Authentication & Roles
Login model, session cookies, and admin authorization
CH-UI has two authentication models depending on how you run it.
Single Sign-On: CH-UI also supports OIDC SSO (Okta, Entra ID, Google, Keycloak, …) alongside password login. See Single Sign-On.
Self-Hosted: ClickHouse Credentials
The self-hosted server authenticates against ClickHouse credentials over the selected connection tunnel.
Login Flow
- User picks a connection.
- User provides ClickHouse
username/password. - CH-UI verifies credentials through tunnel.
- CH-UI issues
chui_sessioncookie.
Cloud: Magic Link + ClickHouse Credentials
CH-UI Cloud uses a two-layer authentication model:
Console Authentication (Magic Link)
The Console at console.ch-ui.com uses passwordless email authentication:
- User enters their email address.
- A magic link is sent to their inbox (via Resend).
- Clicking the link sets a
console_sessioncookie (30-day expiry). - User is redirected to their organization.
No passwords are stored. Rate limits: 10 requests per IP, 3 per email per 15 minutes.
Workspace Authentication (ClickHouse Credentials)
Once inside an org workspace (your-org.ch-ui.com), users authenticate with ClickHouse credentials — identical to self-hosted:
- User picks a connection.
- User provides ClickHouse
username/password. - CH-UI verifies credentials through tunnel.
- CH-UI issues
chui_sessioncookie.
Session Endpoint
curl http://localhost:3488/api/auth/session \
-H "Cookie: chui_session=..."Response includes:
authenticateduser(the person's email for SSO sessions, the ClickHouse user otherwise)user_rolevia_sso(whether the session was created through SSO)- active connection info
- app version
The /api/auth/config endpoint (unauthenticated) reports which login methods
are available so the login page can render the right options:
curl http://localhost:3488/api/auth/config
# { "password_login": true, "oidc_enabled": true, "oidc_login_url": "/api/auth/oidc/login" }Role Resolution
CH-UI supports app-level roles, overridable per user by an admin:
| Role | Admin panel & settings | Workspace objects (dashboards, pipelines, models, saved queries) | Run queries |
|---|---|---|---|
admin | ✓ | create / edit / delete | ✓ (per ClickHouse grants) |
analyst | — | create / edit / delete | ✓ (per ClickHouse grants) |
viewer | — | read-only | ✓ (per ClickHouse grants) |
Admin-only routes are guarded server-side (RequireAdmin); workspace writes are
guarded by RequireWriter (admin or analyst). Data access is always governed by
the user's own ClickHouse grants regardless of CH-UI role.
Login Failure Statuses
Common statuses returned by /api/auth/login:
401invalid credentials429IP/user rate limit503selected connection offline
Logout
curl -X POST http://localhost:3488/api/auth/logout \
-H "Cookie: chui_session=..."This deletes the server session and clears cookie state.
Audit
Both successful and failed logins are written to the immutable audit trail (with user, IP, and timestamp), so brute-force and credential-stuffing attempts are visible. Audit events can be forwarded to your SIEM — see Monitoring & SIEM.
Security Notes
- In production, cookie is
Securewhen app runs in production mode. - Set strong
APP_SECRET_KEY. - Keep
ALLOWED_ORIGINSstrict to your UI origin(s). - Terminate TLS natively or at a proxy — see Security.