Grafana Loki does not come with any included authentication layer. Operators are expected to run an authenticating reverse proxy in front of your services.

The simple scalable deployment mode requires a reverse proxy to be deployed in front of Loki, to direct client API requests to either the read or write nodes. The Loki Helm chart includes a default reverse proxy configuration, using Nginx.

A list of open-source reverse proxies you can use:


When using Loki in multi-tenant mode, Loki requires the HTTP header X-Scope-OrgID to be set to a string identifying the tenant; the responsibility of populating this value should be handled by the authenticating reverse proxy. For more information, read the multi-tenancy documentation.

For information on authenticating Promtail, see the documentation for how to configure Promtail.