Is your feature request related to a problem? Please describe
In Portainer Business Edition (tested with 2.33.7 LTS), the /api/licenses endpoint is restricted to Administrator users. Standard users (Role = 2) receive 401 Unauthorized, even when using a valid Personal Access Token.
At the same time, license expiration warnings are visible in the UI to non-admin users after login.
This creates the following problems:
Monitoring systems (e.g., CheckMK, Zabbix, Prometheus) cannot read license expiration without Administrator privileges
Organizations must store Admin-level API tokens in monitoring systems
This violates the principle of least privilege
It increases the security risk surface unnecessarily
Describe the solution you'd like
Introduce a read-only way for non-admin users to retrieve license status via API.
Possible implementations:
Allow Standard Users read-only access to /api/licenses
Introduce a dedicated endpoint, e.g.:
GET /api/licenses/status
Add a granular permission such as:
PortainerLicenseRead
The endpoint would only need to return minimal non-sensitive data, for example:
{
  "valid": true,
  "expiresAt": 1772927999
}
This would enable secure monitoring integrations without granting Administrator rights.
Describe alternatives you've considered
Alternatives evaluated:
Using an Administrator Personal Access Token
→ Works technically, but introduces unnecessary security risk
Using /api/auth login flow and JWT
→ Still requires Administrator privileges
Scraping license warning from the UI
→ Fragile, version-dependent, not API-stable
Reading internal container data (e.g., mounted license files)
→ Requires Docker-level access, increases attack surface significantly
All alternatives are less secure or less stable than providing proper read-only API access.
Additional context
License expiration warnings are already visible to non-admin users in the web interface.
Providing read-only API access would:
Environment tested:
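Added example, not part of the original post and not Portainer code: a monitoring-side check that maps the minimal `valid`/`expiresAt` payload proposed above to Nagios/CheckMK plugin states, so the monitoring system needs only that body and no Administrator token. The response shape is the one suggested in the request, not an existing API; the function name `evaluate_license` and the 30/7-day thresholds are assumptions.

```python
import json
from datetime import datetime, timezone

# Standard Nagios/CheckMK plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def evaluate_license(raw, now, warn_days=30, crit_days=7):
    """Return (exit_code, message) for a raw JSON license-status body.

    `raw` is the body of the proposed read-only endpoint (hypothetical),
    `now` is a timezone-aware datetime; thresholds are assumed defaults.
    """
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        return UNKNOWN, "response is not valid JSON"
    if not isinstance(data, dict):
        return UNKNOWN, "response is not a JSON object"

    valid, expires_at = data.get("valid"), data.get("expiresAt")
    # bool is a subclass of int in Python, so reject it explicitly.
    if (not isinstance(valid, bool) or isinstance(expires_at, bool)
            or not isinstance(expires_at, int)):
        return UNKNOWN, "missing or mistyped 'valid'/'expiresAt'"
    try:
        expiry = datetime.fromtimestamp(expires_at, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return UNKNOWN, "expiresAt is out of range"

    days_left = (expiry - now).total_seconds() / 86400
    if not valid:
        return CRITICAL, "license reported as invalid"
    if days_left <= 0:
        return CRITICAL, f"license expired on {expiry:%Y-%m-%d}"
    if days_left <= crit_days:
        return CRITICAL, f"license expires in {days_left:.1f} days"
    if days_left <= warn_days:
        return WARNING, f"license expires in {days_left:.1f} days"
    return OK, f"license valid until {expiry:%Y-%m-%d}"


if __name__ == "__main__":
    # Constructed sample: the example payload from the request above.
    sample = '{"valid": true, "expiresAt": 1772927999}'
    code, message = evaluate_license(sample, datetime.now(timezone.utc))
    print(message)
    raise SystemExit(code)
```

A malformed or unexpected body maps to UNKNOWN rather than OK, so a changed response format surfaces as an alert instead of a silent pass.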