
Authentication Configuration

This guide explains how to configure both user and agent authentication in zymtrace.

Authentication protects profiling data and restricts access to authorized users.

Quick Start

Use this minimal auth section in your custom-values.yaml to enable local authentication. All other fields will fall back to the defaults defined in values.yaml.

Artifact Hub: zymtrace backend

Helm Chart Source

The Helm chart source code is available on GitHub: zystem-io/zymtrace-charts

custom-values.yaml
auth:
  # Enable built-in local authentication
  type: "local"

  # Admin user for first login
  admin:
    email: admin@example.com
    password: "your-secure-password"
    roles:
      - "System Admin"

  # Optional: enable service tokens for agents/CLI
  serviceToken:
    enabled: true

Refer to the local authentication guide to create a pair of keys when deploying to production.

Authentication Methods

zymtrace supports several authentication methods:

| Auth Type | Description | Use Case |
|-----------|-------------|----------|
| none | No authentication required | Development, testing, trusted networks |
| local | Built-in authentication with username/password | Self-hosted deployments, on-premises |
| oidc | OpenID Connect integration | Enterprise SSO, Google, Okta, Azure AD |
| basic | HTTP Basic authentication | Simple API access, service-to-service |

Production Recommendation

For production environments, we recommend using oidc for enterprise SSO integration or local for built-in authentication. Always use HTTPS/TLS when authentication is enabled.

Common Configuration

Admin User Configuration

Regardless of authentication type, an admin user is created automatically and has full access.

auth:
  admin:
    email: admin@example.com
    password: admin
    roles:
      - "System Admin"

Security

Change default admin credentials immediately after deployment.

Service Token Configuration

Service tokens enable programmatic access for agents, CLI tools, and automation.

auth:
  serviceToken:
    enabled: true # Enable service token generation and authentication

When to Enable

Enable when:

  • Using CI/CD pipelines
  • Running agents outside trusted networks
  • Building custom API integrations
Security

Running the agent with -disable-tls sends the service token over an unencrypted connection, exposing it to anyone who can observe the traffic.
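
A pre-deployment check for the settings covered above (Quick Start, Admin User Configuration and Service Token Configuration). This is an added example, not part of the zymtrace chart or documentation. The names `audit_auth` and `load_values` are hypothetical, and the check assumes an omitted admin password falls back to the `admin` value shown under Admin User Configuration.

```python
"""Pre-deployment lint for the auth section of a zymtrace custom-values.yaml (added example)."""

# Passwords that appear verbatim on this page and must never reach a cluster.
PLACEHOLDER_PASSWORDS = {"admin", "your-secure-password"}


def audit_auth(values, agent_args=()):
    """Return a list of findings for parsed Helm values and optional agent arguments."""
    auth = values.get("auth") or {}
    findings = []

    auth_type = auth.get("type")
    if auth_type is None:
        findings.append("auth.type is not set: the chart default from values.yaml applies")
    elif auth_type == "none":
        findings.append("auth.type is 'none': profiling data is readable without login")
    elif auth_type not in {"local", "oidc", "basic"}:
        findings.append(f"auth.type {auth_type!r} is not a documented auth type")

    # Assumption: an omitted password falls back to the 'admin' default shown on the page.
    password = (auth.get("admin") or {}).get("password", "admin")
    if str(password) in PLACEHOLDER_PASSWORDS:
        findings.append("auth.admin.password is a documented default or placeholder")

    # The agent sends its service token on every connection, so TLS must stay on.
    token_enabled = bool((auth.get("serviceToken") or {}).get("enabled"))
    if token_enabled and "-disable-tls" in agent_args:
        findings.append("serviceToken is enabled but the agent runs with -disable-tls")
    return findings


def load_values(path):
    """Parse a values file; needs PyYAML (third-party), imported lazily."""
    import yaml
    with open(path, encoding="utf-8") as handle:
        return yaml.safe_load(handle) or {}


if __name__ == "__main__":
    import sys
    problems = audit_auth(load_values(sys.argv[1]), agent_args=sys.argv[2:])
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

Run it in CI against the values file, passing the agent's arguments after the path; a non-zero exit status means at least one finding.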