Authentication

obsrv supports two authentication modes: project-scoped API keys for SDK and machine traffic, and signed-in user sessions for dashboard traffic.

API keys

API keys are project-scoped. Every key belongs to exactly one project, and ingest from that key is always written into that project's tenant path. Keys are hashed with argon2id at rest; alongside that hash, only a SHA-256 fingerprint is stored, for fast lookup.

Prefer the x-api-key header for new SDK and HTTP integrations. Bearer auth is accepted for compatibility with older examples.

x-api-key: tk_live_…

Rotating keys

Create a new key in the dashboard, deploy your services with the new value, then revoke the old key. obsrv keeps both keys valid until you explicitly revoke the old one.

Restrictions

Keys can be marked read-only (for trace listing dashboards) or write-only (for ingest from untrusted services). The dashboard exposes the constraint as a per-key toggle.

Dashboard sessions

The dashboard authenticates users with email/password and, when provider secrets are configured, Google OAuth. After sign-in the dashboard mints a short-lived JWT for dashboard-to-API calls; the Go API verifies it with a shared secret.
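
The shared-secret verification described above, sketched with the Go standard library as an added example; it is not obsrv's own code. HS256 as the HMAC algorithm and the sub/exp claim names are assumptions, since this page only states that the JWT is short-lived and verified with a shared secret; the secret, claims and clock values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Seal appends the HMAC-SHA256 signature to an encoded "header.payload" (dashboard side).
func Seal(secret []byte, msg string) string {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(h.Sum(nil))
}

// Verify is the API side: it only ever computes HS256, so the header cannot pick the algorithm.
func Verify(secret []byte, token string, now int64) (string, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg string } // encoding/json matches the lowercase keys case-insensitively
	hb, err := b64.DecodeString(p[0]) // Split always returns at least one element
	if len(p) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return "", errors.New("malformed token or unexpected alg")
	}
	if !hmac.Equal([]byte(token), []byte(Seal(secret, p[0]+"."+p[1]))) { // constant-time compare
		return "", errors.New("bad signature")
	}
	var c struct { // hypothetical claim names; the page does not list obsrv's claims
		Sub string
		Exp int64
	}
	cb, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(cb, &c) != nil || c.Exp <= now {
		return "", errors.New("invalid claims or expired") // a missing exp (0) is rejected too
	}
	return c.Sub, nil
}

func main() {
	k := []byte("constructed-shared-secret") // sample value; load the real one from config
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." +
		b64.EncodeToString([]byte(`{"sub":"user-1","exp":2000}`))
	sub, err := Verify(k, Seal(k, msg), 1000) // constructed clock: now=1000 < exp=2000
	println(sub, err == nil)
}
```

A token whose header claims any algorithm other than HS256 is refused even when its signature is valid under the shared secret, and a token without an exp claim is treated as expired.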

Org membership & roles

  • Owner — full access including billing and member management.
  • Admin — manages projects, keys, members.
  • Member — reads & annotates traces; can configure non-billing settings.
  • Viewer — read-only access to traces and clusters.