Skip to main content

Requirements

  • PostgreSQL 12+ (the trigger syntax used for append-only enforcement works on PostgreSQL 12 and later)
  • Vane connects via the pg npm package using DATABASE_URL

Connection string format

Set DATABASE_URL in your environment:
For Railway, Supabase, Neon, or other managed PostgreSQL providers, use the connection string they provide directly.

Schema

Vane creates all tables automatically on startup via CREATE TABLE IF NOT EXISTS. No manual migration is needed. The tables are:

companies

keys

api_keys

agents

records

The records table has append-only enforcement via PostgreSQL triggers installed at startup:
This is a database-level guarantee that the attestation log is append-only — even if the application server is compromised, direct database access cannot silently delete records.

revoked_passports

oauth_clients

OAuth client secrets are stored as SHA-256 hashes. The raw secret is shown once at creation and never stored.

oauth_tokens

Creating the database user

For production, create a dedicated PostgreSQL user with minimal privileges:
Vane does not need UPDATE or DROP on the records table. Restricting these at the PostgreSQL level adds defense-in-depth.

SSL connections

For managed PostgreSQL providers, require SSL:
The pg package respects the sslmode query parameter.

Connection pooling

The Store class creates one pg.Pool at startup. The pool defaults to 10 connections. For high-traffic deployments, consider PgBouncer or your provider’s connection pooler (e.g., Supabase’s Transaction mode pooler).