docs(server): clarify metrics authentication behavior

README.md

@@ -334,7 +334,7 @@ Enable in config: `metrics.enabled: true`. Scrape at `GET /metrics`. Human-reada
 
 `GET /dashboard` renders a live HTML view of all metrics. Counters show request counts with status-code badges, histograms show p50/p95/p99 latencies, gauges show current endpoint priority and inflight counts.
 
-Auth follows the same rules as `/metrics`: server `api_keys` apply, and `metrics.api_key` adds a second layer if set.
+Auth: if `metrics.api_key` is set, both `/metrics` and `/dashboard` require that key (Bearer token) and ignore server-level `api_keys`. If `metrics.api_key` is blank, both routes are fully public — no auth headers are checked.
 
 ---
 

pkg/server/server.go

@@ -60,8 +60,9 @@ func New(
 	authed.POST("/map/:mapping/v1/embeddings", h.openAIEmbeddingsMapped)
 	authed.POST("/map/:mapping/v1/models/*modelaction", h.googleDispatchMapped)
 
-	// Metrics — only when enabled; registered in the authed group so server
+	// Metrics — only when enabled.
-	// auth (if configured) applies. Metrics may additionally enforce its own key.
+	// If metrics.api_key is set, routes are guarded by that key (on the authed group).
+	// If metrics.api_key is blank, routes are public — no auth headers checked at all.
 	if cfg.Metrics.Enabled {
 		metricsHandler := promhttp.HandlerFor(reg.Prometheus(), promhttp.HandlerOpts{})
 		path := cfg.Metrics.Path
@@ -73,11 +74,11 @@ func New(
 			authed.GET(path, metricsAuthHandler(cfg.Metrics.APIKey, metricsHandler))
 			authed.GET("/dashboard", metricsKeyMiddleware(cfg.Metrics.APIKey, dash))
 		} else {
-			authed.GET(path, func(w http.ResponseWriter, req bunrouter.Request) error {
+			router.GET(path, func(w http.ResponseWriter, req bunrouter.Request) error {
 				metricsHandler.ServeHTTP(w, req.Request)
 				return nil
 			})
-			authed.GET("/dashboard", dash)
+			router.GET("/dashboard", dash)
 		}
 	}