SOC 2 Compliant

Database Access

Vaultbrix uses an API-first architecture by default, with audited direct PostgreSQL access available through SSH tunnels or time-bound IP allowlist rules.

Security Model

No Open Database Ports

PostgreSQL is not left open to the internet. Production access goes through authenticated API endpoints, SSH tunnels, or a temporary direct-access allowlist rule tied to your source IP or CIDR.

What's Protected
PostgreSQL port 5432 - blocked publicly
Connection pooler port 6543 - blocked publicly
Direct port 5433 - limited to trusted IP/CIDR rules
All DDL operations require approval
Full audit trail on all queries
How to Access
REST API (PostgREST compatible)
Supabase JavaScript/Python SDK
SQL Editor in Dashboard
SSH Tunnel for direct SQL (admin/migrations)
Time-bound direct IP allowlist on port 5433
MCP Server for AI tools

Access Methods

REST API
Recommended
PostgREST-compatible REST API for all CRUD operations
# Fetch data
curl -X GET "https://api.vaultbrix.com/rest/v1/users" \
  -H "apikey: YOUR_ANON_KEY" \
  -H "Authorization: Bearer YOUR_JWT"

# Insert data
curl -X POST "https://api.vaultbrix.com/rest/v1/users" \
  -H "apikey: YOUR_ANON_KEY" \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "Content-Type: application/json" \
  -d '{"name": "John", "email": "john@example.com"}'

Full PostgREST query syntax supported including filters, ordering, pagination, and joins.

Supabase SDK
Official Supabase client libraries for JavaScript, Python, and more
import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  'https://your-project.vaultbrix.com',
  'YOUR_ANON_KEY'
)

// Fetch data
const { data, error } = await supabase
  .from('users')
  .select('*')
  .eq('status', 'active')

// Insert data
const { data, error } = await supabase
  .from('users')
  .insert({ name: 'John', email: 'john@example.com' })
SQL Editor
Execute SQL queries directly from the Vaultbrix dashboard

The built-in SQL Editor provides a secure way to run queries with:

  • Real-time query classification and risk assessment
  • Automatic approval workflow for DDL operations
  • Complete audit trail for compliance
  • Syntax highlighting and auto-completion
Direct IP Allowlist
Temporary public direct PostgreSQL access for trusted source IPs

For Prisma migrations, local admin tools, CI jobs, or BI connectors that need direct PostgreSQL, add a time-bound allowlist rule from the dashboard.

  1. Open Dashboard, then Settings, Database, and Direct Database Access
  2. Choose a duration: 1 hour, 24 hours, 7 days, or 30 days
  3. Allow your current IP or add a custom IP/CIDR
  4. Connect to port 5433 after the firewall sync interval
# Set DATABASE_URL from Dashboard > Settings > Database
# Host: db.vaultbrix.com, port: 5433, user: tenant_<slug>, schema: tenant_<slug>
npx prisma migrate deploy

Rules expire automatically. Revoke them from the same dashboard section when work is complete.

SSH Tunnel (Direct SQL)
Secure access for migrations and tenant admin operations without public ports

Use SSH to create a local tunnel to your tenant database. This gives you secure, direct SQL access for admin and maintenance tasks while keeping port 5432 closed publicly.

# 1) Open a tunnel to the VPS
ssh -i ~/.ssh/vaultbrix_ed25519 -L 15432:localhost:5433 ubuntu@84.234.19.42

# 2) Connect with psql (schema is required)
PGPASSWORD="<password>" psql -h localhost -p 15432 -U tenant_<slug> -d postgres -c "SET search_path TO tenant_<slug>;"

# 3) Test connection
PGPASSWORD="<password>" psql -h localhost -p 15432 -U tenant_<slug> -d postgres -c "SET search_path TO tenant_<slug>; SELECT 1;"

Use your tenant role and include the schema parameter.

Keep port 5432 closed publicly. SSH is the secure path for direct SQL access.

Use the direct IP allowlist only when a tool cannot run through SSH tunnel.

Need admin APIs? Use the Dashboard or authenticated REST endpoints (see API docs).

MCP Server (AI Tools)
Connect Claude Code, Cursor, or other AI tools to your database

The Model Context Protocol (MCP) allows AI assistants to understand your database schema and help you write queries, without direct database access.

Business Intelligence Tools

For BI tools like Metabase, Tableau, or PowerBI that require direct database connections, we recommend one of the following approaches:

Option 1: REST API Integration

Most modern BI tools support REST API data sources. Configure your tool to fetch data from the Vaultbrix REST API with proper authentication.

Option 2: Data Export

Export your data to CSV or connect to a data warehouse. Use the SQL Editor to create views optimized for analytics, then export regularly.

Option 3: Direct IP Allowlist

Add the BI worker or office egress IP in Dashboard, Settings, Database. Use the shortest practical TTL and rotate credentials separately.

Time-bound

Why API-First?

Complete Audit Trail

Every query is logged with user identity, timestamp, and execution details. Essential for SOC 2 and GDPR compliance.

SQL Approval Workflow

Dangerous operations (DROP, ALTER, TRUNCATE) require admin approval before execution. Prevents accidental data loss.

No Credential Exposure

Database passwords never leave the server. API keys can be rotated instantly without changing database credentials.