walwarden
Reference

API auth and scopes

Generated guide for API key authentication and endpoint scopes.

Use a scoped Walwarden API key with the HTTP bearer scheme:

curl -H 'Authorization: Bearer $WALWARDEN_API_KEY' \
  '$WALWARDEN_BASE_URL/api/v1/databases'

Issue, scope, and revoke these keys from the dashboard — see Issue a dashboard API token.

Missing, inactive, or expired keys return 401 unauthorized. Keys without the endpoint scope return 403 forbidden with requiredScope and nextAction in the structured error body.

Mutation endpoints require an Idempotency-Key header. Reusing a key with a different request body returns 409 conflict.

Scopes Used By Public API v1 Alpha

ScopeLabelDescription
databases:readRead protected databasesList and inspect protected database records.
destinations:readRead backup destinationsList and inspect configured backup destinations.
backups:triggerTrigger backup jobsStart, cancel, and dismiss backup jobs.
restores:readRead restore jobsList and inspect restore jobs and restore-drill state.
restores:writeRun restore jobsStart restore jobs and restore drills with explicit targets.
evidence:readRead evidence bundlesRead backup, restore, and verification evidence artifacts.

Endpoint Scope Matrix

MethodPathOperationRequired scope
GET/profilegetProfilenone
GET/databaseslistDatabasesdatabases:read
GET/databases/{databaseId}getDatabasedatabases:read
GET/destinationslistDestinationsdestinations:read
GET/destinations/{destinationId}getDestinationdestinations:read
GET/databases/{databaseId}/backupslistDatabaseBackupsdatabases:read
POST/databases/{databaseId}/backupstriggerBackupbackups:trigger
GET/backups/{backupJobId}getBackupdatabases:read
GET/evidencelistEvidenceevidence:read
GET/evidence/{backupJobId}getEvidenceevidence:read
POST/restorescreateRestorerestores:write
GET/restores/{restoreJobId}getRestorerestores:read
GET/databases/{databaseId}/recovery/summarygetRecoverySummarydatabases:read
GET/databases/{databaseId}/recovery/candidategetRecoveryCandidatedatabases:read
GET/recovery/windows/{windowId}/proofgetRecoveryWindowProofdatabases:read