Execution context and authentication

Each App in Domino runs with the identity and permissions of the user who starts it. This identity determines what the app can access during execution, including:

  • Datasets: Mounted with read/write access if the starter has permission.

  • Data Sources: Accessible based on the starter’s credentials.

  • Project Files: Fully available within the App container.

This model ensures that apps operate within the same security context as the user who launched them. It is particularly effective for apps designed as trusted interfaces to governed resources, such as model exploration dashboards backed by pre-approved data inputs.

Identify the requesting user

In some cases, you may want to control behavior based on who is using the App, not who started it. For example, you might want to show different data or limit functionality based on the viewer’s identity.

Domino supports this through two identity propagation mechanisms:

HTTP header (domino-username)

Domino securely injects the username of the current requester into every proxied HTTP request using the domino-username header.

  • Value is the logged-in Domino username (e.g., jane.smith).

  • Anonymous users will have the value Anonymous.

  • Supported by default in Dash and Flask.

  • Shiny requires Shiny Server Pro to receive these headers.

Tip

This is the simplest way to get per-user awareness in your app logic.

JWT token (Optional)

If the SecureIdentityPropagationToAppsEnabled feature flag is enabled, Domino also passes a signed JSON Web Token (JWT) in the Authorization header.

The token contains:

  • Username

  • User ID

  • Email

Your App can verify and decode this token to enforce fine-grained access controls or integrate with other identity systems.

Access the JWT token

You can drop this into most web frameworks (Dash, Flask, etc.) as long as request.headers behaves like a dictionary.

# Assume 'request' is the incoming HTTP request object

auth_header = request.headers.get("Authorization")

if auth_header:
    token = auth_header.replace("Bearer ", "")
    print("JWT token:", token)
else:
    print("No Authorization header found.")

Together, these options let you build Apps that are both secure and flexible, whether access is tied to the App starter or the individual user making the request.

Dataset access in Apps

If your App needs to control access to Datasets based on the requesting user’s identity, follow this pattern:

  1. From the Data menu in the App settings, choose Don’t mount Datasets to App filesystems.

    This disables direct filesystem access to Datasets and ensures access is routed through Domino’s permission-aware API.

  2. In your App code, use:

    • The domino-username header, or

    • The decoded JWT token

  3. Use the Dataset API to access specific dataset files, enforcing access logic based on the App starter’s identity.

This setup enables you to serve a single App to multiple users while tailoring data access according to Domino’s role-based permissions.

Next steps

  • Apps in Domino gives an overview of how apps work within the Domino ecosystem.

  • Persist data using Datasets or external storage to make your Apps more dynamic and interactive.

  • Create and Publish an App has instructions on creating and publishing your Apps, customizing the App’s URL, and sharing Apps with authorized users.