Ingest New Documentation (#2828)

Co-authored-by: netdatabot <43409846+netdatabot@users.noreply.github.com>

Author: github-actions[bot]

docs/Alerts & Notifications/Alert Configuration Reference.mdx

@@ -812,11 +812,14 @@ chart labels: mount_point=/mnt/disk1 device=sda
 
 This requires BOTH conditions to be true (AND logic).
 
-**Important Notes:**
+:::important
 
 - Space-separated list with [simple patterns](/docs/developer-and-contributor-corner/libnetdata/simple-patterns) support
 - If a specified label doesn't exist on the chart, the chart won't match
 - Multiple labels use AND logic
+- Alerts based on `chart labels` require the underlying chart to exist. For example, a `disk.space` chart is only created when a mount point is present and collected. For example, if a CIFS mount fails to mount after a system reboot, no `disk.space` chart will exist for that mount point, and the alert will not activate
+
+:::
 
 #### Alert Line `summary`
 

docs/Netdata Agent/Configuration/Dynamic Configuration Manager.mdx

@@ -10,14 +10,6 @@ slug: "/netdata-agent/configuration/dynamic-configuration-manager"
 
 # Dynamic Configuration Manager
 
-## Table of Contents
-
-- [Overview](#overview)
-- [Quick Access Methods](#quick-access-methods)
-- [Getting Started](#getting-started)
-- [Collectors](#collectors)
-- [Multi-Node Deployment](#multi-node-deployment)
-
 ## Overview
 
 :::important
@@ -283,6 +275,36 @@ This feature is particularly valuable for managing large infrastructures where m
 
 :::
 
+## Troubleshooting
+
+### HTTP 412 Error When Editing Alert Configurations
+
+If you receive an **HTTP 412 error** with a message like "Request failed with status 412" when editing alert configurations, this indicates an **authentication issue**, not a schema validation error.
+
+:::important
+
+In Netdata, HTTP 412 is used to indicate that an authorization bearer token was required but was not present in the request. This differs from the generic HTTP 412 "Precondition Failed" response.
+
+:::
+
+**Common causes:**
+
+1. **Bearer token protection enabled** - Your agent requires Cloud authentication for API access
+2. **Cloud connection lost** - Agent disconnected from Netdata Cloud
+3. **Session expired** - Bearer token has expired (tokens expire after 24 hours)
+4. **Missing browser authentication state** - Your browser is no longer sending a valid Cloud bearer token with the request
+
+**Resolution steps:**
+
+1. **Verify claim and Cloud connection**: Check `http://IP:19999/api/v3/info` and inspect the `cloud` section. Use `cloud.status` to verify whether the Agent is connected to Netdata Cloud, and if it is not `online`, inspect `cloud.reason` for the failure details.
+2. **Re-authenticate**: Log out and log back into Netdata Cloud to refresh your bearer token.
+3. **Verify bearer token protection setting**: If enabled in `netdata.conf`, ensure you're accessing the agent through a Cloud-authenticated session.
+4. **Check permissions only if you get HTTP 403**: If the request changes from HTTP 412 to HTTP 403 after re-authenticating, ensure you have Admin or Manager role in the space containing the agent.
+
+For more information, see [Secure Your Netdata Agent with Bearer Token Protection](/docs/netdata-agent/configuration/securing-agents/bearer-token-protection).
+
+---
+
 Experience the efficiency and power of the Dynamic Configuration Manager in Netdata today. Whether you're managing a handful of nodes or a vast infrastructure, this feature will make your monitoring and alerting tasks smoother and more intuitive.
 
 Developing with dynamic configuration? [Click here](https://learn.netdata.cloud/docs/developer-and-contributor-corner/dynamic-configuration/).

docs/Netdata Agent/Configuration/Securing Agents/Bearer Token Protection.mdx

@@ -0,0 +1,156 @@
+---
+custom_edit_url: "https://github.com/netdata/netdata/edit/master/docs/netdata-agent/configuration/secure-your-netdata-agent-with-bearer-token.md"
+sidebar_label: "Bearer Token Protection"
+learn_status: "Published"
+learn_rel_path: "Netdata Agent/Configuration/Securing Agents"
+sidebar_position: "20"
+learn_link: "https://learn.netdata.cloud/docs/netdata-agent/configuration/securing-agents/bearer-token-protection"
+slug: "/netdata-agent/configuration/securing-agents/bearer-token-protection"
+---
+
+# Secure Your Netdata Agent with Bearer Token Protection
+
+Netdata provides native bearer token protection that integrates with Netdata Cloud Single Sign-On (SSO). With a single configuration setting, you can secure direct access to your Netdata Agents and Parents while inheriting the same permissions and roles your users have in Netdata Cloud.
+
+## Who Can Use This
+
+Bearer token protection is available to all Netdata Cloud users:
+
+- **Community plan** (free)
+- **Business plan** (paid)
+
+Your agent must be [claimed to Netdata Cloud](/docs/netdata-cloud/connect-agent) to use this feature.
+
+## How It Works
+
+When bearer token protection is enabled:
+
+1. Users visit your agent's dashboard directly (e.g., `http://your-server:19999`)
+2. The agent redirects them to Netdata Cloud for authentication
+3. After successful Cloud SSO login, users receive a time-limited bearer token
+4. The token grants access based on their Netdata Cloud role (Admin, Manager, Troubleshooter, etc.)
+5. Tokens expire after 24 hours and are automatically renewed through Cloud
+
+This means:
+
+- **Single Sign-On**: Users authenticate once via Netdata Cloud
+- **Role-Based Access**: Cloud roles and permissions apply to direct agent access
+- **Centralized Control**: Manage access through Netdata Cloud, not per-agent configurations
+- **No Password Files**: No htpasswd files or reverse proxy auth configuration needed
+
+## Enable Bearer Token Protection
+
+Edit your `netdata.conf` using the [`edit-config`](/docs/netdata-agent/configuration#edit-configuration-files) script:
+
+```bash
+cd /etc/netdata
+sudo ./edit-config netdata.conf
+```
+
+Add or modify the `[web]` section:
+
+```ini
+[web]
+    bearer token protection = yes
+```
+
+Restart Netdata to apply:
+
+```bash
+sudo systemctl restart netdata
+```
+
+## What Gets Protected
+
+When enabled, bearer token protection secures **all data APIs**, including:
+
+- Metrics and charts (`/api/v3/data`, `/api/v3/allmetrics`)
+- Alerts (`/api/v3/alerts`, `/api/v3/alert_transitions`)
+- Contexts and nodes (`/api/v3/contexts`, `/api/v3/nodes`)
+- Functions (`/api/v3/function`, `/api/v3/functions`)
+- Dynamic configuration (`/api/v3/config`)
+
+## What Remains Public
+
+**Static web files** (HTML, CSS, JavaScript) in Netdata's web directory are **not protected**. This means:
+
+- Users can still download and view the dashboard UI
+- The dashboard will load but **won't display any data**
+- All API calls from the dashboard will fail until the user authenticates
+
+This is by design - it allows the dashboard to redirect users to Netdata Cloud for authentication.
+
+A small set of APIs also remain publicly accessible for operational reasons:
+
+| API | What it exposes |
+|-----|-----------------|
+| `/api/v3/info` | Agent version, OS, build info, capabilities |
+| `/api/v3/me` | Current user authentication status |
+| `/api/v3/claim` | Agent claiming endpoint (protected by separate security key) |
+| `/api/v3/stream_info` | Streaming connection statistics |
+| `/api/v2/claim` | Agent claiming endpoint (v2, protected by security key) |
+| `/api/v1/registry?action=hello` | Node list, machine GUIDs, cloud connection status |
+| `/api/v1/manage/health` | Alert silencing (protected by separate X-Auth-Token) |
+
+These APIs are required for the authentication flow and dashboard initialization. The registry `hello` action returns node identifiers and cloud connection status, which the dashboard needs to initiate the authentication redirect.
+
+**Note:** Other v1 and v2 APIs (like `/api/v2/info`, `/api/v3/versions`, `/api/v3/progress`) **are protected** by bearer token - only the specific endpoints listed above bypass protection.
+
+## Requirements
+
+- Agent must be claimed to Netdata Cloud
+- ACLK connection must be active (agent connected to Cloud)
+- Users must have a Netdata Cloud account with access to the space containing the agent
+
+## Comparison with Other Methods
+
+| Method | Setup Complexity | SSO | Centralized Management | Works Offline |
+|--------|-----------------|-----|----------------------|---------------|
+| **Bearer Token Protection** | Single setting | Yes | Yes | No |
+| Reverse Proxy + Basic Auth | High (proxy + htpasswd) | No | No | Yes |
+| IP-Based Restrictions | Medium | No | No | Yes |
+| Disable Dashboard | Single setting | N/A | N/A | N/A |
+
+Choose bearer token protection when you want the simplest setup with Cloud SSO integration. Choose reverse proxy if you need custom authentication, don't use Netdata Cloud, or require offline access.
+
+## Combining with Other Security Measures
+
+Bearer token protection can be combined with:
+
+- **TLS/SSL encryption**: Configure [TLS in Netdata](/docs/netdata-agent/configuration/securing-agents/web-server-reference#examples) for encrypted connections
+- **IP restrictions**: Add `allow connections from` to limit which IPs can even attempt to connect
+- **Firewall rules**: Block port 19999 from untrusted networks
+
+Example combining bearer token with IP restrictions:
+
+```ini
+[web]
+    bearer token protection = yes
+    allow connections from = 10.* 192.168.* localhost
+```
+
+## Troubleshooting
+
+**Users can't authenticate:**
+
+- Verify the Agent is claimed and connected to Cloud: Check `http://your-server:19999/api/v3/info` and inspect the `cloud` section. Use `cloud.status` to verify whether the agent is connected to Netdata Cloud, and if it is not `online`, inspect `cloud.reason` for the failure details
+- If needed, run `sudo netdatacli aclk-state` to diagnose the ACLK connection
+- Ensure users have access to the same Cloud Space as the Agent
+
+**Token expired errors:**
+
+- Tokens automatically renew when users have an active Cloud session
+- If tokens expire, users simply re-authenticate through Cloud
+
+**Want to disable temporarily:**
+
+```ini
+[web]
+    bearer token protection = no
+```
+
+Or via API (requires Admin/Manager role via Cloud):
+
+```
+POST /api/v3/bearer_protection
+```

docs/Netdata Agent/Configuration/Securing Agents/Running the Agent behind a reverse proxy/Apache.mdx

@@ -171,7 +171,7 @@ Repeat the operation for as many servers as you need.
 
 :::tip Simpler Alternative
 
-If you use Netdata Cloud, [Bearer Token Protection](https://github.com/netdata/netdata/blob/master/docs/netdata-agent/configuration/secure-your-netdata-agent-with-bearer-token.md) provides authentication with a single setting - no htpasswd files or Apache auth configuration needed.
+If you use Netdata Cloud, [Bearer Token Protection](/docs/netdata-agent/configuration/securing-agents/bearer-token-protection) provides authentication with a single setting - no htpasswd files or Apache auth configuration needed.
 
 :::
 

docs/Netdata Agent/Configuration/Securing Agents/Running the Agent behind a reverse proxy/Caddy.mdx

@@ -34,7 +34,7 @@ netdata.domain.tld {
 
 :::tip Simpler Alternative
 
-If you use Netdata Cloud, [Bearer Token Protection](https://github.com/netdata/netdata/blob/master/docs/netdata-agent/configuration/secure-your-netdata-agent-with-bearer-token.md) provides authentication with a single setting - no Caddy auth configuration needed.
+If you use Netdata Cloud, [Bearer Token Protection](/docs/netdata-agent/configuration/securing-agents/bearer-token-protection) provides authentication with a single setting - no Caddy auth configuration needed.
 
 :::
 

docs/Netdata Agent/Configuration/Securing Agents/Running the Agent behind a reverse proxy/H2O.mdx

@@ -114,7 +114,7 @@ necessary to specify inside the H2O configuration that the final destination is
 
 :::tip Simpler Alternative
 
-If you use Netdata Cloud, [Bearer Token Protection](https://github.com/netdata/netdata/blob/master/docs/netdata-agent/configuration/secure-your-netdata-agent-with-bearer-token.md) provides authentication with a single setting - no htpasswd files or H2O auth configuration needed.
+If you use Netdata Cloud, [Bearer Token Protection](/docs/netdata-agent/configuration/securing-agents/bearer-token-protection) provides authentication with a single setting - no htpasswd files or H2O auth configuration needed.
 
 :::
 

docs/Netdata Agent/Configuration/Securing Agents/Running the Agent behind a reverse proxy/HAProxy.mdx

@@ -172,7 +172,7 @@ backend netdata_backend
 
 :::tip Simpler Alternative
 
-If you use Netdata Cloud, [Bearer Token Protection](https://github.com/netdata/netdata/blob/master/docs/netdata-agent/configuration/secure-your-netdata-agent-with-bearer-token.md) provides authentication with a single setting - no HAProxy userlist configuration needed.
+If you use Netdata Cloud, [Bearer Token Protection](/docs/netdata-agent/configuration/securing-agents/bearer-token-protection) provides authentication with a single setting - no HAProxy userlist configuration needed.
 
 :::
 

docs/Netdata Agent/Configuration/Securing Agents/Running the Agent behind a reverse proxy/Lighttpd v1.4.x.mdx

@@ -43,7 +43,7 @@ Though if it's public facing, you might then want to put some authentication on
 
 :::tip Simpler Alternative
 
-If you use Netdata Cloud, [Bearer Token Protection](https://github.com/netdata/netdata/blob/master/docs/netdata-agent/configuration/secure-your-netdata-agent-with-bearer-token.md) provides authentication with a single setting - no htdigest files or lighttpd auth configuration needed.
+If you use Netdata Cloud, [Bearer Token Protection](/docs/netdata-agent/configuration/securing-agents/bearer-token-protection) provides authentication with a single setting - no htdigest files or lighttpd auth configuration needed.
 
 :::
 

docs/Netdata Agent/Configuration/Securing Agents/Running the Agent behind a reverse proxy/Nginx.mdx

@@ -191,7 +191,7 @@ If Nginx is not configured as described here, you will probably receive the erro
 
 :::tip Simpler Alternative
 
-If you use Netdata Cloud, [Bearer Token Protection](https://github.com/netdata/netdata/blob/master/docs/netdata-agent/configuration/secure-your-netdata-agent-with-bearer-token.md) provides authentication with a single setting - no htpasswd files or nginx auth configuration needed.
+If you use Netdata Cloud, [Bearer Token Protection](/docs/netdata-agent/configuration/securing-agents/bearer-token-protection) provides authentication with a single setting - no htpasswd files or nginx auth configuration needed.
 
 :::
 

docs/Netdata Agent/Configuration/Securing Agents/Running the Agent behind a reverse proxy/Running the Agent behind a reverse proxy.mdx

@@ -3,7 +3,7 @@ custom_edit_url: "https://github.com/netdata/netdata/edit/master/docs/netdata-ag
 sidebar_label: "Running the Agent behind a reverse proxy"
 learn_status: "Published"
 learn_rel_path: "Netdata Agent/Configuration/Securing Agents/Running the Agent behind a reverse proxy"
-sidebar_position: "20"
+sidebar_position: "30"
 learn_link: "https://learn.netdata.cloud/docs/netdata-agent/configuration/securing-agents/running-the-agent-behind-a-reverse-proxy"
 slug: "/netdata-agent/configuration/securing-agents/running-the-agent-behind-a-reverse-proxy"
 ---
@@ -12,7 +12,7 @@ slug: "/netdata-agent/configuration/securing-agents/running-the-agent-behind-a-r
 
 :::tip Simpler Alternative for Netdata Cloud Users
 
-If you use Netdata Cloud (free or paid), consider [Bearer Token Protection](https://github.com/netdata/netdata/blob/master/docs/netdata-agent/configuration/secure-your-netdata-agent-with-bearer-token.md) instead. With a single setting (`bearer token protection = yes`), you get:
+If you use Netdata Cloud (free or paid), consider [Bearer Token Protection](/docs/netdata-agent/configuration/securing-agents/bearer-token-protection) instead. With a single setting (`bearer token protection = yes`), you get:
 
 - **Cloud SSO authentication** - Users sign in through Netdata Cloud
 - **Role-based access** - Cloud roles apply to direct agent access