
Authentication

Users, roles, and API keys

Glintlog includes built-in authentication with role-based access control. Manage users, create API keys, and secure your observability data.

Initial Setup

On first launch, Glintlog prompts you to create an admin account:

  1. Navigate to http://localhost:8080
  2. Complete the onboarding form with your email and password
  3. You'll be logged in as an admin user

Alternatively, use the API:

curl -X POST http://localhost:8080/api/v1/setup/init \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@example.com",
    "password": "your-secure-password"
  }'

User Roles

Role    Permissions
admin   Full access: manage users, API keys, settings, and all data
user    Read access: view logs, traces, and statistics

Login

Web UI

Navigate to http://localhost:8080/login and enter your credentials.

API

curl -X POST http://localhost:8080/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@example.com",
    "password": "your-password"
  }'

Response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
  "expires_in": 3600
}

Using Tokens

Include the access token in the Authorization header:

curl http://localhost:8080/api/v1/logs \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Refresh Tokens

Access tokens expire after 1 hour. Use the refresh token to get a new access token:

curl -X POST http://localhost:8080/api/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "refresh_token": "eyJhbGciOiJIUzI1NiIs..."
  }'
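The login, bearer-header and refresh flow above, as an added Python client that is not part of Glintlog's own code. It assumes the refresh endpoint returns the same JSON shape as login; the `post` and `clock` parameters are hypothetical hooks so the refresh logic can be exercised without a live server.

```python
import json
import time
import urllib.request

# Added example, not Glintlog project code. Endpoints, header and response
# fields follow the documentation above; `post`/`clock` are hypothetical hooks.
class GlintlogSession:
    """Keeps a bearer token valid, refreshing before the 1-hour expiry."""

    def __init__(self, base_url, post=None, clock=time.time, skew=60):
        self.base_url = base_url.rstrip("/")
        self.post = post or self._http_post
        self.clock = clock
        self.skew = skew  # refresh this many seconds before expires_at
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def _http_post(self, path, body):
        req = urllib.request.Request(
            self.base_url + path, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def _store(self, tokens):
        self.access_token = tokens["access_token"]
        # Assumption: a refresh may or may not rotate the refresh token.
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + float(tokens["expires_in"])

    def login(self, email, password):
        self._store(self.post("/api/v1/auth/login",
                              {"email": email, "password": password}))

    def refresh(self):
        self._store(self.post("/api/v1/auth/refresh",
                              {"refresh_token": self.refresh_token}))

    def auth_header(self):
        """Return the Authorization header, refreshing first if needed."""
        if self.access_token is None:
            raise RuntimeError("not logged in")
        if self.clock() >= self.expires_at - self.skew:
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}
```

Pass `auth_header()` as the headers of each request so a long-running job never sends an expired access token.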

API Keys

API keys provide programmatic access for log ingestion and automation. Unlike user tokens, API keys don't expire (unless revoked).

Create an API Key

Through the admin panel or API:

curl -X POST http://localhost:8080/api/v1/admin/api-keys \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-ingest",
    "description": "Log ingestion from production services"
  }'

Response:

{
  "id": "ak_abc123...",
  "name": "production-ingest",
  "key": "glk_1234567890abcdef...",
  "created_at": "2024-01-15T10:30:00Z"
}

Save the API key immediately. It's only shown once and cannot be retrieved later.

Using API Keys

For log ingestion, include the key in the X-Glintlog-Key header:

curl -X POST http://localhost:4318/v1/logs \
  -H "Content-Type: application/json" \
  -H "X-Glintlog-Key: glk_1234567890abcdef..." \
  -d @logs.json

For REST API access, you can also use API keys:

curl http://localhost:8080/api/v1/logs \
  -H "X-Glintlog-Key: glk_1234567890abcdef..."

List API Keys

curl http://localhost:8080/api/v1/admin/api-keys \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN"

Revoke an API Key

curl -X DELETE http://localhost:8080/api/v1/admin/api-keys/ak_abc123 \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN"

User Management

Admins can create and manage users.

Create User

curl -X POST http://localhost:8080/api/v1/admin/users \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "developer@example.com",
    "password": "secure-password",
    "role": "user"
  }'

List Users

curl http://localhost:8080/api/v1/admin/users \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN"

Delete User

curl -X DELETE http://localhost:8080/api/v1/admin/users/user_id \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN"

Password Reset

If email is configured, users can reset their passwords:

Request Reset

curl -X POST http://localhost:8080/api/v1/auth/password-reset/request \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com"
  }'

Complete Reset

Use the token from the email:

curl -X POST http://localhost:8080/api/v1/auth/password-reset/complete \
  -H "Content-Type: application/json" \
  -d '{
    "token": "reset-token-from-email",
    "new_password": "new-secure-password"
  }'

Session Management

View and manage active sessions:

# Get current user info
curl http://localhost:8080/api/v1/auth/me \
  -H "Authorization: Bearer YOUR_TOKEN"

# Logout (invalidate current session)
curl -X POST http://localhost:8080/api/v1/auth/logout \
  -H "Authorization: Bearer YOUR_TOKEN"

Security Best Practices

  1. Use strong passwords - Minimum 12 characters with mixed case, numbers, and symbols
  2. Rotate API keys - Periodically create new keys and revoke old ones
  3. Use HTTPS - Always use TLS in production
  4. Limit admin users - Only grant admin access when necessary
  5. Monitor sessions - Review active sessions in the admin panel
