Skip to content

Self-hosted dashboard emits telemetry to https://api.openpanel.dev/track and returns 401 even with correct API_URL #380

Open
Open
Self-hosted dashboard emits telemetry to https://api.openpanel.dev/track and returns 401 even with correct API_URL#380
@pcruzvsm

Description

@pcruzvsm
pcruzvsm
opened on May 29, 2026

Summary

In a self-hosted OpenPanel deployment on Kubernetes, the dashboard still attempts outbound telemetry requests to https://api.openpanel.dev/track, which return 401 Unauthorized.

This appears unrelated to core app API routing, which is correctly configured to self-hosted URLs. It looks like the dashboard frontend includes an internal SDK/client with a hosted fallback URL.

Environment

  • OpenPanel Helm chart: openpanel/openpanel version 0.9.0
  • Deployment mode: self-hosted on Kubernetes
  • Ingress host: analytics-openpanel.example.com
  • Ingress class: haproxy

Self-hosting env/config verification

The deployment is aligned with self-hosting docs:

  • API_URL=https://analytics-openpanel.example.com/api
  • DASHBOARD_URL=https://analytics-openpanel.example.com
  • SELF_HOSTED=true
  • DATABASE_URL, REDIS_URL, CLICKHOUSE_URL, COOKIE_SECRET are set

References:

Reproduction

  1. Open self-hosted dashboard login page:
    • https://analytics-openpanel.example.com/login
  2. Open browser dev tools network tab.
  3. Observe outbound request:
    • POST https://api.openpanel.dev/track
  4. Response is 401.

Expected behavior

  • In self-hosted mode, dashboard telemetry should either:
    • use self-hosted API URL (https://<self-hosted-domain>/api), or
    • be disabled by default, or
    • be controllable by documented env/config.
  • Dashboard should not call hosted api.openpanel.dev implicitly.

Actual behavior

  • Dashboard emits hosted telemetry request to api.openpanel.dev/track.
  • Request returns 401 Unauthorized.
  • This creates repeated noisy outbound errors and implies misrouting in self-hosted setups.

Evidence

Runtime env in dashboard pod

  • API_URL=https://analytics-openpanel.example.com/api
  • NEXT_PUBLIC_API_URL=https://analytics-openpanel.example.com/api
  • DASHBOARD_URL=https://analytics-openpanel.example.com
  • NEXT_PUBLIC_DASHBOARD_URL=https://analytics-openpanel.example.com

Bundle evidence (served dashboard asset)

The dashboard bundle contains code equivalent to:

this.api = new Client({
  baseUrl: e.apiUrl || "https://api.openpanel.dev",
  ...
})

This fallback appears to explain hosted outbound calls when an internal telemetry client is initialized without apiUrl.

Impact

  • Self-hosted operators see persistent 401 outbound errors to hosted OpenPanel API.
  • Confusing behavior and possible policy/compliance concern in environments that must avoid unexpected external telemetry.

Suggested fix

  • Ensure any internal dashboard telemetry client uses self-hosted API_URL when SELF_HOSTED=true.
  • Alternatively, disable internal telemetry in self-hosted mode by default.
  • Add explicit documented env flag to disable dashboard outbound telemetry.

Suggested docs update

  • Document whether dashboard has internal telemetry.
  • Document how to fully disable outbound telemetry in self-hosted deployments.

Related issues checked (not exact match)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions