chmonitor
Authentication

Authentication

Two-layer auth system for chmonitor — choose a browser auth provider and an optional API key layer for programmatic access.

chmonitor has two independent auth layers that work together on every /api/v1/* route. A request is allowed when either layer accepts it. The only fully public setup is CHM_AUTH_PROVIDER=none with no CHM_API_KEY_SECRET.

  • Auth provider — one of none, clerk, proxy, or trusted. Controls whether browser sessions are authenticated. Set the canonical CHM_AUTH_PROVIDER; the client VITE_AUTH_PROVIDER is derived from it at build time (you don't set it separately).
  • API key layer — always active when CHM_API_KEY_SECRET is set. Authenticates programmatic clients (MCP, scripts, CI) with signed chm_ Bearer tokens, independent of the provider.

Compare auth methods

MethodWho reads itBrowser / proxy authcurl / MCP auth
Public (none)opennone needed
API keyProvider-agnostic; active when CHM_API_KEY_SECRET setAuthorization: Bearer chm_…
Clerkclerk providerClerk __session cookieClerk token or chm_ key
Clerk OAuth (MCP only)MCP serverOAuth bearer token
Proxy → Cloudflare Accessproxy providerCf-Access-Jwt-Assertion JWT
Proxy → trusted header (bare subject)proxy providerX-Forwarded-User + shared secretshared secret header
Proxy → trusted headers (full profile)trusted providerforwarded headers (oauth2-proxy / Dex / Authelia)shared secret header

Which one should I use?

SituationRecommended setup
Local dev or internal network, no login neededPublic (none) — default
Hosted dashboard with user accounts and sign-inClerk
Behind Cloudflare AccessProxy — cloudflare-access
Behind nginx/SSO with a bare identity headerProxy — trusted-header
Behind oauth2-proxy / Dex / Authelia / Traefik ForwardAuthTrusted (trusted)
MCP clients, scripts, CI pipelinesAPI key (CHM_API_KEY_SECRET) — add alongside any provider

How enforcement decides

Request evaluation order

For each /api/v1/* request, in order:

  1. If CHM_AUTH_PROVIDER=none and CHM_API_KEY_SECRET is not set → allow (public).
  2. The key-issuance route /api/v1/auth/api-key is exempt (it has its own auth).
  3. A valid chm_ Bearer token → allow.
  4. The active provider's check runs; if it authenticates → allow.
  5. Otherwise → 401 { "error": "Authentication required" }.

All paths fail closed: a missing config or verification error resolves to "not authenticated".

Choose a provider

On this page