Security & auth
PulseBoard supports single-tenant (open, API-key-only) and multi-tenant (OIDC + per-workspace isolation) deployments.
Modes
| Mode | Auth | Ingest |
|---|---|---|
| Single-tenant | Bearer API key | Open — no auth needed for /ingest/* |
| Multi-tenant | OIDC (any provider) + workspace bearer tokens | Scoped per tenant; Mimir org header injected |
Sign-in flows
- Hosted — GitHub OAuth + magic-link email for password-less sign-in.
- Self-host (OIDC) — any OIDC provider via
--oidc-issuer/--oidc-client-id. - Self-host (single-tenant) — API-key-only, no OIDC.
RBAC scopes
admin— full access including tenant management and billing.query— read metrics/logs/traces; manage dashboards and rules.ingest— write-only ingest token (no read access).
Federated workload identity
Cross-cloud access (Azure, GCP) uses our OIDC issuer at /.well-known/openid-configuration. The customer configures a Federated Identity Credential (Azure) or a Workload Identity Pool (GCP) pinning the subject we use. We never store client secrets or service-account JSON keys.
Anti-tenant-enumeration
Cross-tenant access attempts return 404 (not 403). Workspace IDs are 22-character ULIDs, not sequential integers.
Audit logging
Every request is access-logged with X-Forwarded-For-aware IP, method, path, status, latency and user-agent. Workspaces on the Enterprise plan can export audit logs to S3/GCS/Azure Blob via the /api/admin/audit/export stream.