06 · ENGINE

Auth & TLS

Two toggles: API-key auth and TLS. They are configured in the [auth] and [tls] tables of the TOML config.

API-key auth

Every request is required to carry Authorization: Bearer <key> when [auth] enabled = true. An admin key is auto-generated on first run if admin_api_key is blank, and written to a .api-key file next to the config.

$ cat /etc/xerj/.api-key
xk_7g8Hb3m2P4qRsT1vW9xY0zC5dE6fG7hJ

$ curl -H "Authorization: Bearer xk_7g8H..." \
    http://localhost:8080/v1/indices/logs/search -d @q.json

TLS

Terminate TLS at the server. PEM cert and key paths are required when enabled.

[tls]
enabled   = true
cert_path = "/etc/xerj/certs/xerj.crt"
key_path  = "/etc/xerj/certs/xerj.key"

Key rotation

Replace the file, then reload the service:

$ sudo systemctl reload xerj

Network

Use bind_address to restrict the listener to a private interface. Never bind 0.0.0.0 without TLS and auth on in production. The --insecure flag is dev-only and refuses to run with a non-loopback bind.

Source · engine/crates/common/src/config.rs · api/src/middleware/auth.rs