Explanation of Netbird management.json file structure

Hey all,

I have had a self-hosted Netbird installation for some time, and initially I used the quickstart script to implement the setup. Later I re-installed the environment with Ansible automation, and I got stuck with the Netbird management service, as the management.json file isn't so well documented. The template on GitHub (netbird/infrastructure_files/management.json.tmpl in netbirdio/netbird) is there for reference, but it doesn't really describe which parameters are used for what purpose.

Now asking for community assistance to describe the structure and purpose of the different sections in the management.json file. Could someone explain what sections like "HttpConfig", "IdpManagerConfig", "DeviceAuthorizationFlow" and "PKCEAuthorizationFlow" are used for, and how I should populate the parameter values?

I had to reverse-engineer the quickstart installation script in order to fill in the parameters from my own environment, and I got my setup working, but it was more luck than knowledge of how to get the setup working.

I'm using self-hosted Zitadel as the IdP, and it includes a Netbird project with 2 apps, Dashboard and CLI, configured similarly to the Netbird quickstart script.

Would appreciate the help with this :)

Thanks in advance,

-Tuomo

So there is a ./configure.sh script; this uses the content from your .well-known/openid-configuration to fill in that config. For example, this is my file for my specific setup:

    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "<public client id>",
        "AuthIssuer": "https://sso.stefanocoding.me/application/o/vpn/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://sso.stefanocoding.me/application/o/vpn/jwks/",
        "OIDCConfigEndpoint": "https://sso.stefanocoding.me/application/o/vpn/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "authentik",
        "ClientConfig": {
            "Issuer": "https://sso.stefanocoding.me/application/o/vpn",
            "TokenEndpoint": "https://sso.stefanocoding.me/application/o/token/",
            "ClientID": "<public client id>",
            "ClientSecret": "",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "Password": "<password used by the netbird user in authentik to populate user information>",
            "Username": "Netbird"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "openid profile email offline_access api",
            "ClientSecret": "",
            "Domain": "sso.stefanocoding.me",
            "Audience": "<public client id>",
            "TokenEndpoint": "https://sso.stefanocoding.me/application/o/token/",
            "DeviceAuthEndpoint": "https://sso.stefanocoding.me/application/o/device/",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null,
            "DisablePromptLogin": false,
            "LoginFlag": 0
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "<public client id>",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "<public client id>",
            "TokenEndpoint": "https://sso.stefanocoding.me/application/o/token/",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://sso.stefanocoding.me/application/o/authorize/",
            "Scope": "openid profile email offline_access api",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:5300"
            ],
            "DisablePromptLogin": true,
            "LoginFlag": 0
        }
    },

All that information is used by the client to determine how to connect to your IDP and for clients to connect to/with it. Although it will be different for you when you start to configure it.
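To make the "fill it from the discovery document" step concrete, here is an added example (not code from either poster, nor from the Netbird project or its configure.sh) that derives the HttpConfig, DeviceAuthorizationFlow and PKCEAuthorizationFlow sections from a constructed .well-known/openid-configuration document, and then runs a few sanity checks on the result. The field names are taken from the config in the reply above; the hostname, paths and client id are placeholders, and the IdpManagerConfig section is left out because its contents depend on the specific IdP rather than on the discovery document.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an IdP discovery document (.well-known/openid-configuration).
# Host and paths are placeholders, not a real deployment.
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.invalid/application/o/vpn/",
    "authorization_endpoint": "https://sso.example.invalid/application/o/authorize/",
    "token_endpoint": "https://sso.example.invalid/application/o/token/",
    "device_authorization_endpoint": "https://sso.example.invalid/application/o/device/",
    "jwks_uri": "https://sso.example.invalid/application/o/vpn/jwks/",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}


def build_management_config(discovery, client_id,
                            scope="openid profile email offline_access api",
                            redirect_urls=("http://localhost:5300",)):
    """Derive the auth-related management.json sections from a discovery document.
    `client_id` is the public OIDC client used by the dashboard and CLI (hypothetical)."""
    issuer = discovery["issuer"]
    domain = urlparse(issuer).netloc
    http_config = {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": client_id,                   # tokens must carry this `aud`
        "AuthIssuer": issuer,                        # tokens must carry this `iss`
        "AuthUserIDClaim": "",
        "AuthKeysLocation": discovery["jwks_uri"],   # where token signing keys are fetched
        "OIDCConfigEndpoint": issuer.rstrip("/") + "/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": False,
        "ExtraAuthAudience": "",
    }
    pkce_flow = {
        "ProviderConfig": {
            "ClientID": client_id,
            "ClientSecret": "",
            "Domain": "",
            "Audience": client_id,
            "TokenEndpoint": discovery["token_endpoint"],
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": discovery["authorization_endpoint"],
            "Scope": scope,
            "UseIDToken": False,
            "RedirectURLs": list(redirect_urls),
            "DisablePromptLogin": True,
            "LoginFlag": 0,
        }
    }
    cfg = {"HttpConfig": http_config, "PKCEAuthorizationFlow": pkce_flow}
    # Only emit the device flow if the IdP actually advertises a device endpoint.
    if "device_authorization_endpoint" in discovery:
        cfg["DeviceAuthorizationFlow"] = {
            "Provider": "hosted",
            "ProviderConfig": {
                "ClientID": client_id,
                "ClientSecret": "",
                "Domain": domain,
                "Audience": client_id,
                "TokenEndpoint": discovery["token_endpoint"],
                "DeviceAuthEndpoint": discovery["device_authorization_endpoint"],
                "AuthorizationEndpoint": "",
                "Scope": "openid",
                "UseIDToken": False,
                "RedirectURLs": None,
                "DisablePromptLogin": False,
                "LoginFlag": 0,
            },
        }
    return cfg


def check_config(cfg):
    """Sanity checks to run before deploying; returns a list of findings (empty is good)."""
    findings = []
    http = cfg["HttpConfig"]
    for key in ("AuthIssuer", "AuthKeysLocation", "OIDCConfigEndpoint"):
        if not http[key].startswith("https://"):
            findings.append(f"HttpConfig.{key} is not https")
    if urlparse(http["AuthKeysLocation"]).netloc != urlparse(http["AuthIssuer"]).netloc:
        findings.append("AuthKeysLocation host differs from AuthIssuer host")
    for section in ("DeviceAuthorizationFlow", "PKCEAuthorizationFlow"):
        pc = cfg.get(section, {}).get("ProviderConfig")
        if not pc:
            continue
        if any(ch.isspace() for ch in pc["ClientID"]):
            findings.append(f"{section}.ClientID contains whitespace (client id and scope swapped?)")
        if pc["Audience"] != http["AuthAudience"]:
            findings.append(f"{section}.Audience does not match HttpConfig.AuthAudience")
        if pc["ClientSecret"]:
            findings.append(f"{section}.ClientSecret is set; these sections are handed to clients")
    return findings


if __name__ == "__main__":
    config = build_management_config(SAMPLE_DISCOVERY, "<public client id>")
    print(json.dumps(config, indent=4))
    print("findings:", check_config(config))
```

The checks encode what is worth verifying by hand as well: the issuer, JWKS and discovery URLs should be https and on the same host, the Audience in each flow should equal HttpConfig.AuthAudience so tokens minted for the dashboard or CLI are accepted by the management service, and the flow sections should not carry a client secret, since the management service hands them to connecting clients.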