Access & Credentials
Every managed database comes with managed credentials that Miabi generates, stores encrypted, and makes available to your apps. You rarely need to copy a password by hand — apps consume the credentials automatically.
Managed credentials
When a database is provisioned, Miabi generates the default user, a strong password, and a connection string, then stores them in the workspace's secret vault — encrypted at rest and never logged in plaintext. See Encryption.
You can view the credentials in the database's detail view (with appropriate permissions) and rotate the password when needed.
How apps consume them
Attach a database to an application, and Miabi injects the connection details as environment variables / secrets at runtime. Typical injected values include host, port, database name, username, password, and a full connection URL.
Because the values come from the secret vault as environment variables, your app reads them like any other config — and if you rotate the password, attached apps pick up the new value on their next deploy.
Reference the injected connection URL (for example DATABASE_URL) instead of hardcoding
credentials. Rotating the password then requires no code change.
libSQL token auth
libSQL instances don't use a username/password. Instead, Miabi generates a per-instance
Ed25519 keypair at provision time and starts the sqld server with the public key; clients
authenticate with a JWT auth token minted from the private key (stored encrypted at rest,
like every other credential).
- Endpoint — clients connect over HTTP to the instance host on its libSQL port
(
8080) on the workspace's internal network; there is no separate wire protocol or CLI. - Auth — pass the injected auth token as a bearer token. Use a libSQL/Turso client
library (the token maps to the client's
authToken). - One database — the instance hosts a single database (named
default); you don't create logical databases on it.
The token is injected into attached apps as a secret alongside the host and URL, exactly like the other engines' passwords — so your app reads it from the environment and picks up a rotated token on its next deploy.
Connecting from your machine
Databases are not exposed to the host by default — they're only reachable on the workspace's internal network. When you need to connect directly from your laptop (a one-off migration, a manual query, an ad-hoc export), use port forwarding to open a temporary external port, then close it when you're done.
Don't bake database credentials into images, commit them to Git, or paste them into chat. Let Miabi inject them as secrets so they stay encrypted and rotatable.
Viewing database credentials is limited to Owners and Admins. Developers can create and operate databases but cannot reveal secret values; Viewers cannot either.