Operating › Authentication

Authentication

Dev bypass for local use, OIDC for real logins, API keys for the REST API.

Dev auth (default in the image)

The shipped image runs in dev mode, where any visitor is logged in as an admin (server.auth.dev: true). Great for a first look, unsafe for anything reachable by others — turn it off for real deployments.

OIDC logins

Point Uptimer at any OIDC provider (Keycloak, Auth0, Google, …). The callback path is /ui/auth/oauth/callback:

server:
  auth:
    dev: false
    oidc:
      issuer_url:    https://id.example.com/realms/main
      client_id:     uptimer
      client_secret: "…"
      redirect_url:  https://uptimer.example.com/ui/auth/oauth/callback

or the matching UPTIMER__SERVER__AUTH__OIDC__* env vars. With OIDC configured, dev auth is off.

Example: Keycloak

A self-contained Keycloak + Uptimer stack (full realm import in examples/1.3.0/keycloak):

services:
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    command: ["start-dev", "--import-realm"]
    ports: ["8080:8080"]
    environment:
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: admin
    volumes:
      - ./realm-config.json:/opt/keycloak/data/import/realm-config.json:ro
  uptimer:
    image: ghcr.io/myuptime-info/uptimer:1.3.0
    command: ["--delay", "20", "dev"]   # dev command, real OIDC; delay waits for Keycloak
    ports: ["2517:2517"]
    volumes: ["./data:/data"]
    environment:
      UPTIMER__SERVER__AUTH__DEV: "false"
      UPTIMER__SERVER__AUTH__OIDC__CLIENT_ID: "uptimer-dev"
      UPTIMER__SERVER__AUTH__OIDC__CLIENT_SECRET: "1234567890"
      UPTIMER__SERVER__AUTH__OIDC__ISSUER_URL: "http://keycloak:8080/realms/uptimer-dev-keycloak-example"
      UPTIMER__SERVER__AUTH__OIDC__REDIRECT_URL: "http://uptimer-dev:2517/ui/auth/oauth/callback"

The imported realm defines the uptimer-dev client and a test/test user, and maps a custom nickname claim that Uptimer uses as the username. To run it locally, map keycloak and uptimer-dev to 127.0.0.1 in /etc/hosts, then docker compose up and sign in at http://uptimer-dev:2517 with test/test.

API keys (REST API)

The REST API authenticates with a Bearer token you mint in the dashboard (Settings → API Keys). Send it as Authorization: Bearer <token>; see the REST API reference.

Reverse-proxy auth

For a quick lock on an internal instance, add HTTP basic auth in nginx in front of the UI — see examples/1.3.0/http-auth.