Skip to main content
The browser-based setup is the easiest way to install Databunker Pro by hand. For automated, repeatable deployments — CI/CD pipelines, infrastructure-as-code, container orchestration — Databunker Pro exposes a POST /autoinstall endpoint that performs the same first-time setup without a browser. This guide shows how to complete the install programmatically and capture the generated credentials.

Before you start

  • Databunker Pro deployed (see Docker Compose or Kubernetes / Helm).
  • The DATABUNKER_SETUPKEY environment variable set on the Databunker Pro container — this enables the /autoinstall endpoint (details below).
  • A reachable database. If you use a dedicated / managed database (e.g. AWS RDS), create the databunkerdb database and roles first — see Using an external database.
  • (Optional) a Databunker Pro license key. Without one, Databunker Pro runs in Trial mode.

How it works

Unattended installation is three HTTP calls against the Databunker Pro service:
  1. GET /status — wait until the service is up.
  2. GET /dbstatus — check whether setup is still required ({"installed": false}).
  3. POST /autoinstall — perform the setup and return the credentials.
Setup endpoints are ephemeral. While the vault is not yet installed, Databunker Pro runs a small setup server that hosts /dbstatus, /setup, and /autoinstall. As soon as setup completes, that server shuts down and the container restarts in normal operational mode — where only the regular API (/status, /v2/*) is served and /dbstatus returns 404. That 404 is expected: it means the vault is already installed. (/dbstatus only ever returns a boolean installed flag — no sensitive data.)
Because of this, make your installer idempotent: run /autoinstall only when /dbstatus explicitly returns installed: false. Treat a 404, a connection error, or any other response as “already installed — skip.”

Enable the setup endpoint

The /autoinstall endpoint is only available when a setup key is configured. Set DATABUNKER_SETUPKEY (and the persistent DATABUNKER_WRAPPINGKEY) in the container environment before starting Databunker Pro — for Docker Compose, in .env/databunker.env:
DATABUNKER_WRAPPINGKEY=<48-hex-character master key>
DATABUNKER_SETUPKEY=<a long random secret>
Treat DATABUNKER_SETUPKEY as a credential — anyone who can reach the service with it can initialise the vault. Use a long random value, keep it in your secrets manager, and restrict network access to the service during setup.

Run the unattended install

1

Wait until Databunker Pro is ready

Poll GET /status until it returns 200 OK:
until curl -fsS http://localhost:3000/status >/dev/null; do sleep 2; done
2

Check whether setup is required

curl -s http://localhost:3000/dbstatus
Only {"status":"ok","installed":false} means setup is needed. Any other outcome — installed: true, a 404 (the setup server has already shut down), or a connection error — means the vault is already installed, so skip /autoinstall.
3

Run autoinstall

Send the setup key (and optional license key) as form fields:
SETUPKEY=$(grep '^DATABUNKER_SETUPKEY=' .env/databunker.env | cut -d= -f2-)

curl -s -X POST http://localhost:3000/autoinstall \
  --data-urlencode "setupkey=$SETUPKEY" \
  --data-urlencode "licensekey=$LICENSEKEY"   # optional; omit for Trial mode
Use --data-urlencode (not -d): license keys are base64 and may contain + or /, which -d would corrupt.
4

Save the generated credentials

On success the response contains the vault credentials:
{
  "status": "ok",
  "root_token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "wrapping_key": "...",
  "shamir_keys": ["...", "...", "...", "...", "..."]
}
Store all of these in your secrets manager immediately.
These secrets are shown once and cannot be retrieved again. The root_token is your admin credential — you pass it as the X-Bunker-Token header on every administrative API call. Losing it means re-installing.

Verify

The setup server restarts the container in normal mode. Confirm it is serving, then use the root token for API calls:
curl -fsS http://localhost:3000/status
curl -s -X POST http://localhost:3000/v2/SystemGetSystemStats \
  -H "X-Bunker-Token: $ROOT_TOKEN"

Using an external database

The bundled Docker Compose project provisions the databunkerdb database and its roles automatically. When you point Databunker Pro at a dedicated / managed database (AWS RDS, Cloud SQL, Azure Database), create them yourself first — connect as the database master user and run:
CREATE ROLE bunkeruser NOSUPERUSER LOGIN PASSWORD '<password>';
CREATE ROLE mtenant NOSUPERUSER NOLOGIN;
CREATE ROLE madmin BYPASSRLS NOSUPERUSER NOLOGIN;
CREATE DATABASE databunkerdb OWNER bunkeruser;
-- then, connected to databunkerdb:
GRANT ALL ON SCHEMA public TO bunkeruser;
GRANT mtenant TO bunkeruser;
GRANT madmin TO bunkeruser;
Point the container at the database with the PGSQL_HOST, PGSQL_USER_NAME, PGSQL_USER_PASS, and PGSQL_SSL_MODE environment variables, then run the unattended install as above.
If you run multiple Databunker Pro instances against one shared database, they must all use the same DATABUNKER_WRAPPINGKEY (only one instance runs /autoinstall; the others start against the already-installed database). The wrapping key must persist across restarts, or the vault cannot be reopened.

Next steps