> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dokstamp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Multi-tenancy & Headers

> Every API resource is scoped to a tenant. Learn how to pass your tenant identifier.

# Multi-tenancy & Headers

DokStamp is a **multi-tenant** platform. Every resource — institutions, courses, students, certificates — is fully isolated within a tenant. There is no cross-tenant data access.

***

## Required headers

All resource endpoints (everything except `/oauth/token` and `/auth/*`) require these headers:

| Header          | Required | Description                                   |
| --------------- | -------- | --------------------------------------------- |
| `Authorization` | Yes      | `Bearer {access_token}`                       |
| `Accept`        | Yes      | `application/json`                            |
| `X-Tenant`      | Yes      | Your tenant identifier (provided by DokStamp) |

### Example

```http theme={null}
GET /certificates HTTP/1.1
Host: api.dokstamp.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
Accept: application/json
X-Tenant: universidade-federal-example
```

***

## Finding your tenant identifier

Your tenant identifier is provided when your account is created. You can also retrieve it from the response body of `GET /auth/me`:

```json theme={null}
{
  "data": {
    "uuid": "550e8400-e29b-41d4-a716-446655440000",
    "name": "João Silva",
    "email": "joao@universidade.edu.br",
    "tenant": {
      "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "name": "Universidade Federal Example",
      "domain": "universidade-federal-example"
    }
  }
}
```

Use the `tenant.domain` value as your `X-Tenant` header.

***

## Tenant isolation rules

* Data created under one tenant is **never visible** to another tenant.
* UUIDs are globally unique, but all read/write operations are filtered by tenant.
* Attempting to access a resource that belongs to a different tenant returns `404 Not Found` (not `403`) — this prevents enumeration attacks.
