How does Velvet handle database credentials?

"How does the Velvet system handle DB credentials?"

Teams often want to understand more about how we handle database connection strings before connecting their production database.

The following guidance includes a mix of how our system works, and general best practices for connecting your database to any third-party tool.

We recommend that you create a readonly database user to to connect with Velvet. This allows you to control which tables we can access. This is optional, but a general best practice.
the database credentials are encrypted using pgsodium's Transparent Column Encryption (TCE) with Postgres. This is how Supabase implements their Vault product. They wrote an article https://supabase.com/blog/transparent-column-encryption-with-postgres on how it works.
Each of our customer’s workspaces are isolated as separate ClickHouse databases. Access to these ClickHouse databases is granular, with specific readonly query users per workspace.
We provide static IPs for our services. This means you can allowlist Velvet through your network restrictions, and know which requests are coming from us.