Authentication

The public Control Plane API uses Bearer authentication.

Header

Authorization: Bearer <token>

An API key is required for:

• Console;
• CLI;
• REST automation;
• profile and usage checks.

Scope and permissions

A key has a scope:

• global
• account
• tenant

And a set of permissions, among which the following are usually the most important:

• can_create_tenant
• can_create_db
• can_scale
• can_delete

The practical rule is simple:

• scope determines what you can see;
• permissions determine what you can do.

What is important not to confuse

• an API key is access to the Control Plane;
• pg_user / pg_password are access to PostgreSQL through Gateway.

These secrets are not interchangeable.

Console and email login

For Console, the token is additionally linked to the email from the account profile. That means a token may be formally valid, but Console may still fail to complete login if the account does not have an email set.

Security recommendations

• use separate keys for people and for CI;
• grant the minimum permissions required;
• rotate tokens when employees change or when compromise is suspected;
• do not store the API key next to the PostgreSQL DSN in open configurations.