Operate AuthProxy
Operations span application-level request history, OpenTelemetry signals, background work, connection lifecycle, and the stores behind them.
flowchart LR
Request["Host request"] --> AP["AuthProxy"]
AP --> Provider["Third-party API"]
AP --> Events[("Request events and resource snapshots")]
AP --> OTLP["OTLP traces, metrics, and logs"]
Worker["Worker"] --> Tasks[("Tasks and workflows")]
Worker --> Provider
Events --> Grafana["Admin UI / Grafana"]
OTLP --> Collector["Collector and observability backend"]
Observability and audit
Section titled “Observability and audit”- Application metrics — request-event metadata, resource snapshots, query dimensions, and aggregations.
- Telemetry — OpenTelemetry traces, metrics, logs, sampling, and label projection.
- Blob storage — inspect full request/response payloads in MinIO or S3 when recording is enabled.
- RedisInsight — inspect local Redis state during development.
Application metrics and OpenTelemetry complement each other. Request events are AuthProxy domain records suited to audit and per-connection investigation; OpenTelemetry describes service and dependency behavior across a distributed system.
Control and lifecycle
Section titled “Control and lifecycle”- Rate limits — proactive namespace-scoped policies and connector-level handling of provider 429 responses.
- Background tasks — run the worker and inspect queues.
- Connector lifecycle — disconnect or archive a connector version and monitor the resulting task.
- Connector version migrations — move existing connections to a new connector version, run hooks, handle required setup or re-authentication, and surface actor notifications.
Production baseline
Section titled “Production baseline”Before accepting traffic:
- configure readiness checks for every enabled service and dependency;
- choose retention for request-event rows, body blobs, task history, and telemetry;
- keep full body recording off unless its debugging or audit value outweighs the sensitive-data risk;
- restrict high-cardinality telemetry labels with allowlists;
- monitor OAuth refresh failures, upstream 429s, proxy latency, worker queues, and storage availability;
- test database and blob-store restores; and
- document key, signing-key, database, and provider credential rotation.
See deployment for topology and security for the review checklist.