Accessing Prometheus metrics endpoint

We are deploying hydra “public” and “admin” as separate applications. I am able to access /metrics/prometheus on the admin instance but not from the public (4444) instance. Both applications are configured exactly the same with the exception of hydra serve admin versus hydra serve public. I’m not sure if this is by design to prevent metrics from being exposed by default for the public endpoint / etc, but I wanted to check first before investigating further. Thanks!

Yeah, the metrics endpoint is not exposed publicly as it may expose data which should not end up on the open internet. It’s a good question though how to handle this scenario with Prometheus. Maybe we need to open an additional port for metrics here?

What about making this an env configuration setting (ex, ENABLE_METRICS_ENDPOINT) which is disabled by default for public? In our case, we will be exposing this through an edge/gateway layer which will contain specific mappings for routes we want to expose over the internet, so we have control over which endpoints are public.

We shouldn’t mix public with very sensitive metrics data. I would suggest simply running the public hydra with “serve all” and only using the metrics endpoint of the admin port. We might make this more consistent in terms of terminology in the future but I think it’s a good workaround for now.

Fair enough, the reason we were actually deploying admin as a separate app is because we were concerned about running this in the same container as the public-facing app from a security perspective. That said, we can control access via network ACLs, etc, so this isn’t a show-stopper.

Regarding the published metrics, is it possible to get request-level metrics for the various endpoints, similar to what is published for the Prometheus endpoint itself (promhttp_metric_handler_requests_total{code="200"}), or do you recommend relying on pulling this data from the supporting infrastructure (for ex, CloudWatch/ALB metrics)?

There is an open PR for better metrics, but it’s been stale for a while. We encourage contributions though!
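
Added example (not part of the original thread and not Ory's code): a small check that the /metrics/prometheus path discussed above answers only on the listeners where it is meant to, including behind an edge/gateway layer. The host names, the admin port 4445 and the sample responses are constructed assumptions; only the path and port 4444 come from the thread.

```python
import urllib.error
import urllib.request

METRICS_PATH = "/metrics/prometheus"  # path named in the thread

def http_fetch(url, timeout=3):
    """GET url and return (status, body); (None, "") when unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""

def looks_like_metrics(status, body):
    """True only for a 200 whose body is Prometheus text exposition format."""
    if status != 200:
        return False  # 401/403/404 from a gateway is not an exposure
    return any(l.startswith(("# HELP ", "# TYPE ")) for l in body.splitlines())

def audit(listeners, fetch=http_fetch):
    """listeners: {name: (base_url, metrics_expected)} -> list of findings."""
    findings = []
    for name, (base_url, expected) in listeners.items():
        status, body = fetch(base_url.rstrip("/") + METRICS_PATH)
        exposed = looks_like_metrics(status, body)
        if exposed and not expected:
            findings.append((name, "EXPOSED", status))
        elif expected and not exposed:
            findings.append((name, "MISSING", status))
    return findings

# Constructed sample data (hypothetical hosts; 4445 is an assumed admin port).
_METRICS = ('# TYPE promhttp_metric_handler_requests_total counter\n'
            'promhttp_metric_handler_requests_total{code="200"} 12\n')
LISTENERS = {
    "admin": ("http://hydra-admin.internal:4445", True),
    "public": ("http://hydra-public.internal:4444", False),
    "edge": ("https://edge.example.com", False),
}
SAMPLE = {
    "http://hydra-admin.internal:4445" + METRICS_PATH: (200, _METRICS),
    "http://hydra-public.internal:4444" + METRICS_PATH: (404, ""),
    "https://edge.example.com" + METRICS_PATH: (200, _METRICS),  # misrouted
}

def sample_fetch(url):
    return SAMPLE.get(url, (None, ""))
```

Calling `audit(LISTENERS)` without the `fetch` argument probes real URLs; `audit(LISTENERS, fetch=sample_fetch)` runs against the constructed responses.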