Identity and Access
VeloDB Cloud uses separate identities for different access paths: console accounts and organization roles for the control plane, API keys for the management API, and warehouse users and roles for SQL access. This guide explains which identity governs each path and where to manage it.
Access Layers
| Layer | Identity type | Used for | Where to manage it |
|---|---|---|---|
| Console access | VeloDB Cloud account and organization membership. | Signing in to the console and managing organizations, warehouses, billing, members, and plans. | Members |
| Management API access | API key with a role assigned at creation time. | Programmatic access to the VeloDB Cloud management API. | API Keys |
| Warehouse access | Warehouse user and host identity. | Connecting from applications, BI tools, and MySQL, JDBC, or HTTP clients. | Warehouse Users and Roles |
Console users and warehouse users are separate account systems: a console account signs in to VeloDB Cloud, while a warehouse user connects to a warehouse over SQL.
Console and Organization Access
Console accounts sign in to VeloDB Cloud. Each account can change its password and enable multi-factor authentication (MFA), and organization admins can require MFA for the whole organization and assign built-in or custom organization roles. For the full organization-role matrix, see Members; for MFA setup and enforcement, see Multi-Factor Authentication.
Warehouse Users and Roles
This layer uses warehouse users and roles, managed per warehouse. Access follows the MySQL-style permission model: role-based access control (RBAC), object-level privileges grouped by scope (global, data, workload group, resource, compute group, and cluster), and fine-grained data controls including row-level security, column-level security, and data masking.
To manage warehouse users, roles, and permissions in the console, see Warehouse Users and Roles. For the privilege list and SQL-level detail, see Built-in Authorization, Built-in Authentication, and Data Access Control.
API Keys
API keys are programmatic credentials for the VeloDB Cloud management API. Each key carries a role and an expiration, follows that role's permissions, and does not include direct warehouse access. To create and manage keys, see API Keys.