Security & Authentication

PgArachne relies entirely on the PostgreSQL permission system. It does not reinvent Access Control Lists (ACLs). All queries are executed under the specific database role of the authenticated user using SET LOCAL ROLE.

1. Interactive Login (JWT)

Users authenticate using their real PostgreSQL username and password via the login function. If successful, they receive a generic JWT. When this token is used, PgArachne switches the active role to that user for the duration of the request.

2. Service Accounts (API Tokens)

For automated systems or scripts, you can use long-lived API keys.

Tokens are stored in the pgarachne.api_tokens table.
Each token is mapped to a specific database user/role.
Send the token via the Authorization: Bearer <token> header.

Minting API tokens requires pgarachne_admin. Use pgarachne.add_api_token(...) with a role that is a member of pgarachne_admin.

Critical Configuration: Proxy Privileges

Since PgArachne connects as the user defined in DB_USER (e.g., pgarachne) and switches identity to other users, the proxy user must be a member of those target roles.

Run this SQL for every user/role that needs to log in:

-- Allow 'pgarachne' to switch to 'demo_user'
GRANT demo_user TO pgarachne;

← Metrics (Prometheus) Deployment & HTTPS →