What it does
When USE_USER_AUTH=true:
- The UI shows a login screen before any tab is reachable.
- Sensitive Configuration sub-tabs (Secrets, API-Keys) are gated to admin users. The AI Providers and Environment sub-tabs remain visible to all roles. The Users and API-Keys sub-tabs appear based on the active flags (see the matrix for full visibility rules).
- A new Users sub-tab appears under Configuration for adding, removing, and changing roles (admin-only by virtue of being inside Configuration).
- Sessions are server-side, with a TTL index cleaning them up automatically.
Enabling it
- Add the flag to your .env:
- Recreate the Datris container:
- Open the UI. You’ll see the login screen.
- Log in as the seed account:
  On first login Datris prompts you to set a password (minimum 5 characters). After that, admin is your administrator account.

The default admin row is seeded on every startup (idempotent — only when the user table is empty), regardless of whether USE_USER_AUTH is on. That means flipping the flag on later “just works” — there’s no separate provisioning step.
Roles
| Role | Can read pipelines / data | Can edit pipelines / taps / secrets | Can manage users + Configuration |
|---|---|---|---|
| admin | ✓ | ✓ | ✓ |
| editor | ✓ | ✓ | |
| viewer | ✓ | | |
Adding users
As an admin: Configuration → Users → Add user. Fill in username + role; the new user has no password until they log in for the first time. Send them their username and tell them to leave the password field blank on first login — they’ll be prompted to set one. You can change a user’s role or delete them from the same screen. Datris won’t let you remove the last admin — there’s an adminCount guard on delete and role-change.
Changing your own password
Click your username in the top-right → Change password. Enter your current password and the new one (min 5 chars). If you’ve forgotten your password and there’s another admin: have them delete and re-add your user; the new row will prompt you for a fresh password on next login. If you’re the only admin and you’ve lost the password, you’ll need to clear your user row directly in MongoDB (the user table lives in the platform’s internal database, default oss). After deletion, restart Datris — the seed will recreate admin with a null password and you can set a new one through the UI.
Reverting
Set USE_USER_AUTH=false (or remove the line) and recreate the Datris container. The login screen disappears; the Configuration tab is unrestricted again. User rows persist in the database — they just aren’t checked. Flipping back on later returns you to the same set of users with the same passwords.
Production checklist
- Run Datris behind HTTPS before turning auth on. Sessions are cookie-based; without TLS, the login is exposed in transit.
- Review your CORS allow-list (cors.allowedOrigins in application.yaml) — the default "*" is for local dev only.
- Pair this with USE_API_KEYS=true for any shared install — user auth gates the UI, API-key gating handles programmatic clients (CLI, MCP, external scripts). API keys are meant to be used alongside user auth: enable the two together. Turning on USE_API_KEYS=true without USE_USER_AUTH=true leaves the browser with no coherent auth mechanism — see supported configurations; the two are designed to compose.
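A pre-flight check for the checklist above, as an added example (not Datris code). It assumes the flags are set as KEY=VALUE lines in .env, that application.yaml carries a plain `allowedOrigins:` line, and that you pass in the URL users reach the UI at; the function names and finding codes are hypothetical.

```python
import re

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def cors_wildcard(yaml_text):
    """True if allowedOrigins holds a bare "*", False if not, None if the key is absent.
    Assumed layout: an `allowedOrigins:` line with an inline value or a `- item` list."""
    lines = [re.sub(r"\s+#.*$", "", l) for l in yaml_text.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r"\s*allowedOrigins\s*:(.*)", line)
        if m:
            values = [m.group(1)]
            for nxt in lines[i + 1:]:
                if not nxt.strip().startswith("-"):
                    break
                values.append(nxt.strip()[1:])
            return "*" in re.findall(r"[^\s,\[\]\"']+", " ".join(values))
    return None

def check(env_text, yaml_text, public_url):
    """Return finding codes for the checklist items; an empty list means none apply."""
    env = parse_env(env_text)
    def on(key):
        return env.get(key, "").lower() == "true"
    findings = []
    if on("USE_USER_AUTH") and not public_url.lower().startswith("https://"):
        findings.append("auth-without-https")          # cookie sessions need TLS
    if on("USE_API_KEYS") and not on("USE_USER_AUTH"):
        findings.append("api-keys-without-user-auth")  # browser has no coherent auth
    if on("USE_USER_AUTH") and not on("USE_API_KEYS"):
        findings.append("user-auth-without-api-keys")  # matters on shared installs
    if cors_wildcard(yaml_text) is not False:
        findings.append("cors-wildcard-or-unset")      # "*" is the local-dev default
    return findings

# Constructed sample inputs, not taken from a real install.
SAMPLE_ENV = "# datris\nUSE_USER_AUTH=true\n"
SAMPLE_YAML = 'cors:\n  allowedOrigins: "*"   # default\n'

if __name__ == "__main__":
    for finding in check(SAMPLE_ENV, SAMPLE_YAML, "http://datris.example:8080"):
        print("FAIL", finding)
```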
Related
- API Keys — the paired flag. Required for any deployment where the UI or CLI talks to a real install.
- Configuring Claude — connecting AI agents via MCP. MCP clients use the API-key path, not user auth.
- Configuration Reference — the underlying useUserAuth, useApiKeys, and multiTenant keys in application.yaml.
