docs: add HyperDX RUM configuration guide

content/docs/configuration/dotenv.mdx

@@ -345,6 +345,83 @@ Note:
 
 Note: `DEBUG_CONSOLE` is not recommended, as the outputs can be quite verbose, and so it's disabled by default.
 
+### Real User Monitoring (Browser)
+
+Browser-side Real User Monitoring (RUM) can send frontend performance and interaction telemetry to HyperDX. RUM is disabled by default. See [Real User Monitoring](/docs/configuration/rum) for setup guidance, authentication modes, trace propagation, and privacy controls.
+
+<OptionTable
+  options={[
+    ['RUM_ENABLED', 'boolean', 'Enable browser Real User Monitoring.', 'RUM_ENABLED=false'],
+    [
+      'RUM_PROVIDER',
+      'string',
+      'RUM provider. Currently supports `hyperdx`.',
+      'RUM_PROVIDER=hyperdx',
+    ],
+    [
+      'RUM_URL',
+      'string',
+      'OTLP HTTP ingest URL for browser telemetry.',
+      'RUM_URL=http://localhost:4318',
+    ],
+    [
+      'RUM_SERVICE_NAME',
+      'string',
+      'Service name attached to browser telemetry.',
+      'RUM_SERVICE_NAME=librechat-web',
+    ],
+    [
+      'RUM_ENVIRONMENT',
+      'string',
+      'Environment name attached to browser telemetry.',
+      'RUM_ENVIRONMENT=production',
+    ],
+    [
+      'RUM_AUTH_MODE',
+      'string',
+      'Authentication mode for browser telemetry: `publicToken` or `userJwt`.',
+      'RUM_AUTH_MODE=publicToken',
+    ],
+    [
+      'RUM_PUBLIC_TOKEN',
+      'string',
+      'Browser-safe ingest token used when `RUM_AUTH_MODE=publicToken`.',
+      'RUM_PUBLIC_TOKEN=your-browser-ingest-token',
+    ],
+    [
+      'RUM_AUTH_HEADER_SCHEME',
+      'string',
+      'Authorization header scheme used with `userJwt` mode.',
+      'RUM_AUTH_HEADER_SCHEME=Bearer',
+    ],
+    [
+      'RUM_TRACE_PROPAGATION_TARGETS',
+      'string',
+      'Comma-separated first-party HTTPS origins or URL prefixes that should receive browser trace context headers.',
+      'RUM_TRACE_PROPAGATION_TARGETS=https://api.example.com',
+    ],
+    ['RUM_DISABLE_REPLAY', 'boolean', 'Disable session replay capture.', 'RUM_DISABLE_REPLAY=true'],
+    [
+      'RUM_CONSOLE_CAPTURE',
+      'boolean',
+      'Enable browser console capture. Disabled by default.',
+      'RUM_CONSOLE_CAPTURE=false',
+    ],
+    [
+      'RUM_ADVANCED_NETWORK_CAPTURE',
+      'boolean',
+      'Enable advanced network capture. Disabled by default.',
+      'RUM_ADVANCED_NETWORK_CAPTURE=false',
+    ],
+    [
+      'RUM_SAMPLE_RATE',
+      'number',
+      'Client-side RUM sample rate between 0 and 1.',
+      'RUM_SAMPLE_RATE=1',
+    ],
+  ]}
+/>
+
 ### Permission
 
 > UID and GID are numbers assigned by Linux to each user and group on the system. If you have permission problems, set here the UID and GID of the user running the Docker Compose command. The applications in the container will run with these UID/GID.

content/docs/configuration/meta.json

@@ -20,6 +20,7 @@
     "mod_system",
     "langfuse",
     "logging",
+    "rum",
     "metrics",
     "meilisearch",
     "---UI---",

content/docs/configuration/rum.mdx

@@ -0,0 +1,161 @@
+---
+title: Real User Monitoring
+icon: Activity
+description: Configure browser-side real user monitoring for LibreChat.
+---
+
+Real User Monitoring (RUM) sends browser performance and interaction telemetry to an observability backend. LibreChat supports HyperDX through the browser startup configuration served by the API.
+
+RUM is disabled by default. Enable it only after you have chosen an ingest endpoint and authentication mode.
+
+## HyperDX Setup
+
+For a local HyperDX collector, use:
+
+```bash filename=".env"
+RUM_ENABLED=true
+RUM_PROVIDER=hyperdx
+RUM_URL=http://localhost:4318
+RUM_SERVICE_NAME=librechat-web
+RUM_ENVIRONMENT=development
+RUM_AUTH_MODE=publicToken
+RUM_PUBLIC_TOKEN=local-dev-token
+```
+
+For hosted or production collectors, use an HTTPS collector URL:
+
+```bash filename=".env"
+RUM_ENABLED=true
+RUM_PROVIDER=hyperdx
+RUM_URL=https://rum.example.com/v1/traces
+RUM_SERVICE_NAME=librechat-web
+RUM_ENVIRONMENT=production
+```
+
+## Authentication Modes
+
+### Public Token
+
+Use `publicToken` when your collector expects a browser-safe ingest token:
+
+```bash filename=".env"
+RUM_AUTH_MODE=publicToken
+RUM_PUBLIC_TOKEN=your-browser-ingest-token
+```
+
+This is the easiest mode for OSS deployments because it does not depend on LibreChat user authentication.
+
+### User JWT
+
+Use `userJwt` when your collector is behind infrastructure that accepts the current LibreChat user JWT:
+
+```bash filename=".env"
+RUM_AUTH_MODE=userJwt
+RUM_AUTH_HEADER_SCHEME=Bearer
+RUM_URL=https://rum.example.com/otlp/v1/traces
+```
+
+When `userJwt` is used, LibreChat only returns the RUM config to authenticated users. The active LibreChat user JWT is attached only to requests sent to the configured `RUM_URL`, so use this mode only with a trusted HTTPS collector endpoint that will not log or expose authorization headers.
+
+## Trace Propagation
+
+You can opt in to browser trace context propagation for your own first-party HTTPS services:
+
+```bash filename=".env"
+RUM_TRACE_PROPAGATION_TARGETS=https://api.example.com,https://gateway.example.com
+```
+
+Only add services you operate or explicitly trust. LibreChat ignores wildcard and non-HTTPS entries, but otherwise treats `RUM_TRACE_PROPAGATION_TARGETS` as an explicit allowlist.
+
+## Privacy Controls
+
+RUM uses conservative defaults:
+
+- Session replay is disabled by default.
+- Console capture is disabled by default.
+- Advanced network capture is disabled by default.
+- User attributes avoid names, emails, prompts, and message content.
+
+You can override these defaults if your deployment has appropriate consent and data-handling controls:
+
+```bash filename=".env"
+RUM_DISABLE_REPLAY=true
+RUM_CONSOLE_CAPTURE=false
+RUM_ADVANCED_NETWORK_CAPTURE=false
+RUM_SAMPLE_RATE=1
+```
+
+## Environment Variables
+
+<OptionTable
+  options={[
+    ['RUM_ENABLED', 'boolean', 'Enable browser Real User Monitoring.', 'RUM_ENABLED=false'],
+    [
+      'RUM_PROVIDER',
+      'string',
+      'RUM provider. Currently supports `hyperdx`.',
+      'RUM_PROVIDER=hyperdx',
+    ],
+    [
+      'RUM_URL',
+      'string',
+      'OTLP HTTP ingest URL for browser telemetry.',
+      'RUM_URL=http://localhost:4318',
+    ],
+    [
+      'RUM_SERVICE_NAME',
+      'string',
+      'Service name attached to browser telemetry.',
+      'RUM_SERVICE_NAME=librechat-web',
+    ],
+    [
+      'RUM_ENVIRONMENT',
+      'string',
+      'Environment name attached to browser telemetry.',
+      'RUM_ENVIRONMENT=production',
+    ],
+    [
+      'RUM_AUTH_MODE',
+      'string',
+      'Authentication mode for browser telemetry: `publicToken` or `userJwt`.',
+      'RUM_AUTH_MODE=publicToken',
+    ],
+    [
+      'RUM_PUBLIC_TOKEN',
+      'string',
+      'Browser-safe ingest token used when `RUM_AUTH_MODE=publicToken`.',
+      'RUM_PUBLIC_TOKEN=your-browser-ingest-token',
+    ],
+    [
+      'RUM_AUTH_HEADER_SCHEME',
+      'string',
+      'Authorization header scheme used with `userJwt` mode.',
+      'RUM_AUTH_HEADER_SCHEME=Bearer',
+    ],
+    [
+      'RUM_TRACE_PROPAGATION_TARGETS',
+      'string',
+      'Comma-separated first-party HTTPS origins or URL prefixes that should receive browser trace context headers.',
+      'RUM_TRACE_PROPAGATION_TARGETS=https://api.example.com',
+    ],
+    ['RUM_DISABLE_REPLAY', 'boolean', 'Disable session replay capture.', 'RUM_DISABLE_REPLAY=true'],
+    [
+      'RUM_CONSOLE_CAPTURE',
+      'boolean',
+      'Enable browser console capture. Disabled by default.',
+      'RUM_CONSOLE_CAPTURE=false',
+    ],
+    [
+      'RUM_ADVANCED_NETWORK_CAPTURE',
+      'boolean',
+      'Enable advanced network capture. Disabled by default.',
+      'RUM_ADVANCED_NETWORK_CAPTURE=false',
+    ],
+    [
+      'RUM_SAMPLE_RATE',
+      'number',
+      'Client-side RUM sample rate between 0 and 1.',
+      'RUM_SAMPLE_RATE=1',
+    ],
+  ]}
+/>