Welcome to Keyline

Modern Authentication Proxy for Elasticsearch

Keyline is a unified authentication proxy service that provides dual authentication modes (OIDC and Basic Auth) simultaneously, supports multiple deployment modes (forwardAuth, auth_request, standalone proxy), and automatically injects Elasticsearch credentials into authenticated requests.

Get Started Configuration Deployment

Key Features

Dual Authentication

Support both interactive (OIDC) and programmatic (Basic Auth) access simultaneously

Dynamic User Management

Automatically create and manage Elasticsearch users for all authenticated users

Multiple Deployment Modes

Works with Traefik (forwardAuth), Nginx (auth_request), or as standalone proxy

OIDC Support

Full OpenID Connect implementation with PKCE, auto-discovery, and token validation

Security First

Cryptographic randomness, secure cookies, HTTPS enforcement, bcrypt password hashing

Observability

Prometheus metrics, OpenTelemetry tracing, structured logging with context

Installation

Docker (Recommended)

docker pull ghcr.io/wasilak/keyline:latest

Binary

curl -LO https://github.com/wasilak/keyline/releases/latest/download/keyline-linux-amd64.tar.gz
tar -xzf keyline-linux-amd64.tar.gz
sudo mv keyline /usr/local/bin/

Community

GitHub Issues Discussions