This guide walks you through the complete authentication flow for self-hosted Databrain instances. Follow these steps in order to set up your admin account and service tokens.
Step-by-Step Process
1. Create Admin Account (First Time Only)
If this is your first time setting up your self-hosted instance, create the initial admin account using the Create Admin Account endpoint.
What you need:
- Admin first name
- Admin email address
- Secure password (meets complexity requirements)
- Company name
What you get:
- An accessToken (JWT) that you can use for subsequent admin operations
This step is only needed once. If an admin account already exists, proceed to step 2.
2. Create Admin JWT (Sign In)
For existing admin accounts, sign in using the Create Admin JWT endpoint to receive an access token.
What you need:
- Admin email address
- Admin password
What you get:
- An accessToken (JWT) for authenticated admin operations
Send the token in an Authorization: Bearer <accessToken> header for admin-only endpoints.
3. Create Service Token
Once you have an admin access token, create a service token using the Create Service Token endpoint.
What you need:
- Admin accessToken from step 1 or 2 (in Authorization header)
- A UUID value for the service token
What you get:
- A serviceToken (UUID) that can be used for organization-level operations such as:
  - Creating Data App API tokens
  - Managing Data Apps
  - Export/import operations
4. Rotate Service Token (Optional)
Periodically rotate your service token for enhanced security using the Rotate Service Token endpoint.
What you need:
- Admin accessToken (in Authorization header)
- Current service token UUID
- Expiration grace period (in seconds)
What you get:
- A new serviceToken UUID
- The old token expires after the grace period
Use a grace period (e.g., 3600 seconds = 1 hour) to allow time for updating clients before the old token stops working.
5. Reset Admin Password (Optional)
Change your admin password using the Reset Admin Password endpoint.
What you need:
- Admin accessToken (in Authorization header)
- Current password
- New password (meets complexity requirements)
What you get:
- Confirmation that the password was changed successfully
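The five steps above, driven end to end as an added example (not Databrain's SDK or documentation code). The client takes an injected transport so the flow can be exercised offline against a constructed fake server; the endpoint paths (the `*_PATH` constants) and the JSON request field names are assumptions to be replaced with the ones in the API reference, and only the `accessToken` and `serviceToken` response fields come from this page.

```python
"""Drive the five-step admin flow through an injected HTTP transport.
Example code added to this page; it is not Databrain's SDK. The endpoint
paths (*_PATH) and the JSON request field names are assumptions: only the
accessToken and serviceToken response fields come from the page."""
import uuid
from typing import Any, Callable, Dict, List, Optional

# ASSUMED paths: placeholders, substitute the ones from the API reference.
ADMIN_ACCOUNT_PATH = "/api/admin/account"
ADMIN_JWT_PATH = "/api/admin/jwt"
SERVICE_TOKEN_PATH = "/api/admin/service-token"
ROTATE_PATH = "/api/admin/service-token/rotate"
RESET_PASSWORD_PATH = "/api/admin/password"

# A transport sends (method, path, headers, json_body) and returns decoded JSON.
Transport = Callable[[str, str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def bearer_header(access_token: str) -> Dict[str, str]:
    """Header every admin-only endpoint (steps 3-5) expects."""
    return {"Authorization": f"Bearer {access_token}"}


class DatabrainAdminAuth:
    def __init__(self, transport: Transport) -> None:
        self._send = transport
        self.access_token: Optional[str] = None

    # Step 1 (first time only): returns the admin accessToken (JWT).
    def create_admin_account(self, first_name: str, email: str,
                             password: str, company: str) -> str:
        body = {"firstName": first_name, "email": email,            # assumed
                "password": password, "companyName": company}       # field names
        self.access_token = self._send("POST", ADMIN_ACCOUNT_PATH, {}, body)["accessToken"]
        return self.access_token

    # Step 2: sign in an existing admin; returns a fresh accessToken.
    def create_admin_jwt(self, email: str, password: str) -> str:
        body = {"email": email, "password": password}
        self.access_token = self._send("POST", ADMIN_JWT_PATH, {}, body)["accessToken"]
        return self.access_token

    def _admin_headers(self) -> Dict[str, str]:
        if not self.access_token:
            raise RuntimeError("complete step 1 or 2 first: no admin accessToken")
        return bearer_header(self.access_token)

    # Step 3: the caller supplies the UUID value; a random v4 UUID is the safe default.
    def create_service_token(self, token_uuid: Optional[str] = None) -> str:
        token_uuid = token_uuid or str(uuid.uuid4())
        uuid.UUID(token_uuid)  # reject malformed values before they reach the server
        resp = self._send("POST", SERVICE_TOKEN_PATH, self._admin_headers(),
                          {"serviceToken": token_uuid})
        return resp["serviceToken"]

    # Step 4: the old token stays valid for grace_seconds so clients can be updated.
    def rotate_service_token(self, current_token: str, grace_seconds: int) -> str:
        if grace_seconds < 0:
            raise ValueError("grace period must be a non-negative number of seconds")
        resp = self._send("POST", ROTATE_PATH, self._admin_headers(),
                          {"serviceToken": current_token, "gracePeriodSeconds": grace_seconds})
        return resp["serviceToken"]

    # Step 5: per the Password Reset scenario, sign in again (step 2) afterwards.
    def reset_admin_password(self, current_password: str, new_password: str) -> bool:
        resp = self._send("POST", RESET_PASSWORD_PATH, self._admin_headers(),
                          {"currentPassword": current_password, "newPassword": new_password})
        self.access_token = None  # force a fresh JWT instead of reusing the old one
        return bool(resp.get("success"))


class FakeServer:
    """Constructed stand-in for a Databrain instance so the flow runs offline.
    It enforces the one rule the page states: steps 3-5 need a Bearer header."""
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []
        self._jwts = 0

    def __call__(self, method, path, headers, body):
        self.calls.append({"path": path, "headers": dict(headers), "body": body})
        if path in (ADMIN_ACCOUNT_PATH, ADMIN_JWT_PATH):
            self._jwts += 1
            return {"accessToken": f"fake.jwt.{self._jwts}"}
        if not headers.get("Authorization", "").startswith("Bearer fake.jwt."):
            raise PermissionError("401: admin accessToken required")
        if path in (SERVICE_TOKEN_PATH, ROTATE_PATH):
            # creation echoes the caller's UUID; rotation issues a new one
            token = body["serviceToken"] if path == SERVICE_TOKEN_PATH else str(uuid.uuid4())
            return {"serviceToken": token}
        return {"success": True}


def first_time_setup(transport: Transport, email: str, password: str) -> Dict[str, str]:
    """First-Time Setup scenario: account -> accessToken -> serviceToken."""
    client = DatabrainAdminAuth(transport)
    access = client.create_admin_account("Ada", email, password, "Example Co")
    service = client.create_service_token()
    return {"accessToken": access, "serviceToken": service}


if __name__ == "__main__":
    print(first_time_setup(FakeServer(), "admin@example.com", "Str0ng!Pass"))
```

Swapping `FakeServer` for a real transport (for example a thin wrapper around `requests.post` that returns `response.json()`) is the only change needed to run the same flow against an instance; the client never logs or persists the tokens it receives, which is left to the caller's secrets manager.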
Common Scenarios
First-Time Setup
Complete flow for new installations:
1. Create Admin Account → Get accessToken
2. Create Service Token → Get serviceToken
3. Use serviceToken for organization operations
Regular Sign-In
For existing admin accounts:
1. Create Admin JWT → Get accessToken
2. Use accessToken for admin operations
3. Create or rotate service tokens as needed
Token Rotation
For security best practices:
1. Create Admin JWT → Get accessToken
2. Rotate Service Token → Get new serviceToken
3. Update all clients with new serviceToken
4. Old token expires after grace period
Password Reset
When you need to change your password:
1. Create Admin JWT → Get accessToken
2. Reset Admin Password → Confirm change
3. Create Admin JWT again → Get new accessToken
Security Best Practices
Store Tokens Securely
- Never commit tokens to version control
- Use environment variables or secrets managers
- Rotate tokens regularly
Use Strong Passwords
- Minimum 8 characters
- Mix of uppercase, lowercase, digits, and special characters
- No spaces
Rotate Regularly
- Rotate service tokens every 6 months
- Use grace periods during rotation
- Update all clients before expiration
Monitor Access
- Track token usage
- Revoke compromised tokens immediately
- Use separate tokens for different environments
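The practices in this section turned into checks a deployment script can run, as an added example (not Databrain's own tooling): the password rules are the ones listed above, the rotation helper models the grace period from step 4, and tokens are read from per-environment variables instead of source. The `DATABRAIN_SERVICE_TOKEN_<ENV>` variable naming and the 182-day approximation of "every 6 months" are assumptions.

```python
"""Checks for the token-handling practices on this page. Added example code,
not part of Databrain; the policy constants encode the rules stated above.
Assumed: the DATABRAIN_SERVICE_TOKEN_<ENV> variable naming and 182 days ~ 6 months."""
import os
import re
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

_SPECIAL = re.compile(r"[^A-Za-z0-9\s]")  # anything that is not alphanumeric or whitespace
ROTATION_INTERVAL = timedelta(days=182)   # assumed approximation of "every 6 months"


def password_policy_errors(password: str) -> List[str]:
    """Return the rules from 'Use Strong Passwords' that the password violates.
    An empty list means the password passes all of them."""
    errors = []
    if len(password) < 8:
        errors.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        errors.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("no digit")
    if not _SPECIAL.search(password):
        errors.append("no special character")
    if any(c.isspace() for c in password):
        errors.append("contains whitespace")
    return errors


def load_service_token(environment: str, env: Optional[Dict[str, str]] = None) -> str:
    """Read the service token for one environment (dev, staging, prod, ...) from an
    environment variable so that each environment has its own token and none is
    committed to version control. `env` defaults to os.environ; tests pass a dict."""
    source = os.environ if env is None else env
    name = f"DATABRAIN_SERVICE_TOKEN_{environment.upper()}"
    value = source.get(name)
    if not value:
        raise KeyError(f"{name} is not set")
    uuid.UUID(value)  # service tokens are UUIDs; fail fast on a pasted-in mistake
    return value


class ServiceTokenRotation:
    """Models one rotation: the old token remains accepted for grace_seconds
    after rotation, then only the new token is valid."""

    def __init__(self, old_token: str, new_token: str,
                 rotated_at: datetime, grace_seconds: int) -> None:
        if grace_seconds < 0:
            raise ValueError("grace period must be non-negative")
        self.old_token = old_token
        self.new_token = new_token
        self.rotated_at = rotated_at
        self.old_expires_at = rotated_at + timedelta(seconds=grace_seconds)

    def accepts(self, token: str, now: datetime) -> bool:
        """Would a server that honours the grace period still accept this token?"""
        if token == self.new_token:
            return True
        if token == self.old_token:
            return now < self.old_expires_at
        return False  # unknown or revoked token

    def clients_must_update_by(self) -> datetime:
        """Deadline for rolling the new token out to every client."""
        return self.old_expires_at


def rotation_due(issued_at: datetime, now: datetime) -> bool:
    """True once a service token is older than the rotation interval."""
    return now - issued_at >= ROTATION_INTERVAL


if __name__ == "__main__":
    rotated = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    plan = ServiceTokenRotation("old-token", "new-token", rotated, 3600)
    print(password_policy_errors("weak"))
    print(plan.clients_must_update_by().isoformat())
```

`accepts` is the client-side mental model of what the server does during the grace period; use it in a pre-rotation check to confirm that every client will have been updated before `clients_must_update_by`, and pair `rotation_due` with the token's creation timestamp from your own records, since the page does not describe an endpoint that reports it.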
Related Documentation
- Create Admin Account – Create the first admin account
- Create Admin JWT – Sign in and get access token
- Create Service Token – Create organization service token
- Rotate Service Token – Rotate service token securely
- Reset Admin Password – Change admin password