SOC 2 Compliant

Database Access

Vaultbrix uses an API-first architecture for maximum security. All database operations go through authenticated, audited API endpoints.

Security Model

No Public Database Ports

For security reasons, Vaultbrix does not expose PostgreSQL ports to the public internet. All production access goes through authenticated API endpoints, or via a secure SSH tunnel when you need direct SQL for migrations and admin operations.

What's Protected

PostgreSQL port 5432 - blocked publicly

Connection pooler port 6543 - blocked publicly

All DDL operations require approval

Full audit trail on all queries

How to Access

REST API (PostgREST compatible)

Supabase JavaScript/Python SDK

SQL Editor in Dashboard

SSH Tunnel for direct SQL (admin/migrations)

MCP Server for AI tools

Access Methods

REST API

Recommended

PostgREST-compatible REST API for all CRUD operations

# Fetch data
curl -X GET "https://api.vaultbrix.com/rest/v1/users" \
  -H "apikey: YOUR_ANON_KEY" \
  -H "Authorization: Bearer YOUR_JWT"

# Insert data
curl -X POST "https://api.vaultbrix.com/rest/v1/users" \
  -H "apikey: YOUR_ANON_KEY" \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "Content-Type: application/json" \
  -d '{"name": "John", "email": "john@example.com"}'

Full PostgREST query syntax supported including filters, ordering, pagination, and joins.

Supabase SDK

Official Supabase client libraries for JavaScript, Python, and more

import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  'https://your-project.vaultbrix.com',
  'YOUR_ANON_KEY'
)

// Fetch data
const { data, error } = await supabase
  .from('users')
  .select('*')
  .eq('status', 'active')

// Insert data
const { data, error } = await supabase
  .from('users')
  .insert({ name: 'John', email: 'john@example.com' })

SQL Editor

Execute SQL queries directly from the Vaultbrix dashboard

The built-in SQL Editor provides a secure way to run queries with:

Real-time query classification and risk assessment
Automatic approval workflow for DDL operations
Complete audit trail for compliance
Syntax highlighting and auto-completion

SSH Tunnel (Direct SQL)

Secure access for migrations and tenant admin operations without public ports

Use SSH to create a local tunnel to your tenant database. This gives you secure, direct SQL access for admin and maintenance tasks while keeping port 5432 closed publicly.

# 1) Open a tunnel to the VPS
ssh -i ~/.ssh/vaultbrix_ed25519 -L 15432:localhost:5433 ubuntu@84.234.19.42

# 2) Connect with psql (schema is required)
PGPASSWORD="<password>" psql -h localhost -p 15432 -U tenant_<slug> -d postgres -c "SET search_path TO tenant_<slug>;"

# 3) Test connection
PGPASSWORD="<password>" psql -h localhost -p 15432 -U tenant_<slug> -d postgres -c "SET search_path TO tenant_<slug>; SELECT 1;"

Use your tenant role and include the schema parameter.

Keep port 5432 closed publicly. SSH is the secure path for direct SQL access.

Need admin APIs? Use the Dashboard or authenticated REST endpoints (see API docs).

MCP Server (AI Tools)

Connect Claude Code, Cursor, or other AI tools to your database

The Model Context Protocol (MCP) allows AI assistants to understand your database schema and help you write queries, without direct database access.

Business Intelligence Tools

For BI tools like Metabase, Tableau, or PowerBI that require direct database connections, we recommend one of the following approaches:

Option 1: REST API Integration

Most modern BI tools support REST API data sources. Configure your tool to fetch data from the Vaultbrix REST API with proper authentication.

Option 2: Data Export

Export your data to CSV or connect to a data warehouse. Use the SQL Editor to create views optimized for analytics, then export regularly.

Option 3: Enterprise Direct Access

Enterprise customers can request secure direct database access via VPN or IP whitelisting. Contact support for configuration.

Enterprise Only

Why API-First?

Complete Audit Trail

Every query is logged with user identity, timestamp, and execution details. Essential for SOC 2 and GDPR compliance.

SQL Approval Workflow

Dangerous operations (DROP, ALTER, TRUNCATE) require admin approval before execution. Prevents accidental data loss.

No Credential Exposure

Database passwords never leave the server. API keys can be rotated instantly without changing database credentials.