Public (no auth)
Run chmonitor with no authentication — all routes are open to anyone who can reach the server. Best for local dev or trusted networks.
Public is the default mode. The dashboard and all /api/v1/* routes are open to anyone who can reach the server.
Setup
No configuration needed — this is the default when CHM_AUTH_PROVIDER is unset.
CHM_AUTH_PROVIDER=none # or omit entirelyIf you also set CHM_API_KEY_SECRET, the API key layer activates for non-browser callers — /api/v1/* will require a chm_ token from scripts and MCP clients even though the browser dashboard remains open. See API keys.
When to use
Public mode fits environments where every visitor is already trusted:
- Local development
- Internal network with no external exposure
- Read-only dashboards where the data is not sensitive
Avoid public mode for:
- Any public-internet deployment where you want to restrict access
- Dashboards showing sensitive query data or credentials
- Multi-user setups where you need per-user audit trails
Troubleshooting
Not for public internet
Do not use public mode on an internet-exposed deployment. Your ClickHouse credentials and query data will be visible to any visitor. Switch to a provider before exposing the dashboard externally.
To add browser authentication, switch to another provider:
Clerk
Add browser sign-in with Clerk accounts.
Cloudflare Access
Put the dashboard behind Cloudflare Access Zero Trust.
Trusted header
Front with nginx or Kubernetes ingress auth.
To lock down programmatic access only (keep the dashboard open), set CHM_API_KEY_SECRET and issue chm_ tokens to authorized callers. See API keys.