Endpoints
Grafana Cloud exposes a region-scoped OTLP gateway:https://otlp-gateway-prod-us-east-3.grafana.net/otlp (the
collector’s hard-coded default) or https://otlp-gateway-prod-eu-west-2.grafana.net/otlp.
The collector strips any trailing /v1/traces / /v1/logs you paste, so either the
base (.../otlp) or a full-signal URL works.
Authentication (Basic, not Bearer)
Unlike the other providers (Dash0, HyperDX, Logfire all useBearer), Grafana
Cloud’s OTLP gateway authenticates with HTTP Basic auth:
<instance_id>— the numeric OTLP-gateway instance / user id shown on the Grafana Cloud “OpenTelemetry” config page. This is not the org id embedded in theglc_token.<token>— a Grafana Cloud access-policy token (starts withglc_) scoped to write metrics/logs/traces.
GRAFANA_OTLP_AUTH) at deploy time
(see _grafana_basic_auth / _collector_secret_payload in src/otel_collector.py),
so the raw glc_ token never reaches the collector container or the rendered config.
Set up secrets in Infisical
Add these secrets to your Infisical project (dev environment):1. GRAFANA_INSTANCE_ID
- Name:
GRAFANA_INSTANCE_ID - Value: The numeric OTLP-gateway instance id (e.g.
1718830) - Type: Secret
- Environment: dev
2. GRAFANA_API_KEY
- Name:
GRAFANA_API_KEY - Value: Your Grafana Cloud access-policy token (starts with
glc_) - Type: Secret
- Environment: dev
3. GRAFANA_OTLP_ENDPOINT (Optional)
- Name:
GRAFANA_OTLP_ENDPOINT - Value: Your regional OTLP gateway, e.g.
https://otlp-gateway-prod-us-east-3.grafana.net/otlp - Type: Secret
- Environment: dev
- Omit to use the hard-coded default (
us-east-3).
Set secrets via CLI
Deploy the collector
Once secrets are set, deploy the otel-collector:GRAFANA_INSTANCE_ID + GRAFANA_API_KEY are collapsed into
the pre-encoded GRAFANA_OTLP_AUTH Basic credential and embedded in the collector’s
secret, so when the container starts Grafana is already configured.
Verify configuration
Check that Grafana was included in the collector config:Collector architecture
When the collector is deployed:libs/telemetry.py and src/otel_collector.py for implementation details.
Troubleshooting
Secrets not found
401 / 403 from the gateway
- Grafana Cloud uses Basic auth, not Bearer — a Bearer header returns 401. This is
handled automatically by the collector; if you see 401s, re-check that
GRAFANA_INSTANCE_IDis the numeric OTLP-gateway instance id (not the org id) and that theglc_token’s access policy has write scope for the signals. - Confirm the endpoint region matches the stack the token belongs to.
Collector not starting
Check the Modal logs for the otel-collector app:No telemetry in Grafana
- Verify the collector is running and Grafana is in the exporter list (see above).
- Check Modal logs for export errors.
- Verify the OTLP endpoint region is reachable and matches the token’s stack.
Mixing Grafana with other providers
You can enable multiple providers simultaneously — the collector fans out to all configured exporters. Grafana coexists with Dash0, HyperDX, and Logfire.Reference
- Grafana Cloud OTLP endpoint docs
- OpenTelemetry Collector OTLPHTTP Exporter
src/otel_collector.py— Collector app and config builderlibs/telemetry.py— App-side telemetry initialization