Vaultbrix uses an API-first architecture by default, with audited direct PostgreSQL access available through SSH tunnels or time-bound IP allowlist rules.
PostgreSQL is not left open to the internet. Production access goes through authenticated API endpoints, SSH tunnels, or a temporary direct-access allowlist rule tied to your source IP or CIDR.
# Fetch data
export VAULTBRIX_ANON_KEY="<anon-key>"
export VAULTBRIX_JWT="<user-jwt>"
curl -X GET "https://api.vaultbrix.com/rest/v1/users" \
-H "apikey: ${VAULTBRIX_ANON_KEY}" \
-H "Authorization: Bearer ${VAULTBRIX_JWT}"
# Insert data
curl -X POST "https://api.vaultbrix.com/rest/v1/users" \
-H "apikey: ${VAULTBRIX_ANON_KEY}" \
-H "Authorization: Bearer ${VAULTBRIX_JWT}" \
-H "Content-Type: application/json" \
-d '{"name": "John", "email": "john@example.com"}'Full PostgREST query syntax supported including filters, ordering, pagination, and joins.
import { createClient } from '@supabase/supabase-js'
const supabase = createClient(
'https://your-project.vaultbrix.com',
'YOUR_ANON_KEY'
)
// Fetch data
const { data, error } = await supabase
.from('users')
.select('*')
.eq('status', 'active')
// Insert data
const { data, error } = await supabase
.from('users')
.insert({ name: 'John', email: 'john@example.com' })For Prisma migrations, local admin tools, CI jobs, or BI connectors that need direct PostgreSQL, add a time-bound allowlist rule from the dashboard.
# Set DATABASE_URL from Dashboard > Settings > Database # Host: db.vaultbrix.com, port: 5433, user: tenant_<slug>, schema: tenant_<slug> DATABASE_URL="postgresql://tenant_<slug>:<password>@db.vaultbrix.com:5433/postgres?sslmode=require&schema=tenant_<slug>" npx prisma migrate deploy
Rules expire automatically. Direct PostgreSQL requires native TLS and must includesslmode=require&schema=tenant_<slug>in connection strings. For strict hostname verification, usesslmode=verify-full&sslrootcert=system.
Use SSH to create a local tunnel to your tenant database. This gives you secure, direct SQL access for admin and maintenance tasks while keeping internal port 5432 private.
# 1) Open a tunnel to the VPS ssh -i ~/.ssh/vaultbrix_ed25519 -L 15432:localhost:5433 ubuntu@84.234.19.42 # 2) Connect with psql (schema is required) PGPASSWORD="<password>" psql -h localhost -p 15432 -U tenant_<slug> -d postgres -c "SET search_path TO tenant_<slug>;" # 3) Test connection PGPASSWORD="<password>" psql -h localhost -p 15432 -U tenant_<slug> -d postgres -c "SET search_path TO tenant_<slug>; SELECT 1;"
Use your tenant role and include the schema parameter.
Keep port 5432 private. Use SSH for private direct SQL, or port 5433 with the managed IP allowlist and SSL.
Use the direct IP allowlist only when a tool cannot run through an SSH tunnel.
Need admin APIs? Use the Dashboard or authenticated REST endpoints (see API docs).
For BI tools like Metabase, Tableau, or PowerBI that require direct database connections, we recommend one of the following approaches:
Most modern BI tools support REST API data sources. Configure your tool to fetch data from the Vaultbrix REST API with proper authentication.
Export your data to CSV or connect to a data warehouse. Use the SQL Editor to create views optimized for analytics, then export regularly.
Add the BI worker or office egress IP in Dashboard, Settings, Database. Use the shortest practical TTL and rotate credentials separately.
Time-boundEvery query is logged with user identity, timestamp, and execution details. Essential for SOC 2 and GDPR compliance.
Dangerous operations (DROP, ALTER, TRUNCATE) require admin approval before execution. Prevents accidental data loss.
Database passwords never leave the server. API keys can be rotated instantly without changing database credentials.