Skip to main content
This page explains how to:
  1. Create YOUR OWN proxy server that forwards requests to your Databrain backend
  2. Configure the proxy to validate requests and add authentication headers
Your proxy acts as a secure gateway between your frontend and the Databrain backend.
Proxy authentication lets you host a secure intermediary server that validates incoming requests and forwards them to your Databrain backend. This approach keeps your plugin tokens secure on your server, never exposing them to the client.
Enhanced Security: With proxy authentication, your frontend never handles plugin tokens. Your proxy validates requests and adds the required authentication before forwarding to Databrain.

How Proxy Authentication Works

1

Client Sends Request

Your frontend sends a request to your proxy server with the X-Proxy-Auth-Key: <your-secret-key> or X-Authorization: <your-secret-key> header for validation.
2

Proxy Validates Request

Your proxy validates the X-Proxy-Auth-Key: <your-secret-key> or X-Authorization: <your-secret-key> header. If invalid or missing, return an error response.
3

Proxy Forwards Request

Your proxy constructs the upstream URL, adds the X-Plugin-Token header, and forwards the request to your Databrain backend exactly as received.
4

Response Returned

Your proxy returns the Databrain backend response to the client exactly as received (status code, body, and headers).

What Your Proxy Must Do

Your proxy can be built on any backend: Node.js, Express, FastAPI, Python, Go, Lambda, Cloudflare Worker, etc. It must receive requests from your frontend and forward them to your Databrain backend exactly as-is, with required headers added.

1. Read the Incoming Request

Capture all parts of the incoming request:
  • Path
  • Query parameters
  • HTTP method
  • Headers
  • Body (JSON, text, or binary/raw)
Body must not be modified. Preserve the raw content if it’s binary (zip, pdf, excel, etc.) or text/JSON for other API calls.

2. Validate Proxy Authentication

Your proxy must read and validate either the X-Proxy-Auth-Key header or the X-Authorization header:
Or:
Compare with your stored secret value. If missing or invalid, return an error:
Return appropriate HTTP status (401 or 403).

3. Forward Request to Databrain Backend

Construct Upstream URL

Forward Original Method

Forward the exact HTTP method: GET, POST, PUT, PATCH, DELETE.

Forward Body Exactly

Do not modify the request payload in any way.

Required Upstream Headers

Send these headers to your Databrain backend:

4. Return Response Exactly

Return exactly what the Databrain backend returns:
  • Status code
  • Response body (binary or text, do not transform)
  • Response headers
Binary responses (zip, pdf, xlsx) must be forwarded as-is. Do not convert binary content to text.

About X-Plugin-Token

The X-Plugin-Token header authenticates your requests with the Databrain backend. You can provide this token in two ways:
  1. A saved token - Use a pre-generated guest token stored in your environment
  2. Generate on demand - Call the Databrain Guest Token API to generate tokens dynamically

Error Response Format

Every error your proxy returns should follow this format:
Examples:

Requirements Summary

  • Keep method, path, and query unchanged
  • Preserve body type: JSON, text, or binary
  • Pass all required headers (including Origin)
  • Add X-Plugin-Token header
  • Validate X-Proxy-Auth-Key or X-Authorization before forwarding
  • Use correct error format
  • Return upstream response exactly (status, body, headers)
  • Forward binary responses (zip, pdf, xlsx) as-is
  • Do not rewrite paths
  • Do not remove fields from body
  • Do not add custom fields to body
  • Do not modify query parameters
  • Do not transform the response

Implementation Examples

Frontend Configuration

Configure your frontend to send requests through your proxy server instead of directly to the Databrain backend.

Configuration Setup

TypeScript Users: You need to declare the global window.dbn type in your project:

Configuration Properties

Generate a strong, random key and store it securely. This key must match the one your proxy expects.

Environment Variables

Your proxy server requires these environment variables:

Security Best Practices

  • Use Strong Keys: Generate a cryptographically random proxy authentication key
  • Validate Every Request: Always verify the X-Proxy-Auth-Key header
  • HTTPS Only: Ensure your proxy endpoint is only accessible via HTTPS
  • Rotate Keys: Periodically rotate your proxy authentication keys
Add rate limiting to prevent abuse:
  • Limit requests per IP address
  • Limit requests per user/session
  • Implement exponential backoff for repeated failures
  • Log all proxy requests for audit purposes
  • Monitor for unusual traffic patterns
  • Set up alerts for authentication failures
  • Store GUEST_TOKEN securely in environment variables
  • Never expose tokens in client-side code
  • Consider generating tokens dynamically for enhanced security

Error Handling

Common Errors

Error: {"error": {"message": "missing or invalid X-Proxy-Auth-Key"}}Cause: The X-Proxy-Auth-Key header is missing or doesn’t match.Solution: Verify that window.dbn.proxyAuthKey matches your proxy’s PROXY_AUTH_KEY environment variable.
Error: {"error": {"message": "upstream fetch failed"}}Cause: Your proxy cannot reach the Databrain backend.Solution:
  • Verify SELFHOSTED_BACKEND_URL is correct
  • Check network connectivity from your proxy server
  • Verify firewall rules allow outbound connections
Error: {"error": {"message": "internal server error"}}Cause: An unexpected error occurred in your proxy.Solution: Check your proxy server logs for detailed error information.

Testing Your Proxy

Use curl to test your proxy endpoint:

Guest Token API

Learn about generating guest tokens for your proxy

Component Options

Explore all DataBrain component configuration options

Authentication Guide

Comprehensive guide to DataBrain authentication

Security Best Practices

Learn about multi-tenant access control and security