This is documentation for the next version of Grafana Tempo documentation. For the latest stable release, go to the latest version.
Manage authentication
Grafana Tempo does not come with any included authentication layer. You must run an authenticating reverse proxy in front of your services.
We recommend that in all deployment modes you add a reverse proxy to be deployed in front of Tempo, to direct client API requests to the various components.
A list of open-source reverse proxies you can use:
- HAProxy
- NGINX using their guide on restricting access with HTTP basic authentication
- OAuth2 proxy
- Pomerium, which has a guide for securing Grafana
Note
When using Tempo in multi-tenant mode, Tempo requires the HTTP header
X-Scope-OrgIDto be set to a string identifying the tenant. It’s assumed that clients settingX-Scope-OrgIDare trusted clients, and the responsibility of populating this value should be handled by the authenticating reverse proxy. For more information, read the multi-tenancy documentation.
