Multi-tenancy & Headers

DokStamp is a multi-tenant platform. Every resource — institutions, courses, students, certificates — is fully isolated within a tenant. There is no cross-tenant data access.

Required headers

All resource endpoints (everything except /auth/*) require these two headers:
Header         Required  Description
Authorization  Yes       Bearer {access_token}
Accept         Yes       application/json
X-Tenant       Yes       Your tenant identifier (provided by DokStamp)

Example

GET /certificates HTTP/1.1
Host: api.dokstamp.eu
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
Accept: application/json
X-Tenant: universidade-federal-example

Finding your tenant identifier

Your tenant identifier is configured when your account is created. You can retrieve it from:
  1. The DokStamp admin dashboard under Settings → API
  2. The response body of GET /auth/me:
{
  "data": {
    "id": 1,
    "name": "João Silva",
    "email": "joao@universidade.edu.br",
    "tenant": {
      "id": 42,
      "name": "Universidade Federal Example",
      "domain": "universidade-federal-example"
    }
  }
}
Use the tenant.domain value as your X-Tenant header.

Tenant isolation rules

  • Data created under one tenant is never visible to another tenant.
  • UUIDs are globally unique, but all read/write operations are filtered by tenant.
  • Attempting to access a resource that belongs to a different tenant returns 404 Not Found (not 403) — this prevents enumeration attacks.
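
The sketch below is an added example, not DokStamp's own code: it shows one way a server can get the behaviour in these rules, by making the tenant part of the lookup itself so that a cross-tenant ID and a nonexistent ID produce the same 404. The store, the handler, the GET /certificates/{id} route and the error body are assumptions made for illustration, and authentication is assumed to have happened before the handler runs.

```python
# Added illustration of tenant-scoped reads; all names here are hypothetical.
import uuid
from dataclasses import dataclass

@dataclass(frozen=True)
class Certificate:
    id: str        # globally unique UUID
    tenant: str    # tenant.domain the record was created under
    student: str

class TenantScopedStore:
    """In-memory stand-in for a database; every operation carries the tenant."""
    def __init__(self):
        self._rows = {}  # keyed by (tenant, id), so the tenant is part of the key

    def create(self, tenant, student):
        cert = Certificate(str(uuid.uuid4()), tenant, student)
        self._rows[(tenant, cert.id)] = cert
        return cert

    def get(self, tenant, cert_id):
        # One filtered lookup. There is no "fetch by id, then compare tenant"
        # step that could answer differently for another tenant's record.
        return self._rows.get((tenant, cert_id))

NOT_FOUND = (404, {"message": "Not Found"})  # constructed response body

def handle_get_certificate(store, headers, cert_id):
    """Return (status, body) for an assumed GET /certificates/{id} route."""
    tenant = headers.get("X-Tenant")
    cert = store.get(tenant, cert_id)
    if cert is None:
        return NOT_FOUND  # same answer for "missing" and "other tenant's"
    return 200, {"data": {"id": cert.id, "student": cert.student}}

def demo():
    store = TenantScopedStore()
    cert = store.create("universidade-federal-example", "João Silva")
    own = handle_get_certificate(
        store, {"X-Tenant": "universidade-federal-example"}, cert.id)
    cross = handle_get_certificate(store, {"X-Tenant": "other-tenant"}, cert.id)
    missing = handle_get_certificate(
        store, {"X-Tenant": "other-tenant"}, str(uuid.uuid4()))
    return own, cross, missing

if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

Because the cross-tenant and missing-ID responses are identical, a caller cannot use status codes to learn which UUIDs exist in other tenants.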

Multi-environment setup

If you have separate staging and production tenants, each will have its own domain and credentials. Keep them in separate environment configurations:
# .env.staging
ASSINAMOS_BASE_URL=https://api.dokstamp.eu
ASSINAMOS_TENANT=my-institution-staging
ASSINAMOS_TOKEN=eyJ...

# .env.production
ASSINAMOS_BASE_URL=https://api.dokstamp.eu
ASSINAMOS_TENANT=my-institution
ASSINAMOS_TOKEN=eyJ...