06 · ENGINE
Auth & TLS
Two toggles: API-key auth and TLS. Both live under [auth] and [tls] in the TOML.
API-key auth
Every request is required to carry Authorization: Bearer <key> when [auth] enabled = true. An admin key is auto-generated on first run if admin_api_key is blank, and written to a .api-key file next to the config.
$ cat /etc/xerj/.api-key
xk_7g8Hb3m2P4qRsT1vW9xY0zC5dE6fG7hJ
$ curl -H "Authorization: Bearer xk_7g8H..." \
http://localhost:8080/v1/indices/logs/search -d @q.json
TLS
Terminate TLS at the server. PEM cert and key paths are required when enabled.
[tls] enabled = true cert_path = "/etc/xerj/certs/xerj.crt" key_path = "/etc/xerj/certs/xerj.key"
Key rotation
Replace the file, reload:
$ sudo systemctl reload xerj
Network
Use bind_address to restrict the listener to a private interface. Never bind 0.0.0.0 without TLS and auth on in production. The --insecure flag is dev-only and refuses to run with a non-loopback bind.
Source · engine/crates/common/src/config.rs · api/src/middleware/auth.rs
◀ PREVMetrics
NEXT ▶Running in production