X-Bunker-Token header. Databunker Pro has a small hierarchy of credential types, each scoped to a different level of access. This page is the single reference for all of them.
Request headers
| Header | Required | Purpose |
|---|---|---|
X-Bunker-Token | Yes (for authenticated endpoints) | The access credential — any of the token types below |
X-Bunker-Tenant | No | Selects the tenant by name in multi-tenant deployments |
X-Bunker-Tenant is omitted, Databunker Pro derives the tenant from the subdomain of the request host (acme.databunker.example.com → tenant acme). Requests to localhost or a bare host resolve to the default tenant.
Credential hierarchy
| Credential | Token type | Obtained via | Expiry |
|---|---|---|---|
| Root token | root | Interactive setup or unattended install | Never |
| Tenant access token | root (tenant-scoped) | TenantCreate | Never |
| Role xtoken | role | XTokenCreateForRole | Default 10 minutes; capped by max_xtoken_retention_period |
| User login xtoken | login | XTokenCreateForUser | Default 10 minutes; capped by max_xtoken_retention_period |
| Bulk-unlock UUID | request gate | BulkListUnlock | 60 seconds |
Root token
The highest-privilege credential of the deployment, created once at installation:- Interactive setup — shown once on the setup completion screen. See Generate admin credentials.
- Unattended install — returned by the
/autoinstallendpoint, which is enabled only while theDATABUNKER_SETUPKEYenvironment variable is set. See Unattended installation.
Tenant access token
In multi-tenant deployments,TenantCreate returns an xtoken — the tenant administrator’s credential. It behaves like a root token scoped to that tenant:
X-Bunker-Token, together with X-Bunker-Tenant: acme (or the tenant subdomain). See Multi-tenancy.
Role xtoken
Scoped service credentials governed by access-control policies. Setup is three calls:finaltime the xtoken expires after 10 minutes. A supplied finaltime is capped by the max_xtoken_retention_period configuration policy.
User login xtoken
A short-lived credential that lets an end user act on their own record only (e.g. from the user privacy portal):max_xtoken_retention_period.
For safety, a login xtoken cannot invoke
UserDelete, UserUpdate, UserPatch, AppdataUpdate, or AgreementCancel on its own record — these self-service operations must go through an admin or a user request workflow with approval.Bulk-unlock UUID
Bulk read and delete operations are denied by default — an admin token alone is not enough. You must first obtain a short-lived unlock UUID, then pass it with the bulk call:BulkList*, BulkDeleteTokens, UserSearch, and the cross-tenant System* lookups. See Select security for the design rationale.
Endpoint permission levels
- Public endpoints — no token required:
UserPrelogin,UserLogin,CaptchaCreate,SharedRecordGet,TenantGetUIConf. Calls to these are not written to the audit trail. - Authenticated endpoints — everything else requires
X-Bunker-Tokenand passes policy evaluation: root tokens bypass policy checks, role xtokens are evaluated against their linked policies, and login xtokens are restricted to the user’s own record. - Main-tenant-only endpoints — denied to sub-tenant admins even with a valid tenant token:
RoleCreate,RoleUpdate,PolicyCreate,PolicyUpdate,TenantListTenants,SystemGenerateWrappingKey, and all cross-tenantSystem*operations.
403 with {"status":"error","message":"Access denied"} — see Errors.