Getting Started with Bulwark
Bulwark is the identity platform for the agentic era — bringing human users and AI agents under a single, unified auth layer.
What is Bulwark?
Bulwark provides:
- Agent Identity — First-class principals for AI agents with scoped credentials
- Biscuit Token Delegation — Unforgeable, attenuatable tokens for agent-to-agent auth
- Credential Proxy — Secure, policy-gated API credential injection without exposing secrets
- Token Vault — Store and manage third-party OAuth tokens on behalf of agents
- CIBA — Client Initiated Backchannel Authentication for human-in-the-loop approval flows
- FGA — Fine-grained authorization with relationship-based access control
- Secret Vault — Encrypted secret storage with audit trails
Architecture
┌──────────────────────────────────────────────┐
│ Bulwark Platform │
│ │
│ ┌───────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Auth API │ │ Agent │ │ Proxy │ │
│ │ (Go/Fiber)│ │ Registry │ │ Layer │ │
│ └───────────┘ └──────────┘ └──────────┘ │
│ │
│ ┌───────────┐ ┌──────────┐ ┌──────────┐ │
│ │ PostgreSQL│ │ Valkey │ │ Vault │ │
│ │ (store) │ │ (cache) │ │ (secrets)│ │
│ └───────────┘ └──────────┘ └──────────┘ │
└──────────────────────────────────────────────┘
Quick Links
- 5-Minute Quickstart — Get up and running fast
- Architecture Overview — How Bulwark works under the hood
- Self-Hosting Guide — Deploy with Docker or Railway
- API Reference — Full REST API documentation
- SDKs — TypeScript, React, Next.js, NestJS, and AI framework SDKs
Base URL
https://api.bulwarkauth.io/api/v1
All requests require a tenant header:
X-Bulwark-Tenant: <your-tenant-id>
Authentication
Most endpoints require a Bearer token:
Authorization: Bearer <token>
Use your API key for server-to-server calls:
Authorization: Bearer bwk_live_...