Authentication is opt-in. When no users are configured, the dashboard is open with no login page. When at least one user is configured (via any method below), all UI routes redirect to /login. After signing in, a signed session cookie (claudeye_session) grants access for 24 hours. A Sign out button appears in the navbar.

Enable via CLI flag

# Single user
claudeye --auth-user admin:secret

# Multiple users (repeat the flag)
claudeye --auth-user admin:secret --auth-user viewer:readonly

Enable via environment variable

Provide a comma-separated list of user:password pairs:

CLAUDEYE_AUTH_USERS=admin:secret claudeye

# Multiple users
CLAUDEYE_AUTH_USERS=admin:secret,viewer:readonly claudeye

Enable via the programmatic API

import { createApp } from 'claudeye';

const app = createApp();

app.auth({
  users: [
    { username: 'admin', password: 'secret' },
    { username: 'viewer', password: 'readonly' },
  ],
});

app.listen();

app.auth() is chainable:

app
  .auth({ users: [{ username: 'admin', password: 'secret' }] })
  .eval('my-eval', fn)
  .listen();

Combining sources

Users from CLI flags, the environment variable, and app.auth() are merged. You can configure different users in each source and they all become valid:

# ops:pass123 comes from the CLI flag
# admin:secret comes from the env var
# dev:devpass comes from app.auth() in my-evals.js
CLAUDEYE_AUTH_USERS=admin:secret claudeye --evals ./my-evals.js --auth-user ops:pass123

All three users (ops, admin, dev) would be valid.

How session cookies work

  • Login sets a cookie (claudeye_session) signed with HMAC-SHA256, with a 24-hour expiry
  • All UI routes check the cookie and redirect to /login if it’s absent or invalid
  • If no users are configured, auth is completely disabled - no login page, no blocking
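
To make the signed-cookie behaviour above concrete, here is an added example of issuing and checking an HMAC-SHA256 session token with a 24-hour expiry. It is not Claudeye's own code: the token layout (payload.tag), the function names and the way the secret is passed in are assumptions for illustration; only the cookie name and lifetime come from this page.

```javascript
// Added example, not Claudeye's implementation. Token layout, function names
// and secret handling are assumptions; the secret should be a random server-side key.
const crypto = require('node:crypto');

const COOKIE_NAME = 'claudeye_session';  // cookie name from the docs above
const MAX_AGE_MS = 24 * 60 * 60 * 1000;  // 24-hour expiry from the docs above

const b64url = (s) => Buffer.from(s).toString('base64url');
const mac = (secret, data) =>
  crypto.createHmac('sha256', secret).update(data).digest();

// Assumed layout: base64url(JSON payload) + "." + base64url(HMAC-SHA256 tag)
function signSession(username, secret, now = Date.now()) {
  const payload = b64url(JSON.stringify({ u: username, exp: now + MAX_AGE_MS }));
  return `${payload}.${mac(secret, payload).toString('base64url')}`;
}

// Returns the username for a valid, unexpired token; otherwise null.
function verifySession(token, secret, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payload, tag] = parts;
  const expected = mac(secret, payload);
  const given = Buffer.from(tag, 'base64url');
  // Compare in constant time; check length first because timingSafeEqual throws on a mismatch.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  // Parse only after the tag verifies, so unauthenticated bytes never reach JSON.parse.
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!claims || typeof claims.exp !== 'number' || now >= claims.exp) return null;
  return typeof claims.u === 'string' ? claims.u : null;
}

// Set-Cookie header value for the session cookie.
// Add "; Secure" when the dashboard is served over HTTPS.
function sessionCookie(token) {
  return `${COOKIE_NAME}=${token}; Max-Age=${MAX_AGE_MS / 1000}; Path=/; HttpOnly; SameSite=Lax`;
}
```

The expiry sits inside the signed payload, so a client that edits the cookie's Max-Age or the exp field cannot extend its own session without invalidating the tag.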