diff --git a/README.md b/README.md index 338db56..057335a 100644 --- a/README.md +++ b/README.md @@ -334,7 +334,7 @@ Enable in config: `metrics.enabled: true`. Scrape at `GET /metrics`. Human-reada `GET /dashboard` renders a live HTML view of all metrics. Counters show request counts with status-code badges, histograms show p50/p95/p99 latencies, gauges show current endpoint priority and inflight counts. -Auth follows the same rules as `/metrics`: server `api_keys` apply, and `metrics.api_key` adds a second layer if set. +Auth: if `metrics.api_key` is set, both `/metrics` and `/dashboard` require that key (Bearer token) and ignore server-level `api_keys`. If `metrics.api_key` is blank, both routes are fully public — no auth headers are checked. --- diff --git a/pkg/server/server.go b/pkg/server/server.go index 079f3a4..4269e03 100644 --- a/pkg/server/server.go +++ b/pkg/server/server.go @@ -60,8 +60,9 @@ func New( authed.POST("/map/:mapping/v1/embeddings", h.openAIEmbeddingsMapped) authed.POST("/map/:mapping/v1/models/*modelaction", h.googleDispatchMapped) - // Metrics — only when enabled; registered in the authed group so server - // auth (if configured) applies. Metrics may additionally enforce its own key. + // Metrics — only when enabled. + // If metrics.api_key is set, routes are guarded by that key (on the authed group). + // If metrics.api_key is blank, routes are public — no auth headers checked at all. if cfg.Metrics.Enabled { metricsHandler := promhttp.HandlerFor(reg.Prometheus(), promhttp.HandlerOpts{}) path := cfg.Metrics.Path 
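Review bot: The rewritten comment above `if cfg.Metrics.Enabled {` says the keyed routes are guarded by `metrics.api_key` "on the authed group", while the README text in this same commit says they ignore server-level `api_keys`. Both cannot hold if the authed group still runs the server key check, as the removed comment stated. The keyed branch in the following hunk still registers with `authed.GET`, so unless the group's middleware exempts these paths somewhere outside the visible lines, a scraper holding only the metrics key would presumably be rejected or need both credentials. Either move the keyed routes to `router` with the same wrappers, or make the comment state what actually happens, e.g. `// With metrics.api_key set the routes stay on the authed group, so server api_keys (if configured) are checked as well.` The body of `New` starts and ends outside this hunk.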
@@ -73,11 +74,11 @@ func New(
 authed.GET(path, metricsAuthHandler(cfg.Metrics.APIKey, metricsHandler))
 authed.GET("/dashboard", metricsKeyMiddleware(cfg.Metrics.APIKey, dash))
 } else {
- authed.GET(path, func(w http.ResponseWriter, req bunrouter.Request) error {
+ router.GET(path, func(w http.ResponseWriter, req bunrouter.Request) error {
 metricsHandler.ServeHTTP(w, req.Request)
 return nil
 })
- authed.GET("/dashboard", dash)
+ router.GET("/dashboard", dash)
 }
 }
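Review bot: The `else` branch now fails open: with `metrics.api_key` blank, `router.GET(path, ...)` and `router.GET("/dashboard", dash)` serve the metrics and the dashboard with no authentication, even on a deployment that has server `api_keys` configured. Before this change the `authed.GET` registration kept them behind the server key, so an operator who enables metrics without also setting the second key silently loses that protection. Consider keeping the routes on `authed` unless the configuration opts in to public exposure explicitly, or at least log a startup warning in this branch. The branch should also carry a comment such as `// SECURITY: metrics.api_key is empty, so /metrics and /dashboard are served unauthenticated; set a key or expose them only on a trusted interface.` The body of `New` continues outside this hunk.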