Skip to main content

API Key Authentication

Generate an API Key#

When one of the authentication providers is configured, API clients should provide an authentication token. You can generate it via the UI, if you have Admin role:

  1. Log in using an account with the Admin role.
  2. Navigate to Settings page in the left sidebar.
  3. Open API keys tab.
  4. Click on Add Key button.
  5. Type in a descriptive unique API key name.
  6. Select the appropriate role.
  7. Specify expiration period in seconds. Set 0, if you want the key to never expire.
  8. Click Add API Key button.
  9. Copy the key. The key is not stored and can't be viewed after the creation.

If you don't have an admin user, follow the instructions to create one

Authenticate Agents with an API Key#

Pyroscope Server can be configured to require authentication from the agents ingesting data in the push mode. By default, anyone can send data to Pyroscope Server without any authentication.

1. Enable Agent Authentication#

In order to secure the data ingestion, specify the auth.ingestion.enabled parameter in the Pyroscope configuration file:

auth:  ingestion:    enabled: true

The options can be also specified via CLI flags or environment variables. See the server configuration page for more details on the Pyroscope configuration.

You will need to restart Pyroscope Server for the configuration to take effect.

2. Get API Key#

First, we need to get an API key with the Agent role that would allow agents to authenticate and ingest data. Generate an API Key paragraph describes how a new key can be generated.

3. Specify Authentication Token#

Now the API Key should be provided to the agent as the authentication token. The way an authentication token is specified on the agent side depends on the integration used and is described in the corresponding page.

For example, in Go you should specify AuthToken configuration parameter:

package main
import ""
func main() {  pyroscope.Start(pyroscope.Config{    ApplicationName: "",    ServerAddress:   "http://pyroscope-server:4040",    AuthToken:       os.Getenv("PYROSCOPE_AUTH_TOKEN"),  })
  // your code goes here}

If the application is profiled using exec or connect mode, we recommend you specifying the API Key via the PYROSCOPE_AUTH_TOKEN environment variable.