Madushan Pathirana
09/05/2025, 5:15 AM
Marvin
09/05/2025, 5:15 AM
Marvin
09/05/2025, 5:19 AM
`PREFECT_SERVER_API_AUTH_STRING` enables HTTP Basic Auth on the API; it does not create a login page in the UI. The UI doesn’t have user accounts or a login form. Instead, any client (CLI, workers, or the browser calling the API) must send an Authorization header. If you’re browsing the UI, your browser may or may not show a native Basic Auth prompt depending on how it reaches the API.
What to check and how to verify it’s working
- Make sure the server was restarted after setting the env vars. Settings are only read on process start.
- Confirm the settings are active:
```
prefect config view --show-sources
```
Look for `PREFECT_SERVER_API_AUTH_STRING` and `PREFECT_API_AUTH_STRING` in the output and ensure their sources are correct.
- Test the API directly:
```
# Should be 401 if auth is enabled
curl -i http://<host>:4200/api/health
# Should succeed with Basic Auth
curl -i -u admin:pass http://<host>:4200/api/health
```
- For workers/CLI on the EC2 host, make sure `PREFECT_API_AUTH_STRING=admin:pass` is set in the environment where those processes run (e.g., systemd unit, shell, or .env). This is required for them to contact the API.
Why you didn’t see a login prompt
- The UI is a static app; it loads without auth. When it tries to call the API at `/api/...`, the server requires Basic Auth. Some browsers show a native prompt for same-origin requests; others don’t surface a prompt for XHR/fetch calls—instead the UI will fail to load data and you’ll see errors in the browser console/network tab.
- There is no Prefect-provided UI login form.
How to actually protect the UI (and get a prompt at page load)
- Put Prefect behind a reverse proxy (e.g., Nginx, Caddy, Traefik) and enable Basic Auth and TLS there. This protects both the UI and the API and gives you a browser prompt before the UI loads. Minimal Nginx example:
```
server {
    listen 443 ssl;
    server_name your.domain;
    ssl_certificate /etc/ssl/your.crt;
    ssl_certificate_key /etc/ssl/your.key;
    location / {
        # Require Basic Auth before anything (UI or API) is served
        auth_basic "Prefect";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Forward to the Prefect server listening on localhost only
        proxy_pass http://127.0.0.1:4200;
    }
}
```
- Also keep the EC2 security group tight (allow only your IPs/VPN) and avoid exposing port 4200 directly.
Docs
- Security settings overview: Prefect 3 Security settings
If you can share:
- How you start the server (command/systemd/docker)
- Whether you restarted it after setting the env vars
- How you’re accessing the UI (direct on port 4200 vs via a proxy)
…I can help tailor the exact steps and config for your EC2 setup in ap-southeast-1.
Nate
09/05/2025, 1:12 PM
`PREFECT_SERVER_API_AUTH_STRING` is not actually set on the server