Ability to track usage of Bearer tokens #45047

@brdotv2

Component(s)

extension/bearertokenauth

Is your feature request related to a problem? Please describe.

I'm part of a small team that uses the OTel Collector to build and maintain an internal Observability pipeline in our company. Our setup is somewhat simple, where we maintain a "central" Collector deployed in the cloud and various clients (SDKs, other Collectors, etc.) are then submitting their data to our OTLP endpoint (not publicly accessible, yet) where we then process the data and make it fit our requirements and such.

We are using Bearer tokens to authenticate the individual clients. We provision and distribute a token for each client using AWS Secrets and cross-account sharing of those secrets.

We now need a way to track the usage of each individual token, so that we can answer questions like: "which token hasn't been used in a while?", "which token is abusive?" and the like.

Describe the solution you'd like

We are playing with the idea of adding internal metrics to the bearertokenauth extension that would count the number of times a token was used to either authenticate or fail.

To be able to correlate the metrics to a single token, the token index would be used as one of the attributes.

We are a bit unsure if this is the right approach and if this would benefit both the community and our use-case at the same time.

We will naturally provide a PR addressing this issue, if there is an interest in this.

Example telemetry metadata:

attributes:
  auth.status:
    description: Authentication status
    type: string
    enum: [success, failure]
  auth.type:
    description: Type of authentication
    type: string
    enum: [client, server]
  token.index:
    description: Index of the token in the configuration (0-based, -1 when token.matched is false)
    type: int
  token.matched:
    description: Whether the provided token matches a configured token
    type: bool

telemetry:
  metrics:
    bearer_token_auth_usage:
      enabled: true
      description: Number of authentication attempts with bearer tokens
      unit: "{attempt}"
      stability:
        level: development
      sum:
        value_type: int
        monotonic: true
      attributes: [auth.type, auth.status, token.index, token.matched]

Describe alternatives you've considered

If this approach is against what the bearertokenauth extension should provide and what insight the extension's telemetry should provide, we could expose this kind of telemetry data in a new extension that potentially could support multiple kinds of token-based authentication.

Additional context

No response
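
The counting scheme proposed in this issue, as an added example that is not part of the original post and is not code from the bearertokenauth extension: each attempt is counted under `auth.status`, `token.index` and `token.matched`, and only the index is recorded so the secret never reaches telemetry. The `tokenAuth` and `usageKey` types, the in-memory map standing in for the metric sum, and the token strings are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"strings"
)

// usageKey mirrors the proposed attributes; auth.type is implicitly "server".
type usageKey struct {
	Status  string // auth.status: "success" or "failure"
	Index   int    // token.index: 0-based, -1 when nothing matched
	Matched bool   // token.matched
}

// tokenAuth is a hypothetical, non-goroutine-safe stand-in for the extension.
type tokenAuth struct {
	tokens []string
	usage  map[usageKey]int64 // stands in for bearer_token_auth_usage
}

// authenticate counts one attempt; only the index is recorded, never the token.
func (a *tokenAuth) authenticate(header string) bool {
	ok := strings.HasPrefix(header, "Bearer ")
	presented := []byte(strings.TrimPrefix(header, "Bearer "))
	idx := -1
	for i, t := range a.tokens { // compare against every token in constant time
		if subtle.ConstantTimeCompare([]byte(t), presented) == 1 && ok && idx == -1 {
			idx = i
		}
	}
	status := map[bool]string{true: "success", false: "failure"}[idx >= 0]
	a.usage[usageKey{status, idx, idx >= 0}]++
	return idx >= 0
}

// unusedTokens lists configured indexes with no successful attempt so far.
func (a *tokenAuth) unusedTokens() (out []int) {
	for i := range a.tokens {
		if a.usage[usageKey{"success", i, true}] == 0 {
			out = append(out, i)
		}
	}
	return out
}

func main() {
	a := &tokenAuth{tokens: []string{"constructed-a", "constructed-b"}, usage: map[usageKey]int64{}}
	println(a.authenticate("Bearer constructed-b"), a.authenticate("Bearer nope"), len(a.unusedTokens()))
}
```

Because every failed attempt lands on the single `token.index = -1` series, the attribute set stays bounded by the number of configured tokens regardless of what clients send.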
