Identity and Access
VeloDB Cloud uses separate identities for different access paths: console accounts and organization roles for the control plane, API keys for the management API, and database users and roles for warehouse access. This guide explains which identity governs each path and where to manage it.
Access Layers
| Layer | Identity type | Used for | Where to manage it |
|---|---|---|---|
| Console access | VeloDB Cloud account and organization membership. | Signing in to the console and managing organizations, warehouses, billing, members, and plans. | Account and Organization |
| Management API access | API key with a role assigned at creation time. | Programmatic access to the VeloDB Cloud management API. | API Keys |
| Warehouse/database access | Database user and host identity. | Connecting from applications, BI tools, and MySQL, JDBC, or HTTP clients. | User and Roles |
Console users and database users are separate account systems: a console account signs in to VeloDB Cloud, while a database user connects to a warehouse.
Console and Organization Access
Console accounts sign in to VeloDB Cloud. Each account can change its password and enable multi-factor authentication (MFA), and organization admins can require MFA for the whole organization and assign built-in or custom organization roles. For password and MFA settings and the full organization-role matrix, see Account and Organization.
Database Users and Roles
Warehouse access uses database users and roles, managed per warehouse. Access follows the MySQL-style permission model: role-based access control (RBAC), object-level privileges grouped by scope (global, data, workload group, resource, compute group, and cluster), and fine-grained data controls including row-level security, column-level security, and data masking.
To manage database users, roles, and permissions in the console, see User and Roles. For the privilege list and SQL-level detail, see Built-in Authorization, Built-in Authentication, and Data Access Control.
API Keys
API keys are programmatic credentials for the VeloDB Cloud management API. Each key carries a role and an expiration, follows that role's permissions, and does not include direct database access. To create and manage keys, see API Keys.