49. Endpoints

Actuator endpoints allow you to monitor and interact with your application. Spring Boot includes a number of built-in endpoints and you can also add your own. For example the health endpoint provides basic application health information.

The way that endpoints are exposed will depend on the type of technology that you choose. Most applications choose HTTP monitoring, where the ID of the endpoint along with a prefix of /application is mapped to a URL. For example, by default, the health endpoint will be mapped to /application/health.

The following technology agnostic endpoints are available:



Exposes audit events information for the current application.


Displays an auto-configuration report showing all auto-configuration candidates and the reason why they ‘were’ or ‘were not’ applied.


Displays a complete list of all the Spring beans in your application.


Displays a collated list of all @ConfigurationProperties.


Exposes properties from Spring’s ConfigurableEnvironment.


Shows any Flyway database migrations that have been applied.


Shows application health information.


Displays arbitrary application info.


Shows and modifies the configuration of loggers in the application.


Shows any Liquibase database migrations that have been applied.


Shows ‘metrics’ information for the current application.


Displays a collated list of all @RequestMapping paths.


Allows retrieval and deletion of user’s sessions from Spring Session backed session store.


Allows the application to be gracefully shutdown (not enabled by default).


Show application status information (i.e. health status with no additional details).


Performs a thread dump.


Displays trace information (by default the last 100 HTTP requests).

If your application is a web application (Spring MVC, Spring WebFlux, or Jersey), the following additional endpoints can also be used:



Returns a GZip compressed hprof heap dump file.


Returns the contents of the logfile (if logging.file or logging.path properties have been set). Supports the use of the HTTP Range header to retrieve part of the log file’s content.


Exposes metrics in a format that can be scraped by a Prometheus server.

49.1 Securing endpoints

By default all HTTP endpoints are secured such that only users that have an ACTUATOR role may access them. Security is enforced using the standard HttpServletRequest.isUserInRole method.


Use the management.security.roles property if you want something different to ACTUATOR.

If you are deploying applications behind a firewall, you may prefer that all your actuator endpoints can be accessed without requiring authentication. You can do this by changing the management.security.enabled property:




By default, actuator endpoints are exposed on the same port that serves regular HTTP traffic. Take care not to accidentally expose sensitive information if you change the management.security.enabled property.

If you’re deploying applications publicly, you may want to add ‘Spring Security’ to handle user authentication. When ‘Spring Security’ is added, by default ‘basic’ authentication will be used with the username user and a generated password (which is printed on the console when the application starts).


Generated passwords are logged as the application starts. Search for ‘Using default security password’.

You can use Spring properties to change the username and password and to change the security role(s) required to access the endpoints. For example, you might set the following in your application.properties:


If your application has custom security configuration and you want all your actuator endpoints to be accessible without authentication, you need to explicitly configure that in your security configuration. Along with that, you need to change the management.security.enabled property to false.

If your custom security configuration secures your actuator endpoints, you also need to ensure that the authenticated user has the roles specified under management.security.roles.


If you don’t have a use case for exposing basic health information to unauthenticated users, and you have secured the actuator endpoints with custom security, you can set management.security.enabled to false. This will inform Spring Boot to skip the additional role check.

49.2 Customizing endpoints

Endpoints can be customized using Spring properties. You can change if an endpoint is enabled and its id.

For example, here is an application.properties that changes the id of the beans endpoint and also enables shutdown.


The prefix ‟endpoints + . + name” is used to uniquely identify the endpoint that is being configured.

By default, all endpoints except for shutdown are enabled. If you prefer to specifically “opt-in” endpoint enablement you can use the endpoints.default.enabled property. For example, the following will disable all endpoints except for info:


49.3 Hypermedia for actuator web endpoints

A “discovery page” is added with links to all the endpoints. The “discovery page” is available on /application by default.

When a custom management context path is configured, the “discovery page” will automatically move from /application to the root of the management context. For example, if the management context path is /management then the discovery page will be available from /management. When the management context path is set to / the discovery page is disabled to prevent the possibility of a clash with other mappings.

49.4 CORS support

Cross-origin resource sharing (CORS) is a W3C specification that allows you to specify in a flexible way what kind of cross domain requests are authorized. If you are using Spring MVC or Spring WebFlux, Actuator’s web endpoints can be configured to support such scenarios.

CORS support is disabled by default and is only enabled once the management.endpoints.cors.allowed-origins property has been set. The configuration below permits GET and POST calls from the example.com domain:


Check CorsEndpointProperties for a complete list of options.

49.5 Adding custom endpoints

If you add a @Bean annotated with @Endpoint, any methods annotated with @ReadOperation or @WriteOperation will automatically be exposed over JMX and, in a web application, over HTTP as well.


If you are doing this as a library feature consider adding a configuration class annotated with @ManagementContextConfiguration to /META-INF/spring.factories under the key org.springframework.boot.actuate.autoconfigure.ManagementContextConfiguration. If you do that then the endpoint will move to a child context with all the other web endpoints endpoints if your users ask for a separate management port or address.

49.6 Health information

Health information can be used to check the status of your running application. It is often used by monitoring software to alert someone if a production system goes down. The default information exposed by the health endpoint depends on how it is accessed. For an unauthenticated connection in a secure application a simple ‘status’ message is returned, and for an authenticated connection additional details are also displayed (see Section 50.6, “HTTP health endpoint format and access restrictions” for HTTP details).

Health information is collected from all HealthIndicator beans defined in your ApplicationContext. Spring Boot includes a number of auto-configured HealthIndicators and you can also write your own. By default, the final system state is derived by the HealthAggregator which sorts the statuses from each HealthIndicator based on an ordered list of statuses. The first status in the sorted list is used as the overall health status. If no HealthIndicator returns a status that is known to the HealthAggregator, an UNKNOWN status is used.

49.6.1 Auto-configured HealthIndicators

The following HealthIndicators are auto-configured by Spring Boot when appropriate:



Checks that a Cassandra database is up.


Checks for low disk space.


Checks that a connection to DataSource can be obtained.


Checks that an Elasticsearch cluster is up.


Checks that a JMS broker is up.


Checks that a mail server is up.


Checks that a Mongo database is up.


Checks that a Rabbit server is up.


Checks that a Redis server is up.


Checks that a Solr server is up.


It is possible to disable them all using the management.health.defaults.enabled property.

49.6.2 Writing custom HealthIndicators

To provide custom health information you can register Spring beans that implement the HealthIndicator interface. You need to provide an implementation of the health() method and return a Health response. The Health response should include a status and can optionally include additional details to be displayed.

import org.springframework.boot.actuate.health.Health;
import org.springframework.boot.actuate.health.HealthIndicator;
import org.springframework.stereotype.Component;

public class MyHealthIndicator implements HealthIndicator {

	public Health health() {
		int errorCode = check(); // perform some specific health check
		if (errorCode != 0) {
			return Health.down().withDetail("Error Code", errorCode).build();
		return Health.up().build();


The identifier for a given HealthIndicator is the name of the bean without the HealthIndicator suffix if it exists. In the example above, the health information will be available in an entry named my.

In addition to Spring Boot’s predefined Status types, it is also possible for Health to return a custom Status that represents a new system state. In such cases a custom implementation of the HealthAggregator interface also needs to be provided, or the default implementation has to be configured using the management.health.status.order configuration property.

For example, assuming a new Status with code FATAL is being used in one of your HealthIndicator implementations. To configure the severity order add the following to your application properties:

management.health.status.order=FATAL, DOWN, OUT_OF_SERVICE, UNKNOWN, UP

The HTTP status code in the response reflects the overall health status (e.g. UP maps to 200, OUT_OF_SERVICE or DOWN to 503). You might also want to register custom status mappings if you access the health endpoint over HTTP. For example, the following maps FATAL to 503 (service unavailable).


If you need more control you can define your own HealthStatusHttpMapper bean.

The default status mappings for the built-in statuses are:







No mapping by default, so http status is 200


No mapping by default, so http status is 200

49.7 Application information

Application information exposes various information collected from all InfoContributor beans defined in your ApplicationContext. Spring Boot includes a number of auto-configured InfoContributors and you can also write your own.

49.7.1 Auto-configured InfoContributors

The following InfoContributors are auto-configured by Spring Boot when appropriate:



Expose any key from the Environment under the info key.


Expose git information if a git.properties file is available.


Expose build information if a META-INF/build-info.properties file is available.


It is possible to disable them all using the management.info.defaults.enabled property.

49.7.2 Custom application info information

You can customize the data exposed by the info endpoint by setting info.* Spring properties. All Environment properties under the info key will be automatically exposed. For example, you could add the following to your application.properties:


Rather than hardcoding those values you could also expand info properties at build time.

Assuming you are using Maven, you could rewrite the example above as follows:

info.app.encoding[email protected]@
info.app.java.source[email protected]@
info.app.java.target[email protected]@

49.7.3 Git commit information

Another useful feature of the info endpoint is its ability to publish information about the state of your git source code repository when the project was built. If a GitProperties bean is available, the git.branch, git.commit.id and git.commit.time properties will be exposed.


A GitProperties bean is auto-configured if a git.properties file is available at the root of the classpath. See Generate git information for more details.

If you want to display the full git information (i.e. the full content of git.properties), use the management.info.git.mode property:


49.7.4 Build information

The info endpoint can also publish information about your build if a BuildProperties bean is available. This happens if a META-INF/build-info.properties file is available in the classpath.


The Maven and Gradle plugins can both generate that file, see Generate build information for more details.

49.7.5 Writing custom InfoContributors

To provide custom application information you can register Spring beans that implement the InfoContributor interface.

The example below contributes an example entry with a single value:

import java.util.Collections;

import org.springframework.boot.actuate.info.Info;
import org.springframework.boot.actuate.info.InfoContributor;
import org.springframework.stereotype.Component;

public class ExampleInfoContributor implements InfoContributor {

	public void contribute(Info.Builder builder) {
				Collections.singletonMap("key", "value"));


If you hit the info endpoint you should see a response that contains the following additional entry:

	"example": {
		"key" : "value"