You can configure Chroma to use authentication when in server/client mode only.
Supported authentication methods:
| Authentication Method | Basic Auth (Pre-emptive) | Static API Token |
|---|---|---|
| Description | RFC 7617 Basic Auth with user:password base64-encoded Authorization header. | Static auth token in Authorization: Bearer <token> or in X-Chroma-Token: <token> headers. |
| Status | Alpha | Alpha |
| Server-Side Support | ✅ Alpha | ✅ Alpha |
| Client/Python | ✅ Alpha | ✅ Alpha |
| Client/JS | ✅ Alpha | ✅ Alpha |
Basic Authentication#
Server Setup#
Generate Server-Side Credentials#
Security Practices
A good security practice is to store the password securely. In the example below we use bcrypt (currently the only supported hash in Chroma server side auth) to hash the plaintext password.
To generate the password hash, run the following command:
This creates the bcrypt password hash for the password admin and puts it into server.htpasswd alongside the user admin. It will look like admin:<password hash>.
Running the Server#
Set the following environment variables:
And run the server as normal:
Client Setup#
Static API Token Authentication#
Tokens
Tokens must be alphanumeric ASCII strings. Tokens are case-sensitive.
Server Setup#
Security Note
Current implementation of static API token auth supports only ENV based tokens.
Running the Server#
Set the following environment variables to use Authorization: Bearer test-token to be your authentication header. All environment variables can also be set as Settings.
To configure multiple tokens and use them for role-based access control (RBAC), use a file like this and the following configuration settings:
To use X-Chroma-Token: test-token type of authentication header you can set the CHROMA_AUTH_TOKEN_TRANSPORT_HEADER environment variable or configuration setting.