> ## Documentation Index
> Fetch the complete documentation index at: https://docs.domino.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication and identity for Apps

Domino Apps provide built-in security features that control what users can access and interact with from your App.

## How apps use identity

Each App adopts the permissions of the current viewer by default. This determines what the user can access from the App, including Datasets, Data Sources, and project files.

If the `SecureIdentityPropagationToAppsEnabled` feature flag is disabled, the App runs with the App creator’s permissions instead.

You can also identify individual users who interact with the App, enabling personalized experiences and permission-aware behavior.

[App security and identity](/6.3/platform-capabilities/core-concepts/products/apps/authentication-and-identity/app-security) has complete details about identity propagation, authentication headers, and JWT tokens.

## NetApp Volume and Dataset access in Apps

By default, Apps mount NetApp Volumes and Datasets that the App creator can access, which means viewers can inherit permissions to data they wouldn’t normally have.

To enforce viewer-specific permissions, use the `dominodatalab-data` SDK. The SDK routes access through Domino’s API and applies the viewer’s actual permissions.

Before you begin, verify with your Domino administrator that `SecureIdentityPropagationToAppsEnabled` is enabled. Administrators can [disable direct mounting entirely](/6.3/admin/configuration/central-configuration#Apps) to prevent permission inheritance.

<Tabs>
  <Tab title="NetApp Volumes">
    1. In **Publish Domino App** on the **Data** menu, select **Mount NetApp Volumes to App file system**.

    2. In your App code, use:

       1. The `domino-username` header, or

       2. The decoded JWT token

    3. Use the `dominodatalab-data` Python or R SDK to read, write, and download volume files based on the viewer’s identity.
  </Tab>

  <Tab title="Datasets">
    1. In **Publish Domino App** on the **Data** menu, select **Mount all datasets to App file system**.

    2. The JWT token is included when you query the dataset.

    3. Use the `dominodatalab-data` Python or R SDK to read, write, and download volume files based on the viewer’s identity.
  </Tab>
</Tabs>

This setup lets you serve a single App to multiple users while tailoring data access according to Domino’s role-based permissions.

## Next steps

* [Apps security and identity](/6.3/platform-capabilities/core-concepts/products/apps/authentication-and-identity/app-security) has complete details about identity propagation, authentication headers, and JWT tokens.

* [Persist data](/6.3/platform-capabilities/core-concepts/products/apps/persist-data-in-apps) using Datasets or external storage to make your Apps more dynamic and interactive.

* [Create and Publish an App](/6.3/platform-capabilities/core-concepts/products/apps/publish-an-app) has instructions on creating and publishing your Apps, customizing the App’s URL, and sharing Apps with authorized users.
