Learn about the Prefect settings that add security to your self-hosted server.
- `server.api.auth_string="admin:pass"`: set this to an administrator / password combination, separated by a colon, on any process that hosts the Prefect webserver (for example `prefect server start`).
- `api.auth_string="admin:pass"`: set this to the same administrator / password combination as the server on any client process that needs to communicate with the Prefect API (for example, any process that runs a workflow).

With these settings in place, the UI will prompt for the configured administrator / password combination, entered as `admin:pass` (no quotes), upon first load. `admin:pass` is only a placeholder; choose a strong password, and store the value in a secure way, such as a Kubernetes Secret or in a private `.env` file.
If both `PREFECT_API_KEY` and `PREFECT_API_AUTH_STRING` are set on the client, `PREFECT_API_KEY` will take precedence. If you plan to use a self-hosted Prefect server, make sure `PREFECT_API_KEY` is not set in your active profile or as an environment variable, otherwise authentication will fail (HTTP `401 Unauthorized`). The same settings can be supplied as environment variables from a private `.env` file.
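As an added illustration (not Prefect's own code), the following Python models the client-side precedence rule just described, together with a preflight check for the `401 Unauthorized` pitfall. It assumes that an API key is sent as a `Bearer` token and an auth string as an HTTP Basic credential; the function names and the `.env` content are constructed for the example.

```python
"""Model of how a client picks credentials from PREFECT_API_KEY and
PREFECT_API_AUTH_STRING (added example, not Prefect's own code).

Assumptions: an API key travels as `Authorization: Bearer ...` and an
auth string as `Authorization: Basic base64(user:pass)`; the `.env` text
below is constructed for the example.
"""
import base64
from typing import Dict, List, Mapping, Optional

# Constructed sample .env file for a client that talks to a self-hosted server.
SAMPLE_ENV_FILE = """
# client settings for a self-hosted Prefect server
PREFECT_API_URL="https://prefect-server.example.com/api"
PREFECT_API_AUTH_STRING="admin:pass"
"""


def parse_env_file(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser: skips blanks/comments, strips one layer of quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def basic_header(auth_string: str) -> str:
    """Encode 'user:pass' as an HTTP Basic Authorization value (assumed scheme)."""
    if ":" not in auth_string:
        raise ValueError("auth string must be 'user:password'")
    token = base64.b64encode(auth_string.encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def resolve_authorization(env: Mapping[str, str]) -> Optional[str]:
    """Return the Authorization value the client would send, or None.

    Mirrors the documented precedence: PREFECT_API_KEY wins over
    PREFECT_API_AUTH_STRING whenever both are present.
    """
    api_key = env.get("PREFECT_API_KEY")
    if api_key:
        return f"Bearer {api_key}"  # assumed format for API keys
    auth_string = env.get("PREFECT_API_AUTH_STRING")
    if auth_string:
        return basic_header(auth_string)
    return None


def self_hosted_preflight(env: Mapping[str, str], server_auth_string: str) -> List[str]:
    """List client misconfigurations that would yield 401 Unauthorized from a
    self-hosted server whose server.api.auth_string is `server_auth_string`."""
    problems: List[str] = []
    if env.get("PREFECT_API_KEY"):
        problems.append(
            "PREFECT_API_KEY is set and takes precedence over PREFECT_API_AUTH_STRING; "
            "unset it in the active profile and environment"
        )
    client_string = env.get("PREFECT_API_AUTH_STRING")
    if not client_string:
        problems.append("PREFECT_API_AUTH_STRING is not set on the client")
    elif client_string != server_auth_string:
        problems.append("client auth string does not match the server's")
    return problems


if __name__ == "__main__":
    env = parse_env_file(SAMPLE_ENV_FILE)
    print(resolve_authorization(env))                # Basic YWRtaW46cGFzcw==
    print(self_hosted_preflight(env, "admin:pass"))  # []
    # A leftover API key silently wins and the self-hosted server answers 401:
    env["PREFECT_API_KEY"] = "leftover-cloud-key"
    print(resolve_authorization(env))                # Bearer leftover-cloud-key
    print(self_hosted_preflight(env, "admin:pass"))
```

Run `self_hosted_preflight` against the environment of every worker and flow-run process before pointing it at a protected server; the leftover-key case is the one that produces a 401 even though the auth string is correct.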
When the UI is served through a reverse proxy, the `ui.api_url` setting should be set to the external proxy URL, since that is the address the UI (running in the browser) uses to reach the API. For example, if your external URL is `https://prefect-server.example.com`, then you can set `ui.api_url` in a `prefect.toml` file for your server so that it points at the API under that external URL. If you do not set `ui.api_url`, then `api.url` will be used as a fallback.
- `server.api.csrf_protection_enabled`: activates CSRF protection on the server, requiring valid CSRF tokens for applicable (state-changing) requests. Recommended for production to prevent CSRF attacks. Defaults to `False`.
- `server.api.csrf_token_expiration`: sets the expiration duration for server-issued CSRF tokens, which determines how often clients must refresh them. The default is 1 hour.
- `client.csrf_support_enabled`: enables or disables CSRF token handling in the Prefect client. When enabled, the client manages CSRF tokens for state-changing API requests. Defaults to `True`.

Enable server-side protection only for clients that keep `client.csrf_support_enabled` on: a client that does not send tokens cannot complete state-changing requests against a protected server.
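The following is an added, simplified model of the mechanism these three settings control; it is not Prefect's implementation. A server issues a token bound to a client identifier and to an expiry derived from a configurable duration (3600 seconds, matching the 1 hour default above), and state-changing requests must carry both the token and the client identifier in the `Prefect-Csrf-Token` and `Prefect-Csrf-Client` headers named on this page. The HMAC-based token format, the class names and the use of 403 for rejected requests are assumptions made for the example.

```python
"""Simplified model of server-issued CSRF tokens with an expiration window
(added example, not Prefect's implementation).

Header names follow the page; the token format (expiry + HMAC over the
client id and expiry) and the status codes are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_HEADER = "Prefect-Csrf-Token"
CLIENT_HEADER = "Prefect-Csrf-Client"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only: no token required


class CsrfServer:
    """Server side: issues and validates tokens (csrf_protection_enabled,
    csrf_token_expiration)."""

    def __init__(self, secret: bytes, expiration_seconds: int = 3600,
                 protection_enabled: bool = True) -> None:
        self._secret = secret
        self.expiration_seconds = expiration_seconds
        self.protection_enabled = protection_enabled

    def _sign(self, client_id: str, expires_at: int) -> str:
        msg = f"{client_id}:{expires_at}".encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, client_id: str, now: Optional[float] = None) -> str:
        """Token = '<expiry unix time>.<hmac(client_id, expiry)>'."""
        now = time.time() if now is None else now
        expires_at = int(now) + self.expiration_seconds
        return f"{expires_at}.{self._sign(client_id, expires_at)}"

    def check_request(self, method: str, headers: Dict[str, str],
                      now: Optional[float] = None) -> int:
        """Return the status the server would answer: 200 accepted, 403 rejected."""
        if not self.protection_enabled or method.upper() in SAFE_METHODS:
            return 200
        token = headers.get(TOKEN_HEADER)
        client_id = headers.get(CLIENT_HEADER)
        if not token or not client_id:
            return 403  # state-changing request without CSRF headers
        try:
            expiry_text, signature = token.split(".", 1)
            expires_at = int(expiry_text)
        except ValueError:
            return 403  # malformed token
        now = time.time() if now is None else now
        if now >= expires_at:
            return 403  # expired: the client has to fetch a fresh token
        if not hmac.compare_digest(signature, self._sign(client_id, expires_at)):
            return 403  # issued for another client, or tampered with
        return 200


class CsrfClient:
    """Client side: attaches headers to state-changing requests and refreshes
    the token once it expires (client.csrf_support_enabled)."""

    def __init__(self, server: CsrfServer, csrf_support_enabled: bool = True) -> None:
        self.server = server
        self.csrf_support_enabled = csrf_support_enabled
        self.client_id = secrets.token_hex(8)
        self._token: Optional[str] = None
        self._expires_at = 0

    def headers_for(self, method: str, now: Optional[float] = None) -> Dict[str, str]:
        """Headers to add to a request; empty for safe methods or when disabled."""
        if not self.csrf_support_enabled or method.upper() in SAFE_METHODS:
            return {}
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at:
            self._token = self.server.issue_token(self.client_id, now)
            self._expires_at = int(self._token.split(".", 1)[0])
        return {TOKEN_HEADER: self._token, CLIENT_HEADER: self.client_id}
```

In this model a token stolen from one client is useless to another because the client identifier is part of the signed material, and a client with CSRF support disabled sends no headers at all, so every one of its state-changing requests is refused by a protected server; that mismatch, not a bad token, is the first thing to check when POSTs start failing after enabling protection.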
Cross-origin requests to the API are governed by:
- `server.api.cors_allowed_origins`: a list of origins that are allowed to make cross-origin requests.
- `server.api.cors_allowed_methods`: a list of HTTP methods that are allowed in cross-origin requests.
- `server.api.cors_allowed_headers`: a list of headers that are allowed in cross-origin requests.
In production, keep the allowed origins to the exact origins that serve your UI rather than a wildcard.

The `client.custom_headers` setting allows you to configure custom HTTP headers that are included with every API request. This is particularly useful for authentication with proxies, CDNs, or security services that protect your Prefect server. The following headers are managed by Prefect and are protected from being overridden by custom headers:
- `User-Agent`: managed by Prefect to identify client version and capabilities
- `Prefect-Csrf-Token`: used for CSRF protection when enabled
- `Prefect-Csrf-Client`: used for CSRF client identification
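As an added example (not Prefect's code), the following shows how custom headers can be merged into a request while keeping the three protected headers above intact. Header names are compared case-insensitively, as HTTP requires, so `user-agent` cannot slip past the check; the rejection of CR/LF in values is my own addition, a guard against header injection when header values come from configuration, and the sample `BASE` and `CUSTOM` mappings are constructed.

```python
"""Merging client.custom_headers into a request while honouring protected
headers (added example, not Prefect's code).

The protected set is the one listed on the page; the CR/LF check and the
sample header values are additions made for this example.
"""
from typing import Dict, Mapping, Tuple

PROTECTED_HEADERS = {"User-Agent", "Prefect-Csrf-Token", "Prefect-Csrf-Client"}
_PROTECTED_LOWER = {name.lower() for name in PROTECTED_HEADERS}


def merge_custom_headers(base: Mapping[str, str],
                         custom: Mapping[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (headers to send, rejected custom headers with reasons).

    `base` holds the headers Prefect sets itself; `custom` is the
    client.custom_headers mapping. Protected names and values containing
    CR/LF are dropped and reported rather than applied.
    """
    merged = dict(base)
    rejected: Dict[str, str] = {}
    for name, value in custom.items():
        if name.lower() in _PROTECTED_LOWER:
            rejected[name] = "protected header managed by Prefect"
            continue
        if "\r" in value or "\n" in value:
            rejected[name] = "CR/LF in value (header injection)"
            continue
        merged[name] = value
    return merged, rejected


# Constructed example: a CDN token plus two entries that must not be applied.
BASE = {"User-Agent": "prefect-client/example", "Prefect-Csrf-Client": "abc123"}
CUSTOM = {
    "X-CDN-Auth": "token-from-secret-store",
    "user-agent": "curl/8.0",                      # case variant of a protected name
    "X-Forwarded-For": "10.0.0.1\r\nX-Admin: 1",  # injection attempt
}

if __name__ == "__main__":
    sent, dropped = merge_custom_headers(BASE, CUSTOM)
    print(sent)
    print(dropped)
```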