# otlp_grpc

> For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [cloud-data-platform-full.txt](https://docs.redpanda.com/cloud-data-platform-full.txt)

---
title: otlp_grpc
latest-operator-version: v26.1.4
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
latest-redpanda-tag: v26.1.9
docname: connect/components/inputs/otlp_grpc
page-component-name: cloud-data-platform
page-version: master
page-component-version: master
page-component-title: Cloud
page-relative-src-path: connect/components/inputs/otlp_grpc.adoc
page-edit-url: https://github.com/redpanda-data/cloud-docs/edit/main/modules/develop/pages/connect/components/inputs/otlp_grpc.adoc
page-git-created-date: "2026-01-23"
page-git-modified-date: "2026-05-26"
---

<!-- Source: https://docs.redpanda.com/cloud-data-platform/develop/connect/components/inputs/otlp_grpc.md -->

**Type:** Input ▼

[Input](https://docs.redpanda.com/cloud-data-platform/develop/connect/components/inputs/otlp_grpc/)[Output](https://docs.redpanda.com/cloud-data-platform/develop/connect/components/outputs/otlp_grpc/)

**Available in:** Cloud, [Self-Managed](https://docs.redpanda.com/connect/components/inputs/otlp_grpc/%20%22View%20the%20Self-Managed%20version%20of%20this%20component%22)

Receive OpenTelemetry traces, logs, and metrics via OTLP/gRPC protocol.

Exposes an OpenTelemetry Collector gRPC receiver that accepts traces, logs, and metrics via gRPC.

Telemetry data is received in OTLP protobuf format and converted to individual Redpanda OTEL v1 protobuf messages. Each signal (span, log record, or metric) becomes a separate message with embedded Resource and Scope metadata, optimized for Kafka partitioning.

#### Common

```yml
inputs:
  label: ""
  otlp_grpc:
    encoding: json
    address: 0.0.0.0:4317
    rate_limit: ""
```

#### Advanced

```yml
inputs:
  label: ""
  otlp_grpc:
    encoding: json
    address: 0.0.0.0:4317
    tls:
      enabled: false
      cert_file: ""
      key_file: ""
    auth_token: ""
    max_recv_msg_size: 4194304
    rate_limit: ""
    tcp:
      reuse_addr: false
      reuse_port: false
    schema_registry:
      url: "" # No default (required)
      timeout: 5s
      tls:
        enabled: false
        skip_cert_verify: false
        enable_renegotiation: false
        root_cas: ""
        root_cas_file: ""
        client_certs: []
      oauth2:
        enabled: false
        client_key: ""
        client_secret: ""
        token_url: ""
        scopes: []
        endpoint_params: {}
      oauth:
        enabled: false
        consumer_key: ""
        consumer_secret: ""
        access_token: ""
        access_token_secret: ""
      basic_auth:
        enabled: false
        username: ""
        password: ""
      jwt:
        enabled: false
        private_key_file: ""
        signing_method: ""
        claims: {}
        headers: {}
      common_subject: ""
      trace_subject: ""
      log_subject: ""
      metric_subject: ""
```

## [](#protocols)Protocols

This input supports OTLP/gRPC on the default port 4317 using the standard OTLP protobuf format for all signal types (traces, logs, metrics).

## [](#output-format)Output format

Each OTLP export request is unbatched into individual messages:

-   **Traces**: One message per span

-   **Logs**: One message per log record

-   **Metrics**: One message per metric


Messages are encoded in Redpanda OTEL v1 protobuf format.

## [](#metadata)Metadata

This input adds the following metadata fields to each message:

-   `signal_type` - The signal type: "trace", "log", or "metric"


You can access these metadata fields using [function interpolation](https://docs.redpanda.com/cloud-data-platform/develop/connect/configuration/interpolation/#bloblang-queries).

## [](#authentication)Authentication

When `auth_token` is configured, clients must include the token in the gRPC metadata.

### [](#go-client-example)Go client example

```go
import (
    "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
)

exporter, err := otlptracegrpc.New(ctx,
    otlptracegrpc.WithEndpoint("localhost:4317"),
    otlptracegrpc.WithInsecure(), // or WithTLSCredentials() for TLS
    otlptracegrpc.WithHeaders(map[string]string{
        "authorization": "Bearer your-token-here",
    }),
)
```

### [](#environment-variable)Environment variable

```bash
export OTEL_EXPORTER_OTLP_HEADERS="authorization=Bearer your-token-here"
```

## [](#rate-limiting)Rate limiting

An optional rate limit resource can be specified to throttle incoming requests. When the rate limit is breached, requests will receive a ResourceExhausted gRPC status code.

## [](#fields)Fields

### [](#address)`address`

The address to listen on for gRPC connections.

**Type**: `string`

**Default**: `0.0.0.0:4317`

### [](#auth_token)`auth_token`

Optional bearer token for authentication. When set, requests must include 'authorization: Bearer <token>' metadata.

> ⚠️ **CAUTION**
>
> This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see [Manage Secrets](https://docs.redpanda.com/cloud-data-platform/develop/connect/configuration/secret-management/) before adding it to your configuration.

**Type**: `string`

**Default**: `""`

### [](#encoding)`encoding`

Encoding format for messages in the batch. Options: 'protobuf' or 'json'.

**Type**: `string`

**Default**: `json`

**Options**: `protobuf`, `json`

### [](#max_recv_msg_size)`max_recv_msg_size`

Maximum size of gRPC messages to receive in bytes.

**Type**: `int`

**Default**: `4194304`

### [](#rate_limit)`rate_limit`

An optional rate limit resource to throttle requests.

**Type**: `string`

**Default**: `""`

### [](#schema_registry)`schema_registry`

Optional Schema Registry configuration for adding Schema Registry wire format headers to messages.

**Type**: `object`

### [](#schema_registry-basic_auth)`schema_registry.basic_auth`

Allows you to specify basic authentication.

**Type**: `object`

### [](#schema_registry-basic_auth-enabled)`schema_registry.basic_auth.enabled`

Whether to use basic authentication in requests.

**Type**: `bool`

**Default**: `false`

### [](#schema_registry-basic_auth-password)`schema_registry.basic_auth.password`

A password to authenticate with.

> ⚠️ **CAUTION**
>
> This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see [Manage Secrets](https://docs.redpanda.com/cloud-data-platform/develop/connect/configuration/secret-management/) before adding it to your configuration.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-basic_auth-username)`schema_registry.basic_auth.username`

A username to authenticate as.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-common_subject)`schema_registry.common_subject`

Schema subject name for the common protobuf schema. Only used when encoding is 'protobuf'. Defaults to 'redpanda-otel-common' for protobuf encoding or 'redpanda-otel-common-json' for JSON encoding.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-jwt)`schema_registry.jwt`

Beta

Allows you to specify JWT authentication.

**Type**: `object`

### [](#schema_registry-jwt-claims)`schema_registry.jwt.claims`

A value used to identify the claims that issued the JWT.

**Type**: `object`

**Default**: `{}`

### [](#schema_registry-jwt-enabled)`schema_registry.jwt.enabled`

Whether to use JWT authentication in requests.

**Type**: `bool`

**Default**: `false`

### [](#schema_registry-jwt-headers)`schema_registry.jwt.headers`

Add optional key/value headers to the JWT.

**Type**: `object`

**Default**: `{}`

### [](#schema_registry-jwt-private_key_file)`schema_registry.jwt.private_key_file`

A file with the PEM encoded via PKCS1 or PKCS8 as private key.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-jwt-signing_method)`schema_registry.jwt.signing_method`

A method used to sign the token such as RS256, RS384, RS512 or EdDSA.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-log_subject)`schema_registry.log_subject`

Schema subject name for log data. Defaults to 'redpanda-otel-logs' for protobuf encoding or 'redpanda-otel-logs-json' for JSON encoding.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-metric_subject)`schema_registry.metric_subject`

Schema subject name for metric data. Defaults to 'redpanda-otel-metrics' for protobuf encoding or 'redpanda-otel-metrics-json' for JSON encoding.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-oauth)`schema_registry.oauth`

Allows you to specify open authentication via OAuth version 1.

**Type**: `object`

### [](#schema_registry-oauth-access_token)`schema_registry.oauth.access_token`

A value used to gain access to the protected resources on behalf of the user.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-oauth-access_token_secret)`schema_registry.oauth.access_token_secret`

A secret provided in order to establish ownership of a given access token.

> ⚠️ **CAUTION**
>
> This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see [Manage Secrets](https://docs.redpanda.com/cloud-data-platform/develop/connect/configuration/secret-management/) before adding it to your configuration.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-oauth-consumer_key)`schema_registry.oauth.consumer_key`

A value used to identify the client to the service provider.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-oauth-consumer_secret)`schema_registry.oauth.consumer_secret`

A secret used to establish ownership of the consumer key.

> ⚠️ **CAUTION**
>
> This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see [Manage Secrets](https://docs.redpanda.com/cloud-data-platform/develop/connect/configuration/secret-management/) before adding it to your configuration.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-oauth-enabled)`schema_registry.oauth.enabled`

Whether to use OAuth version 1 in requests.

**Type**: `bool`

**Default**: `false`

### [](#schema_registry-oauth2)`schema_registry.oauth2`

Allows you to specify open authentication via OAuth version 2 using the client credentials token flow.

**Type**: `object`

### [](#schema_registry-oauth2-client_key)`schema_registry.oauth2.client_key`

A value used to identify the client to the token provider.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-oauth2-client_secret)`schema_registry.oauth2.client_secret`

A secret used to establish ownership of the client key.

> ⚠️ **CAUTION**
>
> This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see [Manage Secrets](https://docs.redpanda.com/cloud-data-platform/develop/connect/configuration/secret-management/) before adding it to your configuration.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-oauth2-enabled)`schema_registry.oauth2.enabled`

Whether to use OAuth version 2 in requests.

**Type**: `bool`

**Default**: `false`

### [](#schema_registry-oauth2-endpoint_params)`schema_registry.oauth2.endpoint_params`

A list of optional endpoint parameters, values should be arrays of strings.

**Type**: `object`

**Default**: `{}`

```yaml
# Examples:
endpoint_params:
  audience:
    - https://example.com
  resource:
    - https://api.example.com
```

### [](#schema_registry-oauth2-scopes)`schema_registry.oauth2.scopes[]`

A list of optional requested permissions.

**Type**: `array`

**Default**: `[]`

### [](#schema_registry-oauth2-token_url)`schema_registry.oauth2.token_url`

The URL of the token provider.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-timeout)`schema_registry.timeout`

HTTP client timeout for Schema Registry requests.

**Type**: `string`

**Default**: `5s`

### [](#schema_registry-tls)`schema_registry.tls`

Custom TLS settings can be used to override system defaults.

**Type**: `object`

### [](#schema_registry-tls-client_certs)`schema_registry.tls.client_certs[]`

A list of client certificates to use. For each certificate either the fields `cert` and `key`, or `cert_file` and `key_file` should be specified, but not both.

**Type**: `object`

**Default**: `[]`

```yaml
# Examples:
client_certs:
  - cert: foo
    key: bar

# ---

client_certs:
  - cert_file: ./example.pem
    key_file: ./example.key
```

### [](#schema_registry-tls-client_certs-cert)`schema_registry.tls.client_certs[].cert`

A plain text certificate to use.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-tls-client_certs-cert_file)`schema_registry.tls.client_certs[].cert_file`

The path of a certificate to use.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-tls-client_certs-key)`schema_registry.tls.client_certs[].key`

A plain text certificate key to use.

> ⚠️ **CAUTION**
>
> This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see [Manage Secrets](https://docs.redpanda.com/cloud-data-platform/develop/connect/configuration/secret-management/) before adding it to your configuration.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-tls-client_certs-key_file)`schema_registry.tls.client_certs[].key_file`

The path of a certificate key to use.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-tls-client_certs-password)`schema_registry.tls.client_certs[].password`

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete `pbeWithMD5AndDES-CBC` algorithm is not supported for the PKCS#8 format.

Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

> ⚠️ **CAUTION**
>
> This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see [Manage Secrets](https://docs.redpanda.com/cloud-data-platform/develop/connect/configuration/secret-management/) before adding it to your configuration.

**Type**: `string`

**Default**: `""`

```yaml
# Examples:
password: foo

# ---

password: ${KEY_PASSWORD}
```

### [](#schema_registry-tls-enable_renegotiation)`schema_registry.tls.enable_renegotiation`

Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you’re seeing the error message `local error: tls: no renegotiation`.

**Type**: `bool`

**Default**: `false`

### [](#schema_registry-tls-enabled)`schema_registry.tls.enabled`

Whether custom TLS settings are enabled.

**Type**: `bool`

**Default**: `false`

### [](#schema_registry-tls-root_cas)`schema_registry.tls.root_cas`

An optional root certificate authority to use. This is a string, representing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.

> ⚠️ **CAUTION**
>
> This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see [Manage Secrets](https://docs.redpanda.com/cloud-data-platform/develop/connect/configuration/secret-management/) before adding it to your configuration.

**Type**: `string`

**Default**: `""`

```yaml
# Examples:
root_cas: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
```

### [](#schema_registry-tls-root_cas_file)`schema_registry.tls.root_cas_file`

An optional path of a root certificate authority file to use. This is a file, often with a .pem extension, containing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.

**Type**: `string`

**Default**: `""`

```yaml
# Examples:
root_cas_file: ./root_cas.pem
```

### [](#schema_registry-tls-skip_cert_verify)`schema_registry.tls.skip_cert_verify`

Whether to skip server side certificate verification.

**Type**: `bool`

**Default**: `false`

### [](#schema_registry-trace_subject)`schema_registry.trace_subject`

Schema subject name for trace data. Defaults to 'redpanda-otel-traces' for protobuf encoding or 'redpanda-otel-traces-json' for JSON encoding.

**Type**: `string`

**Default**: `""`

### [](#schema_registry-url)`schema_registry.url`

Schema Registry URL for schema operations.

**Type**: `string`

```yaml
# Examples:
url: http://localhost:8081
```

### [](#tcp)`tcp`

TCP listener socket configuration.

**Type**: `object`

### [](#tcp-reuse_addr)`tcp.reuse_addr`

Enable SO\_REUSEADDR, allowing binding to ports in TIME\_WAIT state. Useful for graceful restarts and config reloads where the server needs to rebind to the same port immediately after shutdown.

**Type**: `bool`

**Default**: `false`

### [](#tcp-reuse_port)`tcp.reuse_port`

Enable SO\_REUSEPORT, allowing multiple sockets to bind to the same port for load balancing across multiple processes/threads.

**Type**: `bool`

**Default**: `false`

### [](#tls)`tls`

TLS configuration for gRPC.

**Type**: `object`

### [](#tls-cert_file)`tls.cert_file`

Path to the TLS certificate file.

**Type**: `string`

**Default**: `""`

### [](#tls-enabled)`tls.enabled`

Enable TLS connections.

**Type**: `bool`

**Default**: `false`

### [](#tls-key_file)`tls.key_file`

Path to the TLS key file.

**Type**: `string`

**Default**: `""`