Auth

Security & auth

PulseBoard supports single-tenant (open, API-key-only) and multi-tenant (OIDC + per-workspace isolation) deployments.

Modes

ModeAuthIngest
Single-tenantBearer API keyOpen — no auth needed for /ingest/*
Multi-tenantOIDC (any provider) + workspace bearer tokensScoped per tenant; Mimir org header injected

Sign-in flows

RBAC scopes

Federated workload identity

Cross-cloud access (Azure, GCP) uses our OIDC issuer at /.well-known/openid-configuration. The customer configures a Federated Identity Credential (Azure) or a Workload Identity Pool (GCP) pinning the subject we use. We never store client secrets or service-account JSON keys.

Anti-tenant-enumeration

Cross-tenant access attempts return 404 (not 403). Workspace IDs are 22-character ULIDs, not sequential integers.

Audit logging

Every request is access-logged with X-Forwarded-For-aware IP, method, path, status, latency and user-agent. Workspaces on the Enterprise plan can export audit logs to S3/GCS/Azure Blob via the /api/admin/audit/export stream.