Authentication
- Built-In Auth
- Keycloak
- Header Authentication
- OIDC Auth
- Zero-Trust Tunnels
- Alternative Authentication Methods
It is your responsibility to properly secure your Dashy instance. Never expose your Dashy instance to the public internet or untrusted users without sufficient authentication and authorization in place.
Built-In Authβ
Dashy includes a built-in username/password login, with optional server-side HTTP Basic Auth. This is the easiest way to get a login page, without needing to spin up any other services. The full guide, covering password hashing, env-var passwords, guest access, user roles, visibility controls and security notes, is in the Built-In Auth guide.
To enable, simply add an array of users under appConfig.auth.users, each with a username (user) and a SHA256 hash of their password (hash).
appConfig:
disableConfigurationForNonAdmin: true
auth:
users:
- user: alicia
hash: 5994471ABB01112AFCC18159F6CC74B4F511B99806DA59B3CAF5A9C173CACFC5
type: admin
Optionally set this env var to enforce this on the server-side too
ENABLE_HTTP_AUTH=true
Keycloakβ
Dashy supports Keycloak (v17+) as an authentication provider. See the Keycloak guide for the full deploy and configuration walkthrough.
appConfig:
disableConfigurationForNonAdmin: true
auth:
enableKeycloak: true
keycloak:
serverUrl: http://localhost:9100
realm: dashy
clientId: dashy
adminRole: dashy-admin
Header Authenticationβ
Dashy can defer authentication to a reverse proxy that injects the user's identity in a request header. See the Header Authentication guide.
appConfig:
auth:
enableHeaderAuth: true
users:
- user: alice
hash: 0a7b1d4c2e...
type: admin
headerAuth:
userHeader: Remote-User
proxyWhitelist:
- 172.18.0.2
OIDCβ
Dashy has full support for OIDC based auth, with scoped permissions. See either the generic OIDC docs, or our provider-specific guides:
appConfig:
disableConfigurationForNonAdmin: true # Hide the config editor from non-admins (recommended)
enableGuestAccess: false # Optional: view the dashboard read-only without signing in
enableServiceWorker: true # Optional: enables the PWA and offline support
enableAuthProxyCompat: true # Recover the PWA after a session expires (needs the service worker)
auth:
enableOidc: true # Turn OIDC on
oidc:
clientId: dashy # Client ID from your provider
endpoint: https://auth.example.com/application/o/dashy/ # The issuer URL, not the .well-known one
scope: openid profile email groups # Scopes to request (groups for adminGroup, roles for adminRole)
adminGroup: dashy-admins # Members of this group are admins
adminRole: dashy-admin # Or grant admin by role instead
enableSilentRenew: true # Refresh the session in the background before it expires
Zero-Trust Tunnelsβ
Dashy works well with third-party tunnel based auth, allowing you to access your dashboard remotely.
Alternative Authentication Methodsβ
These are alternatives to Dashy's built-in auth, Keycloak, and OIDC. Most of them sit in front of Dashy at the network or reverse proxy level, which is generally the better approach for anything internet-facing.
- Reverse Proxy Auth - Authelia, Authentik, or similar sitting in front of Dashy
- VPN - Keep Dashy off the internet entirely
- IP-Based Access - Restrict by source IP in your web server
- Web Server Authentication - HTTP basic auth at the proxy level
- Client Certificates (mTLS) - Require a client TLS certificate to connect
- SSO / OAuth Providers - Cloud-hosted identity providers
- Cloud Hosting Providers - Built-in auth on hosting platforms
Comparison of Auth Optionsβ
| Method | Type | Description | Complexity | Security | Best for |
|---|---|---|---|---|---|
| No Auth | Built-in | This is the default state Dashy ships with | π’ Easy | π΄ Weak | Internal usage |
| Built-In Auth | Built-in | Username/password list in your config, optionally enforced server-side | π’ Easy | π Medium | A quick login screen on a trusted LAN |
| Header Auth | Built-in | Trusts a username header from a proxy that already did the login | π Medium | π Medium | Reusing an existing proxy or forward-auth session |
| OIDC (generic) | OIDC | Any OpenID Connect provider, with server-side token checks and admin roles | π Medium | π’ Strong | Standards-based SSO with any IdP |
| Authentik | OIDC | Self-hosted IdP with a full admin UI, MFA and group policies | π Medium | π’ Strong | One login across many self-hosted apps |
| Authelia | OIDC | Lightweight self-hosted IdP, configured from a single YAML file | π Medium | π’ Strong | Self-hosters who prefer file-based config |
| Keycloak | OIDC | Heavyweight enterprise IdP with realms, roles and social login | π΄ Hard | π’ Strong | Larger or enterprise deployments |
| Pocket ID | OIDC | Minimal passkey-only IdP, a single Go binary | π Medium | π’ Strong | Passwordless homelab SSO |
| Zitadel | OIDC | Go/Postgres IdP with project roles (needs an Action to map groups) | π΄ Hard | π’ Strong | Role-based access across projects |
| Cloudflare Tunnel | Tunnel | Outbound tunnel to Cloudflare's edge, paired with Access for login | π Medium | π’ Strong | Public access with no open ports |
| Tailscale / Headscale | Tunnel | Private WireGuard mesh, with optional Funnel for public access | π’ Easy | π’ Strong | Private remote access between your devices |
| Reverse Proxy Auth | Proxy | An auth server (Authelia, Authentik, OAuth2 Proxy) in front via forward-auth | π Medium | π’ Strong | Protecting many apps behind one proxy |
| Web Server Auth | Proxy | HTTP basic auth handled by your reverse proxy | π’ Easy | π Medium | A fast password prompt over HTTPS |
| Client Certificates (mTLS) | Proxy | Require a client TLS certificate to connect, enforced at the proxy | π΄ Hard | π’ Strong | A small fixed set of trusted devices |
| IP-Based Access | Network | Allow only certain source IPs at the web server | π’ Easy | π Medium | An extra layer on a static IP or VPN |
| VPN | Network | Keep Dashy off the internet, reach it over WireGuard, Tailscale or OpenVPN | π Medium | π’ Strong | Private access with zero public exposure |
| SSO / OAuth Providers | OIDC | Cloud IdPs (Auth0, Okta, Google) wired in through Dashy's OIDC | π Medium | π’ Strong | Offloading identity to a managed provider |
| Cloud Hosting Providers | Platform | Platform-level auth (Cloudflare Access, Netlify, Vercel) outside Dashy | π’ Easy | π’ Strong | Dashboards hosted on a cloud platform |