Menu
Open source

Authentication

Grafana Loki does not come with any included authentication layer. Operators are expected to run an authenticating reverse proxy in front of your services.

The simple scalable deployment mode requires a reverse proxy to be deployed in front of Loki, to direct client API requests to either the read or write nodes. The Loki Helm chart includes a default reverse proxy configuration, using Nginx.

A list of open-source reverse proxies you can use:

Note

When using Loki in multi-tenant mode, Loki requires the HTTP header X-Scope-OrgID to be set to a string identifying the tenant; the responsibility of populating this value should be handled by the authenticating reverse proxy. For more information, read the multi-tenancy documentation.

For information on authenticating Promtail, see the documentation for how to configure Promtail.