# Configure Redpanda Console to Connect to a Redpanda Cluster

> For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [streaming-full.txt](https://docs.redpanda.com/streaming-full.txt)

---
title: Configure Redpanda Console to Connect to a Redpanda Cluster
latest-redpanda-tag: v25.1.1
latest-console-tag: v3.7.3
latest-operator-version: v26.1.4
# EOL = End-of-Life (support lifecycle status)
page-is-nearing-eol: "false"
page-is-past-eol: "true"
page-eol-date: April 7, 2026
latest-connect-version: 4.93.0
docname: config/connect-to-redpanda
page-component-name: streaming
page-version: "25.1"
page-component-version: "25.1"
page-component-title: Streaming
page-relative-src-path: config/connect-to-redpanda.adoc
page-edit-url: https://github.com/redpanda-data/docs/edit/v/25.1/modules/console/pages/config/connect-to-redpanda.adoc
description: This topic provides instructions on configuring Redpanda Console to connect to a Redpanda cluster. The configuration ensures that Redpanda Console can communicate with your Redpanda brokers.
page-git-created-date: "2024-09-11"
page-git-modified-date: "2025-06-18"
support-status: past end-of-life
---

<!-- Source: https://docs.redpanda.com/streaming/25.1/console/config/connect-to-redpanda.md -->

Redpanda Console connects to your Redpanda cluster using dedicated configuration blocks for the Kafka API, Schema Registry API, and Admin API. Each connection serves a different purpose:

-   **Kafka API:** Enables core messaging operations and authenticates requests to your Kafka cluster.

-   **Schema Registry API:** Allows Redpanda Console to manage and display schema information.

-   **Admin API:** Unlocks management features such as viewing cluster details, managing users, and generating debug bundles.


To ensure secure and reliable communication, each connection must be configured with the appropriate authentication, TLS, and startup settings. The authentication mechanism you configure in Redpanda Console must match the one set up in your Redpanda cluster, ensuring that the user’s credentials are properly verified.

This guide provides detailed instructions and examples for configuring each of these connections.

## [](#prerequisites)Prerequisites

Ensure that you have:

-   Access to your Redpanda cluster’s broker URLs.

-   The necessary configuration details if your cluster requires authentication, TLS, or other security measures.


## [](#configure-a-connection-to-the-kafka-api)Configure a connection to the Kafka API

Redpanda Console must be configured to communicate with the Kafka API on your Redpanda brokers. This configuration involves specifying the broker endpoints and, if needed, configuring client identification, SASL, and TLS settings.

Here is an example configuration for the Kafka API using OAuth for SASL authentication:

```yaml
kafka:
  brokers:
    - "http://broker1.example.com:9092"
    - "http://broker2.example.com:9092"
  # Optional client identification:
  # clientId: "console"
  # rackId: "zone-a"

  sasl:
    enabled: true
    mechanism: OAUTHBEARER
    impersonateUser: false
    oauth:
      # token: "example-oauth-token" (for static token)
      clientId: "example-client-id"
      clientSecret: "example-client-secret"
      tokenEndpoint: "https://accounts.google.com/token"
      scope: "openid"

  startup:
    establishConnectionEagerly: true   # Test the connection at startup.
    maxRetries: 5                      # Maximum number of retry attempts.
    retryInterval: 1s                  # Initial wait time between retries.
    maxRetryInterval: 60s              # Maximum wait time between retries.
    backoffMultiplier: 2               # Multiplier for increasing retry intervals.

  # TLS configuration (only needed if self-signed certificates or mTLS are used):
  # tls:
    # enabled: true
    # caFilepath: "/path/to/ca-cert.pem"
    # certFilepath: "/path/to/client-cert.pem"
    # keyFilepath: "/path/to/client-key.pem"
    # insecureSkipTlsVerify: false
```

For clusters using Kerberos, the configuration may resemble the following:

```yaml
kafka:
  brokers:
    - "http://broker1.example.com:9092"
  sasl:
    enabled: true
    mechanism: GSSAPI
    impersonateUser: false  # Must be false when using Kerberos with Redpanda Console
    gssapi:
      authType: KEYTAB_AUTH
      keyTabPath: "/path/to/keytab"
      kerberosConfigPath: "/path/to/krb5.conf"
      serviceName: "kafka"
      username: "example-user"
      password: "example-password"
      realm: "EXAMPLE.REALM"
      enableFast: true
```

> 📝 **NOTE**
>
> Because Redpanda Console supports only OIDC and basic authentication for its own login authentication, Kerberos (GSSAPI) configurations cannot be used with user impersonation enabled. Ensure `impersonateUser` is set to `false` when using Kerberos.

> 📝 **NOTE**
>
> Because Redpanda Console supports only OIDC and basic authentication for its own login authentication, Kerberos (GSSAPI) configurations must be used with `impersonateUser` set to `false`.

## [](#configure-access-to-the-schema-registry)Configure access to the Schema Registry

To enable schema management features, you must configure Redpanda Console to connect to the Schema Registry API. This includes specifying the service endpoints and, if needed, setting up authentication.

Example Schema Registry configuration:

```yaml
schemaRegistry:
  enabled: true
  urls:
    - "http://broker1.example.com:8081"
    - "http://broker2.example.com:8081"

  # Optional authentication settings
  authentication:
    impersonateUser: true
    #basic:
      #username: "example-user"
      #password: "example-password"
    #bearerToken: "example-bearer-token"
```

| Schema Registry Configuration Option | Description |
| --- | --- |
| urls | A list of Schema Registry endpoints including the URL scheme (http:// or https://), hostname, and port. Include all endpoints for redundancy. |
| authentication (optional) | Configure authentication for the Schema Registry. Options include basic authentication or bearer tokens. For more detailed instructions on configuring authentication, see Authentication in Redpanda Console. |

## [](#admin)Configure access to the Redpanda Admin API

Configuring a connection to the Redpanda Admin API unlocks additional features in Redpanda Console, including viewing the current Redpanda version, managing data transforms, administering SASL-SCRAM users, and generating debug bundles. This section details the configuration options and how they interact.

Example configuration template:

```yaml
redpanda:
  adminApi:
    enabled: true # Enable connection to the Admin API.
    urls:
      - "http://broker1.example.com:9644" # Provide all endpoints (host:port) for high availability.
      - "http://broker2.example.com:9644"
    # Optional authentication settings
    authentication:
      impersonateUser: true # Use the logged-in user's credentials for authentication.
      # For basic authentication.
      #basic:
        #username: "example-user"
        #password: "example-password"
      # For OIDC, use the `bearerToken` field instead of `basic`.
      #bearerToken: "example-bearer-token"
    startup:
      establishConnectionEagerly: true   # Test the connection at startup.
      maxRetries: 5                      # Maximum number of retry attempts.
      retryInterval: 1s                  # Initial wait time between retries.
      maxRetryInterval: 60s              # Maximum wait time between retries.
      backoffMultiplier: 2               # Multiplier for increasing retry intervals.
```

> 📝 **NOTE**
>
> Include the URLs of _all_ endpoints in the `redpanda.adminApi.urls` array. For some requests such as collecting debug bundles, Redpanda Console must be able to communicate with all brokers individually.

| Redpanda Admin API Configuration Option | Description |
| --- | --- |
| enabled | Activates the connection to the Admin API. Set to true to enable the integration. |
| urls | A list of Admin API endpoints including the URL scheme (http:// or https://), hostname, and port. Providing all URLs enhances reliability. |
| authentication (optional) | Provides credentials using basic authentication or bearer tokens when impersonation is disabled. For more detailed instructions on configuring authentication, see Authentication in Redpanda Console. |
| startup (optional) | Controls connection behavior at startup:establishConnectionEagerly: Tests the connection immediately.maxRetries, retryInterval, maxRetryInterval, backoffMultiplier: Define the retry logic for establishing a connection. |

## [](#suggested-reading)Suggested reading

-   [Redpanda Console Security](https://docs.redpanda.com/streaming/25.1/console/config/security/)

-   [Configure Message Deserialization in Redpanda Console](https://docs.redpanda.com/streaming/25.1/console/config/deserialization/)