Authentication
Enable authentication, manage sessions and API tokens, and secure your reverse proxy.
Overview
Insights Plus supports optional built-in authentication with session cookies and API tokens. When enabled, all UI and API access requires a valid session or bearer token. Authentication is disabled by default for easy initial setup.
When enabled, authentication requires HTTPS— the login and setup endpoints reject requests over plain HTTP to protect credentials in transit.
Quick Start
- Configure your reverse proxy with HTTPS and the
X-ULI-Proxy-Authheader (see Reverse Proxy Setup below). This header is required for the app to trust forwarded protocol headers. - Set
AUTH_ENABLED=truein your.envordocker-compose.ymlenvironment block. - Restart the container:
docker compose up -d --force-recreate - Find your proxy auth token in the container logs:
docker logs unifi-log-insight 2>&1 | grep "Proxy auth token" - Add the token to your reverse proxy configuration as the
X-ULI-Proxy-Authheader value (see examples below). - Open the web UI over HTTPS. Go to Settings → Security and create the first admin account (username + password, minimum 8 characters).
- Authentication is now active. All subsequent visits require login.
Environment Variables
| Variable | Description |
|---|---|
AUTH_ENABLED | Set to true to enable built-in authentication. Requires HTTPS. Default: false |
SECRET_KEY | Optional secret used to derive the proxy auth token. Falls back to POSTGRES_PASSWORD or DB_PASSWORD if not set. Change this only if you need a separate secret from your database password |
Session Management
Login creates a server-side session stored in the database. A session cookie (uli_session, HttpOnly, Secure, SameSite=Lax) is set in the browser.
- Session duration is configurable in Settings → Security → Session Duration (1 hour to 30 days). Changes apply to new sessions only.
- Expired sessions are automatically cleaned up by the daily maintenance task.
- Logging out invalidates the session immediately on the server.
API Tokens
API tokens provide programmatic access for integrations like the MCP AI Agent or the browser extension. Tokens are created in Settings → API.
- Tokens are shown only once at creation. Copy and store securely.
- Each token has a name, a client type, and a set of scopes that limit which API operations it can perform. Tokens do not expire — revoke or disable them when no longer needed.
- Effective scopes = intersection of token scopes and owner's role permissions. A token can never exceed its owner's access level.
- To rotate a token, delete the old one and create a new one with the same scopes.
Audit Logging
When enabled, all MCP API calls are logged to an audit trail visible in Settings → MCP → Audit Log. Each entry records the token used, tool called, parameters (sensitive values redacted), success/failure, and timestamp.
Audit retention defaults to 10 days and is configurable via mcp_audit_retention_days in Settings.
Reverse Proxy Setup
Authentication requires HTTPS. Place Insights Plus behind a reverse proxy that terminates TLS. The proxy must send two headers so the app can verify the connection is secure:
X-Forwarded-Proto— tells the app whether the client connected over HTTP or HTTPS.X-ULI-Proxy-Auth— a shared secret that proves the request came through your trusted proxy, not from an attacker spoofing headers.
How It Works
Insights Plus derives a deterministic auth token from your SECRET_KEY, POSTGRES_PASSWORD, or DB_PASSWORD (first non-empty wins). The app only trusts X-Forwarded-Proto when the request carries a matching X-ULI-Proxy-Auth header. Without this header, the app cannot verify HTTPS and authentication will not work.
This approach eliminates the need for IP-based proxy trust (TRUSTED_PROXIES), which is fragile in Docker environments where bridge gateway IPs are indistinguishable from external traffic.
Finding Your Token
The token is logged at container startup:
docker logs unifi-log-insight 2>&1 | grep "Proxy auth token"Once authenticated as an admin, you can also retrieve it from Settings → Security → Proxy Token.
Important
The X-ULI-Proxy-Auth header must be set insidethe location/route block of your proxy config, not at the server level. Some proxy managers (e.g. Nginx Proxy Manager) have separate “Advanced” and “Custom Locations” tabs — the header must go in the location block to take effect.
Proxy Configuration Examples
Replace YOUR_TOKEN_HERE with the token from your container logs.
nginx
location / {
proxy_pass http://<your-host>:8090;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-ULI-Proxy-Auth "YOUR_TOKEN_HERE";
}$scheme is set by nginx itself and cannot be spoofed by clients. Use $remote_addr (not $proxy_add_x_forwarded_for) so the app receives the real client IP, not an attacker-supplied chain.
Nginx Proxy Manager
In Nginx Proxy Manager, use Custom Locations (not the Advanced tab). Add a / location with this in the custom config:
proxy_set_header X-ULI-Proxy-Auth "YOUR_TOKEN_HERE";NPM already sets X-Forwarded-Proto, X-Forwarded-For, and Host automatically in its proxy.conf include. Do notput the header in the Advanced tab — nginx silently drops server-level proxy_set_header directives when a location block has its own.
Caddy
your-domain.com {
reverse_proxy <your-host>:8090 {
header_up X-ULI-Proxy-Auth "YOUR_TOKEN_HERE"
}
}Caddy automatically sets X-Forwarded-Proto, X-Forwarded-For, and Host, overwriting any client-supplied values. header_up adds the auth header to upstream requests and overwrites any client-supplied value of the same name.
Traefik
labels:
- "traefik.http.routers.uli.rule=Host(`insights.example.com`)"
- "traefik.http.routers.uli.entrypoints=websecure"
- "traefik.http.routers.uli.tls=true"
- "traefik.http.middlewares.uli-proxy-auth.headers.customrequestheaders.X-ULI-Proxy-Auth=YOUR_TOKEN_HERE"
- "traefik.http.routers.uli.middlewares=uli-proxy-auth"
- "traefik.http.services.uli.loadbalancer.server.port=8090"Traefik sets X-Forwarded-Proto automatically when TLS terminates at the entrypoint. The customrequestheaders middleware overwrites any client-supplied header of the same name. Ensure forwardedHeaders.insecure is not enabled unless you trust all upstream sources.