universe docs source
browse docs
introduction.md quickstart.md architecture.md
configuration/
node-config.md instance-config.md templates.md database.md
runtimes/
overview.md screen-tmux.md docker.md kubernetes.md
extensions/
overview.md storage-s3.md databases.md metrics.md tailscale.md gitops.md argocd.md discord.md building-extensions.md
minecraft/
overview.md plugins.md proxy-plugins.md api.md
operations/
console-commands.md logging.md networking.md security.md
api-reference/
overview.md authentication.md instances.md configurations.md templates.md cluster.md node.md commands.md websockets.md
docs /operations /security

Security

Bearer-token authentication, the ALL and PUBLIC scopes, rate limiting on public keys, the key lifecycle, and the infrastructure boundaries that matter most in production.

The REST API authenticates every request with a bearer token. Each token carries one of two scopes that decide what it can do, and public-scope tokens are rate limited. Tokens are created and revoked from the console, and the most important hardening work happens at the network boundary rather than in the application.

Authentication

Send the token in the Authorization header on every request. Tokens are prefixed with unv_.

curl -H "Authorization: Bearer unv_your_token_here" \
  http://localhost:7000/api/instances
i
note

Token lookups are cached in memory for 15 seconds. A deleted key can therefore remain valid for up to that window before the cache refreshes, so plan revocations with that lag in mind.

Permission scopes

Every key is created with one of two permission levels:

  • ALL grants complete administrative access to every endpoint, including instance lifecycle, configuration control, and command execution. It bypasses rate limiting entirely.
  • PUBLIC is restricted to read-only operations such as status, listing, and informational queries. Write and lifecycle calls return 401 Unauthorized, and the key is rate limited.
CapabilityALLPUBLIC
Instance lifecycle (create, stop, kill, restart)yesno
Instance queries and logsyesyes
Configuration managementyesno
Template synchronizationyesno
Console commandsyesno
Rate limiting appliednoyes (100 / 60s)

Managing keys

Keys are created, listed, and deleted from the console. The full token is shown exactly once at creation; afterward key list only ever displays a masked form.

# The full token prints once at creation, then never again.
key create ci-pipeline ALL

# List keys with masked tokens.
key list

# Revoke immediately when a system is decommissioned.
key delete ci-pipeline
!
warning

Because the token cannot be retrieved after creation, store it immediately in a secrets manager or an environment variable. If it is lost, delete the key and issue a new one.

Rate limiting

PUBLIC keys are held to a sliding window of 100 calls per 60 seconds. Crossing the limit returns HTTP 429 with the time to wait before retrying. ALL keys are never rate limited.

HTTP 429 Too Many Requests
{
  "error": "Rate limit exceeded",
  "message": "100 calls were already made during 1m",
  "retryAfterMs": 42000
}

WebSocket authentication

WebSocket endpoints, including the live-log stream, require the bearer token in the Authorization header during the HTTP upgrade handshake. Browser clients cannot set arbitrary WebSocket headers, so query-parameter tokens work only with a reverse proxy that rewrites the parameter into the header before forwarding the handshake.

Infrastructure hardening

!
warning

The Hazelcast port (6000 by default) grants full cluster membership to any process that connects. Never expose it to the public internet; restrict it at the firewall to internal Master and Wrapper traffic only.

When the Docker runtime is in use, the Universe process talks to /var/run/docker.sock. That access is equivalent to root on the host, so treat any key that can trigger Docker-backed deploys as a host-level credential. Consider a Docker socket proxy or a read-only mount to narrow which API calls are permitted.

Production recommendations

  • Issue one ALL key per automated system and rotate keys on a schedule.
  • Use separate PUBLIC keys for monitoring and dashboards so they stay rate limited.
  • Delete keys for decommissioned systems the moment they are retired.
  • Store tokens in a secrets manager, never in source control.
  • Keep Hazelcast traffic confined to Master and Wrapper links only.
  • Expose the REST API solely to trusted networks or behind an authenticated reverse proxy.
  • Restrict Docker socket access with a proxy or a read-only mount.
Console commands

The key create, key list, and key delete commands in context.
Networking

Firewall posture for the REST, Hazelcast, and instance ports.
Logging

Bearer auth on the log retrieval and live-log endpoints.
Authentication

The auth model from the API reference side, with header details and error codes.