for user search
UserFilter	string	(uid={0})	LDAP user filter. {0} is replaced with the username.
BindDn	string	null	Bind DN for LDAP service account
BindPassword	string	null	Bind password for LDAP service account
DisplayName	string	LDAP Directory	Button label on login page

Administrators List

Pre-authorized tenant administrators. Matched during login to determine who has TenantAdministrator access.

Property	Type	Description
Username	string	Username to match (for RampInternal, WindowsAD, Ldap)
Email	string	Email to match (for Oidc)
Provider	string	Authentication provider: RampInternal, WindowsAD, Oidc, Ldap

---

Bootstrap

Configures initial administrator accounts created on first startup. Used for initial setup or emergency access recovery.

{
  "Bootstrap": {
    "Administrators": [
      {
        "IdentityProvider": "RAMP",
        "Username": "admin",
        "Email": "admin@example.com",
        "FirstName": "System",
        "LastName": "Administrator",
        "Password": "Passw0rd"
      }
    ],
    "TenantAdministrators": [
      {
        "IdentityProvider": "RAMP",
        "Username": "tenantadmin",
        "Email": "tenantadmin@ramp.local",
        "FirstName": "Tenant",
        "LastName": "Administrator",
        "Password": "Passw0rd"
      }
    ]
  }
}

Administrator Entry

Property	Type	Default	Description
IdentityProvider	string	RAMP	Identity provider type: RAMP (internal)
Username	string	(required)	Login username
Email	string	(required)	Email address
FirstName	string	null	First name
LastName	string	null	Last name
Password	string	null	Password. If not set, a random password is generated and logged.
ProviderSubjectId	string	null	External provider subject ID (for OIDC/LDAP bootstrap)

On startup, RAMP checks if these users exist. If they don’t, they are created with the specified credentials and assigned the appropriate role (Administrator or TenantAdministrator).

Caution

Remove bootstrap entries from configuration after initial setup, or use environment variables so credentials don’t persist in config files.

See Bootstrap Administrators for detailed setup instructions.

---

Windows Authentication

Configures Windows Integrated Authentication (IIS/Kestrel with Negotiate/NTLM).

{
  "Authentication": {
    "WindowsAuthentication": {
      "AutoProvision": false,
      "Administrators": [],
      "TenantAdministrators": []
    }
  }
}

Property	Type	Default	Description
AutoProvision	bool	false	Automatically create RAMP user accounts on first Windows auth login
Administrators	string[]	[]	Windows domain usernames that receive the Administrator role on login
TenantAdministrators	string[]	[]	Windows domain usernames that receive TenantAdministrator role on login

---

OIDC Direct Access (Development Only)

Enables the OIDC Resource Owner Password Credentials (ROPC) flow for development and testing.

{
  "OidcDirectAccess": {
    "Enabled": false
  }
}

Property	Type	Default	Description
Enabled	bool	false	Enable ROPC flow. Development only — never enable in production.

Danger

ROPC is a legacy OAuth2 flow that sends passwords directly to the API. It is only used for automated testing (E2E tests) and should never be enabled in production environments.

---

Logging (Serilog)

Configures application logging via Serilog.

{
  "Serilog": {
    "MinimumLevel": {
      "Default": "Information",
      "Override": {
        "Microsoft": "Warning",
        "Microsoft.AspNetCore": "Warning",
        "Microsoft.AspNetCore.Authentication": "Error",
        "Microsoft.IdentityModel": "Error",
        "System": "Warning"
      }
    }
  }
}

Log Levels

Level	Description
Verbose	Most detailed logging
Debug	Developer diagnostics
Information	Normal operational events
Warning	Unexpected but handled situations
Error	Failures requiring attention
Fatal	Application crash-level errors

Recommended Overrides

Namespace	Production	Development	Why
Default	Information	Debug	General application logging
Microsoft	Warning	Information	ASP.NET Core framework
Microsoft.AspNetCore	Warning	Information	HTTP request pipeline
Microsoft.AspNetCore.Authentication	Error	Error	Auth middleware (very noisy at Info/Warning)
Microsoft.IdentityModel	Error	Error	JWT token validation (noisy)
System	Warning	Warning	.NET runtime

Log Outputs

RAMP writes logs to:

1. Console — always enabled
2. File — logs/ramp-{date}.log with daily rolling

Additional Serilog sinks can be configured following standard Serilog configuration patterns.

---

Global Settings

Top-level settings that don’t belong to a specific section.

{
  "FrontendUrl": "http://localhost:5173",
  "AllowedHosts": "*"
}

Property	Type	Default	Description
FrontendUrl	string	(empty)	Frontend URL used for CORS policy and email link generation. Set to your web frontend URL.
AllowedHosts	string	*	Standard ASP.NET Core host filtering. Semicolon-separated list of allowed hostnames.

---

Implicit Configuration

Some settings are derived automatically rather than configured directly.

Hangfire (Background Jobs)

• When Database.Provider is SqlServer: Uses SQL Server storage for persistent job queues
• All other providers: Falls back to in-memory storage (jobs lost on restart)
• Dashboard available at /_hangfire (requires Administrator role)

Health Checks

Always available (no configuration needed):

Endpoint	Description
/_health	Overall health status
/_health/ready	Readiness probe (database connectivity)
/_health/live	Liveness probe (application is running)

Swagger / API Documentation

• Available at /_swagger in Development environment only
• Automatically disabled in Production

PID File

• Created at {BaseDirectory}/ramp-api.{pid}.pid on startup
• Automatically deleted on process exit
• Useful for process management scripts

---

Environment-Specific Examples

Development

SQLite + In-Memory cache for local development:

{
  "FrontendUrl": "http://localhost:5173",
  "Database": {
    "Provider": "Sqlite",
    "ConnectionString": "Data Source=ramp_dev.db"
  },
  "Cache": { "Provider": "InMemory" },
  "SignalR": { "UseRedisBackplane": false }
}

Production

SQL Server + Redis for production deployments:

{
  "FrontendUrl": "https://ramp.example.com",
  "Database": {
    "Provider": "SqlServer",
    "ConnectionString": "Server=db-server;Database=RAMP;User Id=ramp_app;Password=CHANGE_ME;TrustServerCertificate=False;Encrypt=True",
    "AutoMigrate": false
  },
  "Jwt": {
    "Secret": "CHANGE_ME_TO_A_LONG_RANDOM_SECRET_KEY_AT_LEAST_32_CHARS"
  },
  "Cache": {
    "Provider": "Redis",
    "Redis": { "ConnectionString": "redis-server:6379", "InstanceName": "RAMP:Prod:" }
  },
  "SignalR": {
    "UseRedisBackplane": true,
    "Redis": { "ConnectionString": "redis-server:6379", "ChannelPrefix": "RAMP:Prod:SignalR:" }
  },
  "FileStorage": {
    "Provider": "MinIO",
    "MinIO": {
      "Endpoint": "minio-server:9000",
      "AccessKey": "CHANGE_ME",
      "SecretKey": "CHANGE_ME",
      "BucketName": "ramp-uploads",
      "UseSSL": true
    }
  },
  "EmailSettings": {
    "SmtpHost": "smtp.example.com",
    "SmtpPort": 587,
    "UseSsl": true,
    "Username": "ramp@example.com",
    "Password": "CHANGE_ME",
    "FromAddress": "ramp@example.com",
    "FromName": "RAMP"
  }
}

Docker

Docker deployment with SQLite, MinIO, and Redis:

{
  "Database": {
    "Provider": "Sqlite",
    "ConnectionString": "Data Source=/app/data/ramp.db"
  },
  "FileStorage": {
    "Provider": "MinIO",
    "MinIO": {
      "Endpoint": "ramp-minio:9000",
      "AccessKey": "admin",
      "SecretKey": "minio_password",
      "BucketName": "ramp-uploads"
    }
  },
  "Cache": {
    "Provider": "Redis",
    "Redis": { "ConnectionString": "ramp-redis:6379" }
  },
  "SignalR": {
    "UseRedisBackplane": true,
    "Redis": { "ConnectionString": "ramp-redis:6379" }
  }
}

---

Related topics

Authentication Overview Choose the right authentication method for your RAMP deployment

Email / SMTP Configuration Configure SMTP for password resets, notifications, and email-based features

Bootstrap Administrators Auto-provision administrator accounts on first startup