Short answer: Prefect Server (open‑source, self‑hosted) does not include user accounts, RBAC, or per‑user API keys. In Prefect 3.x, you have two main options: - A single shared HTTP Basic Auth credential via an environment variable - Put Prefect behind an auth‑terminating reverse proxy (Basic Auth, OIDC/SSO, mTLS, etc.) if you need per‑user credentials Details and options: 1) Simple gate: HTTP Basic Auth (single shared credential) - What it does: Requires a single

username:password

on all requests to the API. This is a coarse gate, not per‑user auth. - How to enable: - On the server, set

PREFECT_API_AUTH_STRING='user:pass'

when starting Prefect Server. - On every client (workers, agents, flows using

get_client()

), set the same

PREFECT_API_AUTH_STRING

so the client automatically sends the Authorization header. - Also set

PREFECT_API_URL

to the server’s API URL for both server and clients. - Example:

# Start server (local example)
  PREFECT_API_AUTH_STRING='admin:supersecret' \
  PREFECT_API_URL='<http://localhost:4200/api>' \
  prefect server start --ui

  # On a worker/flow machine
  export PREFECT_API_URL='<https://prefect.example.com/api>'
  export PREFECT_API_AUTH_STRING='admin:supersecret'

- Notes: - Anyone with the credential has full control; there’s no per‑user tracking or permissions. - Store secrets securely (e.g., Kubernetes Secret, .env protected by your secrets manager). - Docs: Security settings, Server CLI 2) Per‑user auth: put Prefect behind a reverse proxy If you need different API keys/passwords per user or SSO, terminate auth at a proxy and forward to Prefect. - Basic Auth with multiple users (Nginx example) - Create an

htpasswd

file with multiple users:

htpasswd -c /etc/nginx/.htpasswd alice
    htpasswd /etc/nginx/.htpasswd bob

- Minimal Nginx config protecting both UI and API:

server {
      listen 443 ssl;
      server_name <http://prefect.example.com|prefect.example.com>;

      ssl_certificate     /etc/ssl/certs/fullchain.pem;
      ssl_certificate_key /etc/ssl/private/privkey.pem;

      auth_basic           "Restricted";
      auth_basic_user_file /etc/nginx/.htpasswd;

      location / {
        proxy_pass <http://prefect-server:4200;>
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
      }
      location /api/ {
        proxy_pass <http://prefect-server:4200/api/;>
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
      }
    }

- Point clients to the proxy URL:

export PREFECT_API_URL='<https://prefect.example.com/api>'
    # Do NOT set PREFECT_API_AUTH_STRING if proxy handles auth

- Example repo pattern: Reverse proxy example - OIDC/SSO (OAuth2-Proxy, Traefik ForwardAuth, etc.) - Use OAuth2-Proxy or Traefik to authenticate users with your IdP (e.g., Okta, Azure AD, Google). - The proxy validates the user and only then forwards to Prefect. - For headless clients (workers), configure them to send a token your proxy will accept. Prefect clients can send a Bearer token if you set `PREFECT_API_KEY`:

export PREFECT_API_URL='<https://prefect.example.com/api>'
    export PREFECT_API_KEY='<a JWT or opaque token your proxy accepts>'

The client will include

Authorization: Bearer <token>

with each request. Your proxy must validate this token before forwarding to Prefect. - This gives per‑user login in the UI and a way to issue per‑client tokens for automation. Prefect Server itself still does not enforce roles. - mTLS (service-to-service) - For non‑interactive components, you can also front Prefect with a proxy that enforces client certificates. Important notes and best practices

- TLS is critical. Prefect’s built‑in server does not terminate TLS; terminate TLS at your proxy. - If you enable

PREFECT_API_AUTH_STRING

, the UI and API are both served by the same webserver. Browsers may prompt for credentials via a Basic Auth challenge. If you need per‑user auth, prefer a proxy. - RBAC and multi‑tenant user management are not available in Prefect Server. If you need first‑class users, roles, and API keys tied to users, consider Prefect Cloud: Security overview. Questions to tailor a solution for you: - Where will you run Prefect Server (Docker, Kubernetes, VM)? - Do you need per‑user auth for the UI, programmatic access for workers/CI, or both? - Do you already have an IdP (Okta/Azure AD/Google) you’d like to use? Links: - Prefect 3.x security settings: docs-3.prefect.io/v3/advanced/security-settings - Server CLI: docs-3.prefect.io/v3/how-to-guides/self-hosted/server-cli - Reverse proxy example: github.com/zzstoatzz/prefect-pack/.../with_a_reverse_proxy