Skip to content
DevOps AI ToolKit
Newsletter
All guides
AI for Loki By James Joyner IV · · 8 min read

Loki Error Guide: 'no org id' — Supply the X-Scope-OrgID Tenant Header

Quick answer

Fix Loki 'no org id' errors: understand multi-tenancy and the X-Scope-OrgID header, why pushes and queries fail without a tenant, and how to set it in clients, Grafana, and the ruler.

  • #loki
  • #logging
  • #troubleshooting
  • #errors
Free toolkit

Fixing errors like this? Get 500 free DevOps AI prompts

500 copy-paste AI prompts for the stack you actually run — one PDF, free.

Overview

When multi-tenancy is enabled (auth_enabled: true), Loki requires every request to declare a tenant via the X-Scope-OrgID HTTP header. Requests without it are rejected:

no org id

The HTTP status is 401 Unauthorized on the read path and a 400/401 on push. Loki does not authenticate the tenant itself — it trusts the header (a proxy or gateway is expected to set/validate it) — but it will not process any request that lacks one when auth is enabled.

Symptoms

  • Every push or query fails with no org id immediately after enabling auth_enabled: true.
  • Grafana Explore returns no org id while a direct curl with the header works.
  • Promtail/Alloy logs server returned HTTP status 401 Unauthorized (no org id).
  • The ruler fails to evaluate rules with no org id.
  • Works in single-tenant mode (auth_enabled: false) but breaks after enabling multi-tenancy.

Common Root Causes

  • Client not sending the header — Promtail/Alloy tenant_id/X-Scope-OrgID not configured.
  • Grafana datasource missing the tenant — no custom X-Scope-OrgID header on the Loki datasource.
  • Gateway/proxy not injecting it — the NGINX/gateway in front of Loki isn’t adding the header per route.
  • Ruler/compactor lacking a tenant — internal components that need an explicit tenant for per-tenant operations.
  • auth_enabled toggled without updating clients — enabling multi-tenancy but leaving callers unchanged.
  • Empty or whitespace header — the header present but blank, which Loki treats as missing.

Diagnostic Workflow

Confirm multi-tenancy is on:

auth_enabled: true

Reproduce with and without the header to isolate the problem:

# Fails: no org id
curl -s "http://loki-gateway/loki/api/v1/labels"

# Succeeds: tenant supplied
curl -s -H "X-Scope-OrgID: tenant-a" "http://loki-gateway/loki/api/v1/labels"

Set the tenant on Promtail/Alloy write:

loki.write "default" {
  endpoint {
    url       = "http://loki-gateway/loki/api/v1/push"
    tenant_id = "tenant-a"
  }
}

Promtail equivalent:

clients:
  - url: http://loki-gateway/loki/api/v1/push
    tenant_id: tenant-a

Set it on the Grafana Loki datasource so queries carry a tenant:

# Grafana datasource provisioning
jsonData:
  httpHeaderName1: X-Scope-OrgID
secureJsonData:
  httpHeaderValue1: tenant-a

For the ruler, provide the tenant list it evaluates rules for, or configure per-tenant rule storage so each group runs under its own org id.

Example Root Cause Analysis

A platform team flipped auth_enabled: true to prepare for onboarding a second team. Immediately, all dashboards showed no org id and Promtail logged 401 Unauthorized (no org id), even though nothing about the data had changed. A curl without the header reproduced the error, and the same curl with -H "X-Scope-OrgID: tenant-a" succeeded — proving Loki itself was healthy and the requests simply lacked a tenant.

The fix touched three callers: they added tenant_id: "tenant-a" to Promtail’s client block, added an X-Scope-OrgID: tenant-a custom header to the Grafana Loki datasource, and configured the ruler with an explicit tenant so recording rules kept evaluating. Because Loki trusts the header rather than authenticating it, they also put an authenticating gateway in front that injects X-Scope-OrgID per authenticated route, so clients can’t spoof another tenant. After that, writes, queries, and rules all resumed under the correct tenant.

Prevention Best Practices

  • Decide multi-tenancy up front; if you enable auth_enabled: true, update every client, datasource, and internal component in the same change.
  • Put an authenticating gateway/proxy in front of Loki that injects a trusted X-Scope-OrgID per route — never rely on clients to self-declare honestly in production.
  • Template the tenant header into Grafana datasource provisioning so new datasources always carry it.
  • Configure the ruler and any internal jobs with explicit tenant context.
  • Add a smoke test that pushes and queries with the header after any auth-related change.
  • Remember Loki does not authenticate the header value — treat it as trusted only behind your proxy.

Quick Command Reference

# Reproduce the error (no header)
curl -s "http://loki-gateway/loki/api/v1/labels"

# Correct request with tenant
curl -s -H "X-Scope-OrgID: tenant-a" "http://loki-gateway/loki/api/v1/labels"

# Push with a tenant
curl -s -H "X-Scope-OrgID: tenant-a" -H "Content-Type: application/json" \
  -XPOST "http://loki-gateway/loki/api/v1/push" -d @push.json

# Confirm multi-tenancy setting
logcli --addr=http://loki-gateway/ config | grep -i auth_enabled

Conclusion

no org id is Loki telling you multi-tenancy is enabled but a request arrived without an X-Scope-OrgID tenant header. Reproduce it with and without the header to confirm, then set the tenant on every caller: log clients (tenant_id), the Grafana datasource (custom header), and internal components like the ruler. Because Loki trusts rather than authenticates the header, front it with a gateway that injects the tenant per authenticated route, and add a post-change smoke test so enabling auth never silently breaks writes and queries.

Free download · 368-page PDF

Get 500 Battle-Tested DevOps AI Prompts — Free

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.