The glsa_ token on the /grafana/ location was committed to a public repo. Verified dead: Grafana's service-account and api_key tables are empty (the data dir is ephemeral container storage, so the SA was wiped on a past recreate) and an arbitrary invalid bearer gets identical 200 responses — panel embeds are actually served by anonymous Viewer auth (GF_AUTH_ANONYMOUS_ENABLED=true). The header was a no-op; removing it changes no behavior and removes the credential from the config.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
overlord.conf
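The three-way comparison behind the "no-op" conclusion in the commit message, as an added example that is not part of the commit or the repository. `fetch` is a hypothetical callable that requests one panel URL with the given Authorization value; the two stub backends and the sample token are constructed so the block runs offline, and bodies are assumed to be stable between requests.

```python
import hashlib
from typing import Callable, Optional, Tuple

Response = Tuple[int, bytes]                 # (HTTP status, body)
Fetch = Callable[[Optional[str]], Response]  # argument: Authorization value or None

# Constructed sample values, shaped like a service-account token; not real credentials.
SAMPLE_TOKEN = "glsa_" + "A" * 32 + "_deadbeef"
BOGUS_TOKEN = "glsa_" + "0" * 32 + "_00000000"


def _fingerprint(resp: Response) -> Tuple[int, str]:
    """Reduce a response to (status, body hash) so responses can be compared."""
    status, body = resp
    return status, hashlib.sha256(body).hexdigest()


def header_effect(fetch: Fetch, committed_token: str) -> str:
    """Classify what the proxy-injected bearer header does for one endpoint."""
    with_token = _fingerprint(fetch(f"Bearer {committed_token}"))
    with_bogus = _fingerprint(fetch(f"Bearer {BOGUS_TOKEN}"))
    no_header = _fingerprint(fetch(None))

    if with_token == with_bogus == no_header:
        # The header never influences the response (e.g. anonymous auth serves it).
        # This alone does not show the token is revoked; the empty service-account
        # table check in the commit message covers that part.
        return "no-op"
    if with_token == with_bogus:
        # The header is evaluated, but the committed token fares no better than junk.
        return "token-rejected"
    # The committed token changes the result: revoke it before editing the config.
    return "token-live"


def anonymous_viewer_backend(auth: Optional[str]) -> Response:
    """Constructed stub: every request is served the same panel, whatever the header."""
    return 200, b'{"panel": "cpu"}'


def token_gated_backend(auth: Optional[str]) -> Response:
    """Constructed stub: only the sample token is accepted."""
    if auth == f"Bearer {SAMPLE_TOKEN}":
        return 200, b'{"panel": "cpu"}'
    return 401, b'{"message": "Unauthorized"}'
```
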