Skip to main content
The FlowX.AI platform supports enabling Kafka authentication across all Java microservices using a dedicated Spring configuration profile. This feature simplifies the activation of secure Kafka communication by centralizing the configuration in one place.
Currently, kafka-auth is the only supported profile provided by the platform for Kafka authentication.

Understanding SPRING_PROFILES_ACTIVE

SPRING_PROFILES_ACTIVE is an environment variable used by Spring Boot to determine which configuration profiles should be active at runtime.

Key characteristics

  • Multiple profiles: Can contain one or more profile names, separated by commas
    • Example: SPRING_PROFILES_ACTIVE=dev,kafka-auth
  • Environment-specific behavior: Profiles allow different sets of configuration to be loaded depending on the environment or required feature set
  • Special kafka-auth profile: Activates Kafka authentication across services
If SPRING_PROFILES_ACTIVE is not set, the application runs with the default profile, which does not include Kafka authentication.

Configuration details

When the kafka-auth profile is enabled, the following Spring Kafka properties are automatically applied:

Configuration properties explained

Required environment variables

The Kafka authentication profile uses environment variables to configure OAuth parameters dynamically. These variables should be set in the runtime environment for each microservice.
These variables should be set in the runtime environment. If they are not provided, the defaults listed above will be used.

Benefits

Enabling the Kafka authentication profile provides several advantages:
  • Centralized enablement: Activates OAuth-based Kafka authentication consistently across services.
  • Configurable via environment variables: No hardcoding of sensitive data in app configuration.
  • Simple activation: Controlled entirely by the SPRING_PROFILES_ACTIVE variable.

Notes and limitations

  • Only the kafka-auth profile is currently supported for Kafka authentication.
  • The profile enforces SASL/OAUTHBEARER with plaintext transport. Secure networking (for example, VPN, mTLS) should be ensured where required.
Last modified on May 12, 2026