Skip to main content

Identity and Access

VeloDB Cloud uses separate identities for different access paths: console accounts and organization roles for the control plane, API keys for the management API, and warehouse users and roles for SQL access. This guide explains which identity governs each path and where to manage it.

Access Layers

LayerIdentity typeUsed forWhere to manage it
Console accessVeloDB Cloud account and organization membership.Signing in to the console and managing organizations, warehouses, billing, members, and plans.Members
Management API accessAPI key with a role assigned at creation time.Programmatic access to the VeloDB Cloud management API.API Keys
Warehouse accessWarehouse user and host identity.Connecting from applications, BI tools, and MySQL, JDBC, or HTTP clients.Warehouse Users and Roles

Console users and warehouse users are separate account systems: a console account signs in to VeloDB Cloud, while a warehouse user connects to a warehouse over SQL.

Console and Organization Access

Console accounts sign in to VeloDB Cloud. Each account can change its password and enable multi-factor authentication (MFA), and organization admins can require MFA for the whole organization and assign built-in or custom organization roles. For the full organization-role matrix, see Members; for MFA setup and enforcement, see Multi-Factor Authentication.

Warehouse Users and Roles

This layer uses warehouse users and roles, managed per warehouse. Access follows the MySQL-style permission model: role-based access control (RBAC), object-level privileges grouped by scope (global, data, workload group, resource, compute group, and cluster), and fine-grained data controls including row-level security, column-level security, and data masking.

To manage warehouse users, roles, and permissions in the console, see Warehouse Users and Roles. For the privilege list and SQL-level detail, see Built-in Authorization, Built-in Authentication, and Data Access Control.

API Keys

API keys are programmatic credentials for the VeloDB Cloud management API. Each key carries a role and an expiration, follows that role's permissions, and does not include direct warehouse access. To create and manage keys, see API Keys.