chmonitor
Authentication

Public (no auth)

Run chmonitor with no authentication — all routes are open to anyone who can reach the server. Best for local dev or trusted networks.

Public is the default mode. The dashboard and all /api/v1/* routes are open to anyone who can reach the server.

Setup

No configuration needed — this is the default when CHM_AUTH_PROVIDER is unset.

CHM_AUTH_PROVIDER=none   # or omit entirely

If you also set CHM_API_KEY_SECRET, the API key layer activates for non-browser callers — /api/v1/* will require a chm_ token from scripts and MCP clients even though the browser dashboard remains open. See API keys.

When to use

Public mode fits environments where every visitor is already trusted:

  • Local development
  • Internal network with no external exposure
  • Read-only dashboards where the data is not sensitive

Avoid public mode for:

  • Any public-internet deployment where you want to restrict access
  • Dashboards showing sensitive query data or credentials
  • Multi-user setups where you need per-user audit trails

Troubleshooting

Not for public internet

Do not use public mode on an internet-exposed deployment. Your ClickHouse credentials and query data will be visible to any visitor. Switch to a provider before exposing the dashboard externally.

To add browser authentication, switch to another provider:

To lock down programmatic access only (keep the dashboard open), set CHM_API_KEY_SECRET and issue chm_ tokens to authorized callers. See API keys.

On this page