Authentication & Roles

Login model, session cookies, and admin authorization

CH-UI authenticates against ClickHouse credentials over the selected connection tunnel.

User picks a connection.
User provides ClickHouse username/password.
CH-UI verifies credentials through tunnel.
CH-UI issues chui_session cookie.

Session Endpoint

curl http://localhost:3488/api/auth/session \
  -H "Cookie: chui_session=..."

Response includes:

authenticated
user
user_role
active connection info
app version

Role Resolution

CH-UI supports app-level role overrides for users:

admin
analyst
viewer

Admin-only routes are guarded server-side (RequireAdmin).

Common statuses returned by /api/auth/login:

401 invalid credentials
429 IP/user rate limit
503 selected connection offline

Logout

curl -X POST http://localhost:3488/api/auth/logout \
  -H "Cookie: chui_session=..."

This deletes the server session and clears cookie state.

Security Notes

In production, cookie is Secure when app runs in production mode.
Set strong APP_SECRET_KEY.
Keep ALLOWED_ORIGINS strict to your UI origin(s).

CLI Reference

Complete command reference for the CH-UI binary

API Reference

CH-UI REST API reference

On this page

Login Flow Session Endpoint Role Resolution Login Failure Statuses Logout Security Notes