REST API Reference

The DB9 REST API lets you manage databases, execute SQL, and interact with the platform programmatically. All customer endpoints live under https://api.db9.ai/customer.

For most use cases, the CLI or TypeScript SDK provide a more ergonomic interface. The REST API is ideal for custom integrations, CI/CD pipelines, or languages without an SDK.

Authentication

All requests require a Bearer token in the Authorization header:

Terminal

curl -H "Authorization: Bearer $DB9_API_KEY" https://api.db9.ai/customer/databases

Obtain tokens via:

• db9 token create (CLI)
• db9 login --api-key <KEY> (sets DB9_API_KEY)
• Anonymous bootstrap (/customer/anonymous-register)

Account & Sessions

Method	Path	Description
GET	/customer/me	Current customer identity and profile
POST	/customer/anonymous-register	Create anonymous account and session
POST	/customer/anonymous-refresh	Refresh anonymous session tokens
POST	/customer/claim	Upgrade anonymous account with Auth0 id_token
POST	/customer/adopt-anonymous-databases/preflight	Pre-check database adoption eligibility and quotas
POST	/customer/adopt-anonymous-databases	Transfer databases from anonymous account

Anonymous Refresh

Field	Type	Required	Description
anonymous_id	string	yes	Anonymous customer ID

Adopt Request Fields

Preflight (POST /customer/adopt-anonymous-databases/preflight):

Field	Type	Required	Description
anonymous_customer_id	string	yes	Customer ID of the anonymous account
anonymous_secret	string	yes	Secret for the anonymous account

Execute (POST /customer/adopt-anonymous-databases):

Field	Type	Required	Description
anonymous_customer_id	string	yes	Customer ID of the anonymous account
anonymous_secret	string	yes	Secret for the anonymous account
database_ids	string[]	yes	List of database IDs to adopt (max 100)
idempotency_key	string	yes	Unique key for idempotent retries

Databases

Method	Path	Description
POST	/customer/databases	Create a database
GET	/customer/databases	List all databases
GET	/customer/databases/{database_id}	Get database details and connection info
DELETE	/customer/databases/{database_id}	Delete a database
POST	/customer/databases/{database_id}/reset-password	Reset admin password
GET	/customer/databases/{database_id}/credentials	Get stored admin credentials
GET	/customer/databases/{database_id}/schema	Get database schema (tables, columns, types)
GET	/customer/databases/{database_id}/observability	Get metrics and query samples

Create Database

JSON

{
  "name": "myapp",
  "region": "us-east-1"
}

Field	Type	Required	Description
name	string	yes	Database name
region	string	no	Deployment region
admin_password	string	no	Admin password (auto-generated if omitted)

SQL Execution

Method	Path	Description
POST	/customer/databases/{database_id}/sql	Execute SQL query
POST	/customer/databases/{database_id}/dump	Export schema and data as SQL ({"ddl_only": true} for schema only)

Execute SQL

JSON

{
  "query": "SELECT * FROM users"
}

Field	Type	Required	Description
query	string	no	Inline SQL query
file_content	string	no	SQL content (alternative to query)

Provide either query or file_content, not both.

Connect Tokens & Keys

Method	Path	Description
POST	/customer/databases/{database_id}/connect-token	Mint short-lived connect token JWT ({"role": "admin"})
POST	/customer/databases/{database_id}/connect-keys	Create long-lived DB Connect Key ({"role": "admin", "scopes": [...]})
GET	/customer/databases/{database_id}/connect-keys	List DB Connect Keys (metadata only)
DELETE	/customer/databases/{database_id}/connect-keys/{key_id}	Revoke a DB Connect Key

Auth Configuration

Method	Path	Description
GET	/customer/databases/{database_id}/auth-config	Get browser data-plane auth config
PUT	/customer/databases/{database_id}/auth-config	Upsert browser data-plane auth config

Upsert Auth Config

JSON

{
  "auth_mode": "byo_jwt",
  "byo_jwt": {
    "jwks_url": "https://example.com/.well-known/jwks.json",
    "audience": "my-app",
    "issuer": "https://example.com"
  }
}

Field	Type	Required	Description
auth_mode	string	no	Authentication mode (e.g. byo_jwt)
byo_jwt	object	no	Bring-your-own JWT configuration

Publishable Keys

Method	Path	Description
POST	/customer/databases/{database_id}/publishable-keys	Create publishable browser key
GET	/customer/databases/{database_id}/publishable-keys	List publishable keys (metadata only)
DELETE	/customer/databases/{database_id}/publishable-keys/{key_id}	Revoke a publishable key

Create Publishable Key

JSON

{
  "name": "web-app",
  "allowed_origins": ["https://example.com"],
  "exposed_schemas": ["public"],
  "exposed_tables": ["posts", "comments"],
  "rate_limit": { "rps": 100, "burst": 200 },
  "expires_in_days": 90
}

Field	Type	Required	Description
name	string	no	Key name
allowed_origins	string[]	no	CORS allowed origins
exposed_schemas	string[]	no	Schemas accessible via this key
exposed_tables	string[]	no	Tables accessible via this key
rate_limit	object	no	Rate limiting (rps, burst)
expires_in_days	number	no	Key expiration in days

Service Keys

Method	Path	Description
POST	/customer/databases/{database_id}/service-keys	Create service key for server-side access
GET	/customer/databases/{database_id}/service-keys	List service keys (metadata only)
DELETE	/customer/databases/{database_id}/service-keys/{key_id}	Revoke a service key

Database Users

Method	Path	Description
GET	/customer/databases/{database_id}/users	List database users
POST	/customer/databases/{database_id}/users	Create a database user
DELETE	/customer/databases/{database_id}/users/{username}	Delete a database user

Migrations

Method	Path	Description
GET	/customer/databases/{database_id}/migrations	List applied migrations
POST	/customer/databases/{database_id}/migrations	Apply a migration ({"name": "...", "sql": "...", "checksum": "..."})

Branching

Method	Path	Description
POST	/customer/databases/{database_id}/branch	Create a branch (schema copy)

Create Branch

JSON

{
  "name": "feature-branch",
  "snapshot_at": "2026-03-22T06:00:00Z"
}

Field	Type	Required	Description
name	string	yes	Branch name
snapshot_at	string	no	RFC 3339 UTC timestamp for point-in-time branching (omit to branch from current state)

Filesystem

Method	Path	Description
POST	/customer/databases/{database_id}/fs-connect	Obtain filesystem WebSocket connection details

Functions

Method	Path	Description
POST	/customer/databases/{database_id}/functions	Deploy a function (see fields below)
GET	/customer/databases/{database_id}/functions	List deployed functions
POST	/customer/databases/{database_id}/functions/{function_id}/invoke	Invoke a function ({"input": {...}})
GET	/customer/databases/{database_id}/functions/{function_id}/runs	List function runs
GET	/customer/databases/{database_id}/functions/{function_id}/runs/{run_id}	Get function run details
GET	/customer/databases/{database_id}/functions/{function_id}/runs/{run_id}/logs	Get function run logs

Create Function

JSON

{
  "name": "my-function",
  "entrypoint": "index.handler",
  "bundle_ref": "s3://bucket/bundle.zip",
  "bundle_digest": "sha256:abc123",
  "run_as": "app_user",
  "bypass_rls": false,
  "limits": { "timeout_ms": 30000 },
  "network_allowlist": ["https://api.example.com"],
  "fs9_scope": { "read": ["/data"], "write": [] },
  "secret_bindings": ["API_KEY"],
  "cron_schedule": "*/5 * * * *"
}

Field	Type	Required	Description
name	string	yes	Function name
entrypoint	string	yes	Function entrypoint (e.g. index.handler)
bundle_ref	string	yes	Bundle storage reference
bundle_digest	string	no	Bundle content digest for integrity
run_as	string	no	Database role to execute as
bypass_rls	boolean	no	Bypass Row-Level Security
limits	object	no	Execution limits
network_allowlist	string[]	no	Allowed outbound network destinations
fs9_scope	object	no	Filesystem access scope
secret_bindings	string[]	no	Secrets to bind to the function
cron_schedule	string	no	Cron expression for scheduled execution

Invoke Function

Field	Type	Required	Description
input	object	no	Function input payload
idempotency_key	string	no	Unique key for idempotent invocations

API Tokens

Method	Path	Description
POST	/customer/tokens	Create API token
GET	/customer/tokens	List API tokens
DELETE	/customer/tokens/{token_id}	Revoke a token

Related Docs

• CLI Reference — command-line interface
• TypeScript SDK — server-side SDK wrapping this API
• Browser SDK — client-side data access
• Connect — connection strings and drivers