
Authentication

All API requests to Helix Enterprise are authenticated with a Bearer token. Tokens are managed through the Helix dashboard. Include the token in the Authorization header of every request:
Authorization: Bearer <token>
Requests without a valid token are rejected at the gateway before reaching any database node. Token rotation and revocation are performed in the dashboard with immediate effect.

Role-Based Access Control

Scoped API keys with role-based permissions (read-only, read-write, or restricted to specific stored queries) allow least-privilege credentials for each service or environment. Contact founders@helix-db.com to discuss RBAC requirements for your cluster.

SSO / SAML

SSO and SAML integration for dashboard access lets teams manage Helix users through an existing identity provider (Okta, Azure AD, Google Workspace, etc.) with centralized provisioning and deprovisioning. Contact founders@helix-db.com to discuss SSO requirements for your organization.

Audit Logs

Per-request audit logging covers timestamp, token identity, query name, source IP, and response status. Audit logs support compliance requirements (SOC 2, HIPAA, GDPR) and enable forensic analysis of access patterns. Contact founders@helix-db.com to discuss audit logging requirements for your cluster.
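The following is an added example, not Helix code: it shows how the five audit fields listed above can drive a simple access-pattern review, by building a per-token profile from a baseline period and flagging later requests that deviate from it. The JSON-lines layout, the key names, the token and query names, and the use of HTTP status codes 401/403 for denials are all assumptions, and the records are constructed.

```python
import json
from collections import defaultdict

# Constructed records. The JSON-lines layout and key names are assumptions;
# the page names the fields but does not define an export format.
BASELINE = """\
{"timestamp":"2025-01-10T09:00:00Z","token_id":"svc-reports","query":"getMonthlyTotals","source_ip":"192.0.2.10","status":200}
{"timestamp":"2025-01-10T09:05:00Z","token_id":"svc-ingest","query":"addEvent","source_ip":"192.0.2.20","status":200}
"""
OBSERVED = """\
{"timestamp":"2025-01-11T02:00:00Z","token_id":"svc-reports","query":"getMonthlyTotals","source_ip":"192.0.2.10","status":200}
{"timestamp":"2025-01-11T02:01:00Z","token_id":"svc-reports","query":"getMonthlyTotals","source_ip":"203.0.113.7","status":200}
{"timestamp":"2025-01-11T02:02:00Z","token_id":"svc-ingest","query":"listUsers","source_ip":"192.0.2.20","status":403}
{"timestamp":"2025-01-11T02:03:00Z","token_id":"svc-new","query":"addEvent","source_ip":"192.0.2.30","status":200}
"""

def parse(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_profile(records):
    """Map each token to the source IPs and query names it normally uses."""
    profile = defaultdict(lambda: {"ips": set(), "queries": set()})
    for r in records:
        if r["status"] < 400:  # only successful requests define normal use
            profile[r["token_id"]]["ips"].add(r["source_ip"])
            profile[r["token_id"]]["queries"].add(r["query"])
    return dict(profile)

def review(records, profile):
    """Return (timestamp, token_id, reason) for each deviation from the profile."""
    findings = []
    for r in records:
        ts, tok = r["timestamp"], r["token_id"]
        known = profile.get(tok)
        if known is None:  # token never seen in the baseline period
            findings.append((ts, tok, "unknown_token"))
            continue
        if r["source_ip"] not in known["ips"]:
            findings.append((ts, tok, "new_source_ip"))
        if r["query"] not in known["queries"]:
            findings.append((ts, tok, "new_query"))
        if r["status"] in (401, 403):  # assumed denial codes
            findings.append((ts, tok, "denied"))
    return findings

if __name__ == "__main__":
    for finding in review(parse(OBSERVED), build_profile(parse(BASELINE))):
        print(*finding)
```

A token that starts calling a query outside its usual set, or appears from a new source IP, is the kind of pattern that scoped keys and prompt revocation are meant to contain.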

Encryption

All traffic between clients and the gateway is encrypted in transit via TLS. Data at rest in object storage is encrypted using the storage provider’s server-side encryption.

For workloads that require traffic to remain entirely within the AWS network, PrivateLink creates a private endpoint in your VPC that routes to Helix Enterprise without traversing the public internet. Keeping traffic off the public internet eliminates exposure to internet-based threats and satisfies network isolation requirements common in regulated environments. Contact founders@helix-db.com to discuss PrivateLink configuration for your cluster.