
An object-storage-first vector database for cold and bursty workloads. Apache 2.0.
© 2026 RosalindDB contributors. Apache License 2.0.

    Authentication

    When RB_REQUIRE_AUTH=true, every request carries an Authorization: Bearer <token> header. Clients that log in use 24-hour JWTs issued by POST /auth/login; your server code uses API keys of the form rb_live_…. Both credential types resolve to the same tenant.

    OSS default: this page does not apply

    The OSS default is RB_REQUIRE_AUTH=false. In that mode the /auth/* endpoints return 404, no token is needed on /v1/*, and every request is attributed to a single implicit default tenant. If that's your setup, you can skip this chapter.

    Flip RB_REQUIRE_AUTH=true (and set a real JWT_SECRET) to turn on signup, JWTs, API keys, and per-tenant isolation. Multi-tenant self-host runs with both gates on; see Architecture · Two env switches for the full gating story.

    API key lifecycle

    Created with a JWT, revocable any time, raw value returned exactly once.

    Create a key (JWT required):

    curl -s -X POST http://localhost:8080/auth/keys \
      -H "Authorization: Bearer $JWT" \
      -H "Content-Type: application/json" \
      -d '{"name":"Production server"}'

    Response (HTTP 201):

    {
      "id": "key_01H...",
      "key": "rb_live_xyz789...",
      "name": "Production server",
      "created_at": "2026-05-14T12:34:56Z"
    }

    The raw key field is returned once. Subsequent GET /auth/keys calls list metadata only (id, name, created_at, last_used_at, revoked_at).

    Revoke a key:

    curl -s -X DELETE http://localhost:8080/auth/keys/key_01H... \
      -H "Authorization: Bearer $JWT"

    Returns HTTP 204. The row is kept for audit: its revoked_at timestamp is set and the key is rejected on all subsequent requests.

    Authenticated request

    Any endpoint accepts either a JWT or an API key on the same header.

    curl -s http://localhost:8080/auth/me \
      -H "Authorization: Bearer rb_live_xyz789..."

    Error envelope

    Every 4xx/5xx response uses the same shape.

    {
      "error": {
        "code": "unauthorized",
        "message": "Missing or invalid credentials"
      }
    }

    Common codes:

    • unauthorized — missing, invalid, or expired token (HTTP 401)
    • invalid_credentials — login failed; same code for wrong password and unknown email (HTTP 401)
    • rate_limited — per-key token bucket exhausted (HTTP 429)
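The following is an added reference model, not RosalindDB's own code, that ties together the behaviour documented above: the RB_REQUIRE_AUTH gate, the API key lifecycle (raw value returned once, metadata-only listing, revocation that keeps the row), bearer-header dispatch to either an API key or a JWT, and the single error envelope with code unauthorized. It uses only the Python standard library. Everything not stated on the page is an assumption and marked as such in the code: keys are stored as SHA-256 digests rather than in the clear, JWTs are HS256 signed with JWT_SECRET, the key id and raw key formats are constructed to match the documented prefixes, and "default" is a placeholder name for the implicit tenant.

```python
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass
from typing import List, Optional

KEY_PREFIX = "rb_live_"   # API-key prefix documented on the page
JWT_TTL = 24 * 3600       # 24-hour JWTs, as documented


def envelope(code: str, message: str) -> dict:
    """The one error shape every 4xx/5xx response uses."""
    return {"error": {"code": code, "message": message}}


def _digest(raw_key: str) -> str:
    # Assumption: only a SHA-256 digest is stored, so the raw key can be
    # returned exactly once at creation and is unrecoverable afterwards.
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass
class ApiKey:
    id: str
    tenant: str
    name: str
    digest: str
    created_at: float
    last_used_at: Optional[float] = None
    revoked_at: Optional[float] = None

    def metadata(self) -> dict:
        # What GET /auth/keys exposes: never the raw key or its digest.
        return {"id": self.id, "name": self.name, "created_at": self.created_at,
                "last_used_at": self.last_used_at, "revoked_at": self.revoked_at}


class KeyStore:
    def __init__(self):
        self._keys = {}   # key id -> ApiKey; rows are never deleted

    def create(self, tenant: str, name: str, now: float) -> dict:
        raw = KEY_PREFIX + secrets.token_urlsafe(24)   # constructed key format
        key = ApiKey("key_" + secrets.token_hex(8), tenant, name, _digest(raw), now)
        self._keys[key.id] = key
        return {"id": key.id, "key": raw, "name": name, "created_at": now}  # raw: once

    def list_keys(self, tenant: str) -> List[dict]:
        return [k.metadata() for k in self._keys.values() if k.tenant == tenant]

    def revoke(self, key_id: str, now: float) -> bool:
        key = self._keys.get(key_id)
        if key is None or key.revoked_at is not None:
            return False
        key.revoked_at = now   # kept for audit; rejected from now on
        return True

    def lookup(self, raw: str, now: float) -> Optional[ApiKey]:
        digest = _digest(raw)
        for key in self._keys.values():
            if hmac.compare_digest(key.digest, digest):
                if key.revoked_at is not None:
                    return None
                key.last_used_at = now
                return key
        return None


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(tenant: str, secret: bytes, now: float) -> str:
    # What POST /auth/login would hand back. HS256 is an assumption: the page
    # names only JWT_SECRET and the 24-hour lifetime.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": tenant, "iat": int(now), "exp": int(now) + JWT_TTL}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now: float) -> Optional[str]:
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # refuse alg swaps
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        return claims["sub"] if now < claims["exp"] else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def authenticate(headers: dict, store: KeyStore, secret: bytes, now: float,
                 require_auth: bool = True):
    # Returns (tenant, None) on success or (None, envelope) for the documented 401.
    if not require_auth:
        return "default", None   # RB_REQUIRE_AUTH=false: one implicit tenant (placeholder name)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    tenant = None
    if scheme == "Bearer" and token:
        if token.startswith(KEY_PREFIX):
            key = store.lookup(token, now)
            tenant = key.tenant if key else None
        else:
            tenant = verify_jwt(token, secret, now)
    if tenant is None:
        # One message for missing, unknown, revoked and expired credentials.
        return None, envelope("unauthorized", "Missing or invalid credentials")
    return tenant, None
```

The design choice worth noting is that the server never keeps the raw key: create() is the only place it exists, which is what makes the "returned exactly once" promise enforceable rather than a convention. Keeping the revoked row with revoked_at set (instead of deleting it) is what lets GET /auth/keys still show the key in the audit listing while lookup() refuses it.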
