This page explains how to:
- Create YOUR OWN proxy server that forwards requests to your Databrain backend
- Configure the proxy to validate requests and add authentication headers
Enhanced Security: With proxy authentication, your frontend never handles plugin tokens. Your proxy validates requests and adds the required authentication before forwarding to Databrain.
How Proxy Authentication Works
1
Client Sends Request
Your frontend sends a request to your proxy server with the
X-Proxy-Auth-Key: <your-secret-key> or X-Authorization: <your-secret-key> header for validation.2
Proxy Validates Request
Your proxy validates the
X-Proxy-Auth-Key: <your-secret-key> or X-Authorization: <your-secret-key> header. If invalid or missing, return an error response.3
Proxy Forwards Request
Your proxy constructs the upstream URL, adds the
X-Plugin-Token header, and forwards the request to your Databrain backend exactly as received.4
Response Returned
Your proxy returns the Databrain backend response to the client exactly as received (status code, body, and headers).
What Your Proxy Must Do
Your proxy can be built on any backend: Node.js, Express, FastAPI, Python, Go, Lambda, Cloudflare Worker, etc. It must receive requests from your frontend and forward them to your Databrain backend exactly as-is, with required headers added.1. Read the Incoming Request
Capture all parts of the incoming request:- Path
- Query parameters
- HTTP method
- Headers
- Body (JSON, text, or binary/raw)
2. Validate Proxy Authentication
Your proxy must read and validate either theX-Proxy-Auth-Key header or the X-Authorization header:
3. Forward Request to Databrain Backend
Construct Upstream URL
Forward Original Method
Forward the exact HTTP method: GET, POST, PUT, PATCH, DELETE.Forward Body Exactly
Do not modify the request payload in any way.Required Upstream Headers
Send these headers to your Databrain backend:4. Return Response Exactly
Return exactly what the Databrain backend returns:- Status code
- Response body (binary or text, do not transform)
- Response headers
Binary responses (zip, pdf, xlsx) must be forwarded as-is. Do not convert binary content to text.
About X-Plugin-Token
TheX-Plugin-Token header authenticates your requests with the Databrain backend. You can provide this token in two ways:
- A saved token - Use a pre-generated guest token stored in your environment
- Generate on demand - Call the Databrain Guest Token API to generate tokens dynamically
Error Response Format
Every error your proxy returns should follow this format:Requirements Summary
Things Your Proxy MUST Do
Things Your Proxy MUST Do
- Keep method, path, and query unchanged
- Preserve body type: JSON, text, or binary
- Pass all required headers (including
Origin) - Add
X-Plugin-Tokenheader - Validate
X-Proxy-Auth-KeyorX-Authorizationbefore forwarding - Use correct error format
- Return upstream response exactly (status, body, headers)
- Forward binary responses (zip, pdf, xlsx) as-is
Things Your Proxy Must NOT Do
Things Your Proxy Must NOT Do
- Do not rewrite paths
- Do not remove fields from body
- Do not add custom fields to body
- Do not modify query parameters
- Do not transform the response
Implementation Examples
- Node.js/Express
- Python/FastAPI
- Python/Flask
- Java/Spring Boot
- Go
Frontend Configuration
Configure your frontend to send requests through your proxy server instead of directly to the Databrain backend.Configuration Setup
Configuration Properties
Environment Variables
Your proxy server requires these environment variables:Security Best Practices
Authentication
Authentication
- Use Strong Keys: Generate a cryptographically random proxy authentication key
- Validate Every Request: Always verify the
X-Proxy-Auth-Keyheader - HTTPS Only: Ensure your proxy endpoint is only accessible via HTTPS
- Rotate Keys: Periodically rotate your proxy authentication keys
Rate Limiting
Rate Limiting
Add rate limiting to prevent abuse:
- Limit requests per IP address
- Limit requests per user/session
- Implement exponential backoff for repeated failures
Logging & Monitoring
Logging & Monitoring
- Log all proxy requests for audit purposes
- Monitor for unusual traffic patterns
- Set up alerts for authentication failures
Token Management
Token Management
- Store
GUEST_TOKENsecurely in environment variables - Never expose tokens in client-side code
- Consider generating tokens dynamically for enhanced security
Error Handling
Common Errors
401 - Missing or Invalid Proxy Key
401 - Missing or Invalid Proxy Key
Error:
{"error": {"message": "missing or invalid X-Proxy-Auth-Key"}}Cause: The X-Proxy-Auth-Key header is missing or doesn’t match.Solution: Verify that window.dbn.proxyAuthKey matches your proxy’s PROXY_AUTH_KEY environment variable.502 - Upstream Fetch Failed
502 - Upstream Fetch Failed
Error:
{"error": {"message": "upstream fetch failed"}}Cause: Your proxy cannot reach the Databrain backend.Solution:- Verify
SELFHOSTED_BACKEND_URLis correct - Check network connectivity from your proxy server
- Verify firewall rules allow outbound connections
500 - Internal Server Error
500 - Internal Server Error
Error:
{"error": {"message": "internal server error"}}Cause: An unexpected error occurred in your proxy.Solution: Check your proxy server logs for detailed error information.Testing Your Proxy
Use curl to test your proxy endpoint:Related Resources
Guest Token API
Learn about generating guest tokens for your proxy
Component Options
Explore all DataBrain component configuration options
Authentication Guide
Comprehensive guide to DataBrain authentication
Security Best Practices
Learn about multi-tenant access control and security

