Authentication & Roles
Login model, session cookies, and admin authorization
CH-UI has two authentication models depending on how you run it.
Self-Hosted: ClickHouse Credentials
The self-hosted server authenticates against ClickHouse credentials over the selected connection tunnel.
Login Flow
- User picks a connection.
- User provides ClickHouse
username/password. - CH-UI verifies credentials through tunnel.
- CH-UI issues
chui_sessioncookie.
Cloud: Magic Link + ClickHouse Credentials
CH-UI Cloud uses a two-layer authentication model:
Console Authentication (Magic Link)
The Console at console.ch-ui.com uses passwordless email authentication:
- User enters their email address.
- A magic link is sent to their inbox (via Resend).
- Clicking the link sets a
console_sessioncookie (30-day expiry). - User is redirected to their organization.
No passwords are stored. Rate limits: 10 requests per IP, 3 per email per 15 minutes.
Workspace Authentication (ClickHouse Credentials)
Once inside an org workspace (your-org.ch-ui.com), users authenticate with ClickHouse credentials — identical to self-hosted:
- User picks a connection.
- User provides ClickHouse
username/password. - CH-UI verifies credentials through tunnel.
- CH-UI issues
chui_sessioncookie.
Session Endpoint
curl http://localhost:3488/api/auth/session \
-H "Cookie: chui_session=..."Response includes:
authenticateduseruser_role- active connection info
- app version
Role Resolution
CH-UI supports app-level role overrides for users:
adminanalystviewer
Admin-only routes are guarded server-side (RequireAdmin).
Login Failure Statuses
Common statuses returned by /api/auth/login:
401invalid credentials429IP/user rate limit503selected connection offline
Logout
curl -X POST http://localhost:3488/api/auth/logout \
-H "Cookie: chui_session=..."This deletes the server session and clears cookie state.
Security Notes
- In production, cookie is
Securewhen app runs in production mode. - Set strong
APP_SECRET_KEY. - Keep
ALLOWED_ORIGINSstrict to your UI origin(s).