mudler · mudler · Dec 1, 2025 · Dec 1, 2025
diff --git a/core/config/application_config.go b/core/config/application_config.go
@@ -72,6 +72,8 @@ type ApplicationConfig struct {
 	DisableRuntimeSettings bool
 
 	AgentJobRetentionDays int // Default: 30 days
+
+	PathWithoutAuth []string
 }
 
 type AppOption func(*ApplicationConfig)
@@ -82,6 +84,15 @@ func NewApplicationConfig(o ...AppOption) *ApplicationConfig {
 		UploadLimitMB:         15,
 		Debug:                 true,
 		AgentJobRetentionDays: 30, // Default: 30 days
+		PathWithoutAuth: []string{
+			"/static/",
+			"/generated-audio/",
+			"/generated-images/",
+			"/generated-videos/",
+			"/favicon.svg",
+			"/readyz",
+			"/healthz",
+		},
 	}
 	for _, oo := range o {
 		oo(opt)

diff --git a/core/http/middleware/auth.go b/core/http/middleware/auth.go
@@ -156,21 +156,10 @@ func getApiKeyRequiredFilterFunction(applicationConfig *config.ApplicationConfig
 	return func(c echo.Context) bool {
 		path := c.Request().URL.Path
 
-		// Always skip authentication for static files
-		if strings.HasPrefix(path, "/static/") {
-			return true
-		}
-
-		// Always skip authentication for generated content
-		if strings.HasPrefix(path, "/generated-audio/") ||
-			strings.HasPrefix(path, "/generated-images/") ||
-			strings.HasPrefix(path, "/generated-videos/") {
-			return true
-		}
-
-		// Skip authentication for favicon
-		if path == "/favicon.svg" {
-			return true
+		for _, p := range applicationConfig.PathWithoutAuth {
+			if strings.HasPrefix(path, p) {
+				return true
+			}
 		}
 
 		// Handle GET request exemptions if enabled