The Modern, AI-Powered Open-Source SQL IDE for Cloud-Native Teams.
Try Live Test • Documentation • Deploy Your Own
Try LibreDB Studio instantly without installation!
| Test | URL | Credentials |
|---|---|---|
| Public Test | app.libredb.org | SSO |
The test instance comes with a pre-configured PostgreSQL database via Seed Connections. No setup required!
LibreDB Studio is a lightweight, high-performance, and secure web-based SQL editor designed to bridge the gap between heavy desktop applications (like DataGrip/DBeaver) and minimal CLI tools. Built with a "Mobile-First, Professional-Always" philosophy, it empowers engineering teams to manage databases anywhere—from a 4K monitor to a mobile screen.
- Zero Install: Run a professional SQL IDE in your browser or private network.
- Multi-Platform: Native-like experience on both Web and Mobile browsers.
- AI-Native: Multi-model support (Gemini, OpenAI, or Local LLMs) for NL2SQL.
- DevOps Ready: Optimized for Kubernetes orchestration and Docker environments.
- Enterprise Grade: Built-in RBAC, SSO (OIDC), query auditing, and live health monitoring.
Connect to PostgreSQL, MySQL, Oracle, SQL Server, MongoDB, Redis, or SQLite with SSL/TLS and SSH Tunnel support.
- Monaco Engine: Powered by the same core as VS Code.
- Smart Autocomplete: Schema-aware suggestions for tables, columns, and SQL keywords.
- Multi-Tab Workspace: Handle parallel tasks with independent execution states.
- Visual EXPLAIN: Graphical execution plans to identify performance bottlenecks.
- Interactive ER Diagrams: Visual schema graph with real foreign key edges, cardinality labels, MiniMap navigation, table search/filter, compact mode, and PNG/SVG export. Automatic hierarchical layout powered by ELK.js.
- Schema Diff & Migration: Compare schema snapshots or cross-connection schemas side-by-side. Color-coded diff view (added/removed/modified) with automatic migration SQL generation for PostgreSQL, MySQL, SQLite, Oracle, and SQL Server.
- Snapshot Timeline: Visual horizontal timeline of schema snapshots. Click any two points to instantly compare and track schema evolution over time.
Visual schema explorer with interactive ER diagrams powered by ReactFlow.
- Universal LLM Support: Defaults to Gemini 2.5 Flash, but ready for OpenAI, Claude, or Local LLMs (Ollama/LM Studio).
- NL2SQL: Generate complex queries from natural language with schema-aware context.
- Query Safety Analysis: AI-powered pre-execution risk assessment for destructive queries (DELETE, DROP, TRUNCATE).
- AI Query Explainer: EXPLAIN plans translated into plain language with optimization suggestions.
- AI Query Autopilot: Automated slow query analysis with actionable index and rewrite recommendations.
- Schema Awareness: AI understands your specific database structure for pinpoint accuracy.
- Plug & Play: Works out of the box with zero complex configuration.
Ask questions in plain English and get executable SQL queries instantly.
- Universal Data Grid: Virtualized rendering (TanStack) for millions of rows.
- Inline Editing: Double-click to update values directly in the grid.
- Column Filtering: Per-column text filters on query results for instant data exploration.
- Interactive Pivot Table: Client-side pivoting with 5 aggregation functions (COUNT, SUM, AVG, MIN, MAX) and SQL generation.
- Expert Exporter: Instant CSV and JSON exports for reporting.
- 8 Chart Types: Bar, Line, Pie, Area, Scatter, Histogram, Stacked Bar, and Stacked Area charts powered by Recharts.
- Data Aggregation: Group-by with SUM, AVG, COUNT, MIN, MAX aggregation functions. Date grouping by hour, day, week, month, or year.
- Chart Persistence: Save chart configurations and reload them instantly. Manage a library of saved charts.
- Chart Dashboard: Grid view of all saved charts for at-a-glance data overview directly in the bottom panel.
- Client-Side Display Layer: Masks sensitive values in the browser UI — useful for screen sharing, demos, and reducing accidental on-screen exposure. Not server-enforced; query API responses still contain full values for authenticated users.
- Column-Name Pattern Matching: 10 built-in patterns (email, phone, credit card, SSN, password, IP, date, financial, and more) match result column headers by regex. Works when the output name matches (e.g.
SELECT salary). Aliases (salary AS x) and aggregates (SUM(salary)) are not masked today. - Configurable Rules: Admin panel to add, edit, enable/disable masking patterns. Custom patterns with regex support. Settings stored per-browser in localStorage.
- RBAC UI Controls: User role cannot toggle or reveal masked cells in the UI. Admin role can toggle masking and temporarily reveal individual cells (10s auto-hide).
- Export & Clipboard: CSV, JSON, and SQL INSERT exports use masked display values when masking is active in the UI. This does not prevent access to raw data via the API, browser DevTools, or admin reveal.
- UI Coverage: Grid, mobile card/table views, row detail sheet, and clipboard copy respect the active display mask.
- AI Data Profiler: One-click table profiling with column statistics (null %, cardinality, min/max, sample values) and AI-powered narrative summaries.
- ORM Code Generator: Generate TypeScript interfaces, Zod schemas, Prisma models, Go structs, Python dataclasses, and Java POJOs from live table schemas.
- Test Data Generator: Schema-aware fake data generation with 30+ semantic column inferences (email, phone, name, address, etc.). Produces INSERT statements or MongoDB insertMany JSON.
- Database Documentation: Auto-generated searchable data dictionary from live schema with AI-powered documentation and Markdown export.
One-click column profiling: null %, cardinality, min/max, and sample values for 300K+ rows.
Generate TypeScript interfaces, Prisma models, Go structs, and more from live schemas.
- Dual Auth Modes: Local email/password login or OpenID Connect (OIDC) Single Sign-On — switchable via environment variable.
- Vendor-Agnostic OIDC: Works with any OIDC-compliant provider — Auth0, Keycloak, Okta, Azure AD, Zitadel, Google, and more.
- PKCE Security: Authorization Code Flow with Proof Key for Code Exchange (S256) for secure authentication.
- Auto Role Mapping: Configurable claim-based role mapping with dot-notation for nested claims (e.g.,
realm_access.roles). - Provider Logout: Logout clears both local JWT session and identity provider session.
- Live Monitoring Dashboard: 7-tab monitoring with Overview, Performance, Queries, Sessions, Tables, Storage, and Connection Pool views.
- Time-Series Trend Charts: Real-time metric trends (connections, cache hit ratio, buffer pool, deadlocks) with auto-refreshing ring buffer history.
- Configurable Auto-Refresh: Polling intervals from 5s to 60s with play/pause control.
- Threshold Alerting: Color-coded health indicators (healthy/warning/critical) for cache hit ratio, connection usage, deadlocks, and buffer pool utilization.
- Connection Pool Stats: Live total/active/idle/waiting pool metrics with utilization progress bars.
- One-Click Maintenance: Trigger
VACUUM,ANALYZE,REINDEX,UPDATE STATISTICS,DBCC CHECKDB, andALTER INDEX REBUILDper database engine. - Audit Trail: Full history of every query executed across the organization.
| Database | Driver | Features |
|---|---|---|
| PostgreSQL | pg |
Full SQL IDE, EXPLAIN plans, transactions, query cancellation (pg_cancel_backend), SSL/TLS, SSH tunnel |
| MySQL | mysql2 |
Full SQL IDE, EXPLAIN plans, transactions, query cancellation (KILL QUERY), SSL/TLS, SSH tunnel |
| Oracle | oracledb (Thin mode) |
Full SQL IDE, FETCH FIRST N ROWS pagination, V$ monitoring views, ANALYZE TABLE, ALTER INDEX REBUILD, transactions |
| SQL Server | mssql (tedious) |
Full SQL IDE, TOP N / OFFSET FETCH pagination, sys.dm_* DMVs, UPDATE STATISTICS, DBCC CHECKDB, transactions, Azure SQL auto-detect |
| SQLite | bun:sqlite / node:sqlite (runtime-selected) |
Full SQL IDE, file-based or in-memory databases (server-local file) |
| MongoDB | mongodb |
JSON query editor, collection operations (find, aggregate, insert, update, delete) |
| Redis | ioredis |
Command editor, key browser, INFO-based monitoring |
All SQL databases share: schema explorer, ER diagrams, schema diff & migration, display masking (preview), monitoring dashboard, and connection string import.
Provider reference docs: each database has an in-depth reference (design, connection, query format, monitoring, limitations) under
docs/providers/. For the provider architecture and a guide to adding a new database, seedocs/DATABASE_PROVIDERS.md.
| Component | Technology | Target |
|---|---|---|
| Framework | Next.js 16 (App Router), React 19 | Web, Mobile |
| UI Engine | Tailwind CSS 4, Radix UI, shadcn/ui | Web, Mobile |
| Theming | CSS Variables + @theme inline (Guide) |
Web, Mobile |
| Editor | Monaco Editor (VS Code Engine) | Web |
| AI | Multi-Model (Gemini, OpenAI, Ollama, Custom) | Web, Mobile |
| Auth | JWT (jose) + OIDC (openid-client), PKCE, Role Mapping |
Web, Mobile |
| Database | PostgreSQL, MySQL, Oracle, SQL Server, SQLite, MongoDB, Redis | Web, Mobile |
| Charts | Recharts (Bar, Line, Pie, Area, Scatter, Histogram, Stacked) | Web, Mobile |
| ERD | React Flow, ELK.js (auto-layout) | Web |
| State/Grid | TanStack Table & Virtual | Web, Mobile |
| Deployment | Docker, Kubernetes | Web |
| Channel | Command | Notes |
|---|---|---|
| Docker | docker run -d -p 3000:3000 ghcr.io/libredb/libredb-studio:latest |
Zero-config: the admin password is printed to the log on first run |
| Helm (Kubernetes) | helm install libredb oci://ghcr.io/libredb/charts/libredb-studio |
Zero-config: first-run admin credentials are printed to the pod log |
| npx | npx @libredb/studio |
Linux/macOS, Node 20.9+ (Node 24 LTS recommended); downloads the release server tarball |
| Homebrew | brew trust libredb/tap && brew install libredb/tap/libredb-studio |
brew trust is required once (Homebrew 6+; run brew update if unknown) |
| deb / rpm | sudo dpkg -i libredb-studio_<version>_amd64.deb |
Attached to each GitHub release; systemd service included |
| Snap | sudo snap install libredb-studio |
From the next release, once Snap Store publishing goes live |
Homebrew, deb/rpm, Snap, and the npx launcher consume standalone artifacts attached to each GitHub release. Full per-channel guide — commands, configuration, systemd usage, and the Docker image tag model — in
docs/DISTRIBUTION.md.
Run LibreDB Studio with a single command — no clone, no install, no build:
docker run -d \
--name libredb-studio \
-p 3000:3000 \
-e ADMIN_EMAIL=admin@libredb.org \
-e ADMIN_PASSWORD=LibreDB.2026 \
-e USER_EMAIL=user@libredb.org \
-e USER_PASSWORD=LibreDB.2026 \
-e JWT_SECRET=change-me-to-a-random-32-char-string \
ghcr.io/libredb/libredb-studio:latestRegistry:
ghcr.io/libredb/libredb-studiois the primary image (no pull rate limits — preferred for Kubernetes/CI). The same image is also mirrored to Docker Hub aslibredb/libredb-studiofor convenience.
Open http://localhost:3000 and login with admin@libredb.org / LibreDB.2026.
Auth env vars (local provider):
ADMIN_PASSWORDandJWT_SECRETare only required whenAUTH_BOOTSTRAP=off; otherwise both are generated on first start (see Zero-config first run below).USER_EMAIL/USER_PASSWORDare optional; omit them to run admin-only (no default user password is ever assumed).ADMIN_EMAILdefaults toadmin@libredb.org. Using OIDC (NEXT_PUBLIC_AUTH_PROVIDER=oidc)? None of these are needed.
Tip: Add
-e LLM_PROVIDER=gemini -e LLM_API_KEY=your_key -e LLM_MODEL=gemini-2.5-flashto enable AI features.
Starting the server without JWT_SECRET / ADMIN_PASSWORD works out of the box:
the missing values are generated on first start, stored in <data dir>/auth-bootstrap.json
(file mode 0600), and the admin password is printed once to the server log. Explicitly
set environment variables always take precedence. Set AUTH_BOOTSTRAP=off to require
explicit configuration instead (recommended for production deployments).
Native packages for Debian/Ubuntu and RHEL/Fedora (amd64 and arm64) are attached to every GitHub release. They bundle the standalone server together with a private Node.js runtime (nothing else to install) and register a systemd service:
# Debian / Ubuntu
sudo dpkg -i libredb-studio_<version>_amd64.deb
# RHEL / Fedora / Rocky
sudo rpm -i libredb-studio-<version>.x86_64.rpm
# Start the service (first run prints the generated admin password to the journal)
sudo systemctl enable --now libredb-studio
journalctl -u libredb-studioConfiguration lives in /etc/libredb-studio/env (loaded by the unit; see the commented template
installed there), state (SQLite storage and generated credentials) in /var/lib/libredb-studio.
The libredb-studio command can also be run directly without systemd. Full details for this and
every other channel: docs/DISTRIBUTION.md.
- Bun (Recommended) or Node.js 24+
- A target database to query (PostgreSQL, MySQL, Oracle, SQL Server, SQLite, MongoDB, or Redis)
- Clone & Install
git clone https://github.com/libredb/libredb-studio.git cd libredb-studio bun install
2. **Configure Environment**
Create a `.env.local` file:
```env
# Authentication (email/password)
ADMIN_EMAIL=admin@libredb.org
ADMIN_PASSWORD=your_admin_password
USER_EMAIL=user@libredb.org
USER_PASSWORD=your_user_password
JWT_SECRET=your_32_character_random_string
# Optional: OIDC Single Sign-On (Auth0, Keycloak, Okta, Azure AD, etc.)
# NEXT_PUBLIC_AUTH_PROVIDER=oidc
# OIDC_ISSUER=https://your-provider.com
# OIDC_CLIENT_ID=your_client_id
# OIDC_CLIENT_SECRET=your_client_secret
# LLM Configuration
LLM_PROVIDER=gemini # options: gemini, openai, ollama, custom
LLM_API_KEY=your_api_key
LLM_MODEL=gemini-2.5-flash
LLM_API_URL=http://localhost:11434/v1 # optional for local LLMs (Ollama)
```
- Launch
Open http://localhost:3000
bun dev
Need databases to test with? We provide ready-to-use containers for all supported engines:
# Start all development databases (PostgreSQL, MySQL, MongoDB, SQL Server, Oracle)
docker compose -f database-compose.yml up -d
# Or start a specific database
docker compose -f database-compose.yml up -d postgres
docker compose -f database-compose.yml up -d mssql
docker compose -f database-compose.yml up -d oracle
# Start PostgreSQL with sample e-commerce data
docker compose -f docker/postgres.yml up -d
# Stop (keeps data)
docker compose -f database-compose.yml down
# Stop and remove all data
docker compose -f database-compose.yml down -v| Database | Host | Port | User | Password | Database/Service |
|---|---|---|---|---|---|
| PostgreSQL | localhost | 5432 | postgres | postgres | postgres |
| MySQL | localhost | 3306 | root | root | mysql |
| SQL Server | localhost | 1433 | sa | Password123! | master |
| Oracle | localhost | 1521 | system | Password123! | freepdb1 |
| MongoDB | localhost | 27017 | admin | admin | — |
The docker/postgres.yml setup includes a pre-loaded e-commerce schema:
| Feature | Description |
|---|---|
| PostgreSQL 18 | Official image with pg_stat_statements |
| pg_stat_statements | Pre-enabled for query monitoring |
| Sample Schema | E-commerce database (app schema) |
| Sample Data | 25 customers, 30 products, 100 orders |
| Views | Order summary, product sales, customer LTV |
Sample tables: app.customers, app.products, app.orders, app.order_items, app.product_reviews, app.categories, app.coupons, app.audit_log
This setup is ideal for testing the Monitoring Dashboard features with real
pg_stat_statementsdata.
LibreDB Studio has a comprehensive test suite with 3,000+ unit/integration tests and 32 E2E tests across 6 layers, with 90%+ line coverage measured on SonarCloud.
# Run all tests (unit + API + integration + hooks + components)
bun run test
# Run by layer
bun run test:unit # Pure function tests (1,600+ cases)
bun run test:api # API route handler tests (270+ cases)
bun run test:integration # Database provider tests (340+ cases)
bun run test:hooks # React hook tests (250+ cases)
bun run test:components # Component tests with mock isolation (570+ cases)
# E2E tests (requires build)
bun run test:e2e # Playwright browser tests (32 cases)
# Coverage report (lcov)
bun run test:coverage| Layer | Directory | Runner | Tests | What it covers |
|---|---|---|---|---|
| Unit | tests/unit/ |
bun:test |
~1,609 | Pure functions: SQL parser, connection strings, data masking, query limiter, schema diff, error classes, DB icons, showcase queries |
| API | tests/api/ |
bun:test |
~279 | Route handlers: auth, query, transaction, maintenance, AI endpoints, middleware |
| Integration | tests/integration/ |
bun:test |
~346 | Database providers: PG, MySQL, SQLite, MongoDB, Redis, Oracle, MSSQL |
| Hooks | tests/hooks/ |
bun:test |
~251 | React hooks: auth, connections, tabs, query execution, transactions, inline editing, AI chat, monitoring |
| Components | tests/components/ |
bun:test + happy-dom |
~570 | UI components: Studio, Sidebar, QueryEditor, ResultsGrid, Admin Dashboard, Charts, ERD |
| E2E | e2e/ |
Playwright | ~32 | Full browser flows: login, connections, query execution, tabs, export, admin |
- Test runner:
bun:test(built-in, Jest-compatible API) withhappy-domfor DOM environment - Component isolation: Component tests run in 6 isolated groups via
tests/run-components.shto preventmock.module()cross-contamination - E2E: Playwright with Chromium, runs against a production build (
bun run build && bun start) - CI: GitHub Actions runs lint + typecheck + build, unit/integration tests with coverage, E2E tests, and SonarCloud analysis
- Coverage:
bun test --coveragegenerates lcov reports for SonarCloud integration
Important: Always use
bun run testinstead of barebun test. The test script handles proper isolation between test groups.
Deploy your own instance of LibreDB Studio with a single click on Koyeb, Render, Railway, or CapRover:
CapRover: open your CapRover dashboard → Apps → One-Click Apps/Databases, search for LibreDB Studio, and deploy.
Koyeb: set a strong
JWT_SECRETand credentials before deploying (Koyeb cannot auto-generate secrets). The button usesSTORAGE_PROVIDER=local— connection metadata lives in the browser, which suits Koyeb's ephemeral filesystem. For persistence across redeploys, switch toSTORAGE_PROVIDER=postgresand pointSTORAGE_POSTGRES_URLat a Koyeb managed Postgres or Neon database. Seedeploy/koyeb/.Cosmos: install in one click from the Cosmos Marketplace — search for LibreDB Studio. Cosmos auto-generates secrets, provisions a persistent SQLite volume, and serves the app behind its SmartShield reverse proxy. See
deploy/cosmos/.
| Variable | Required | Description |
|---|---|---|
ADMIN_EMAIL |
❌ | Admin email (default: admin@libredb.org) |
ADMIN_PASSWORD |
❌ | Admin password; auto-generated on first run unless AUTH_BOOTSTRAP=off |
USER_EMAIL |
❌ | Optional user account email (default: user@libredb.org) |
USER_PASSWORD |
❌ | Optional; the lower-privilege user account exists only when set |
JWT_SECRET |
❌ | JWT secret (min 32 chars); auto-generated on first run unless AUTH_BOOTSTRAP=off |
AUTH_BOOTSTRAP |
❌ | off disables zero-config generation (strict mode; recommended for production) |
NEXT_PUBLIC_AUTH_PROVIDER |
❌ | local (default) or oidc for SSO |
OIDC_ISSUER |
❌ | OIDC issuer URL (required when oidc) |
OIDC_CLIENT_ID |
❌ | OIDC client ID (required when oidc) |
OIDC_CLIENT_SECRET |
❌ | OIDC client secret (required when oidc) |
OIDC_ADMIN_ROLES |
❌ | Comma-separated admin role values (default: admin) |
OIDC_ROLE_CLAIM |
❌ | Claim path for role (e.g. realm_access.roles) |
OIDC_SCOPE |
❌ | OIDC scope (default: openid profile email) |
LLM_PROVIDER |
❌ | AI provider: gemini, openai, ollama |
LLM_API_KEY |
❌ | API key for AI features |
LLM_MODEL |
❌ | Model name (e.g., gemini-2.5-flash) |
STORAGE_PROVIDER |
❌ | Storage provider: local (default), sqlite, or postgres |
STORAGE_POSTGRES_URL |
❌ | PostgreSQL connection URL (required when STORAGE_PROVIDER=postgres) |
SEED_CONFIG_PATH |
❌ | Path to seed connections YAML config (see Seed Connections) |
SEED_CACHE_TTL_MS |
❌ | Seed config cache TTL in ms (default: 60000) |
Tip: Copy
.env.exampleto.env.localfor local development.
- Fork this repository
- Connect to Koyeb: app.koyeb.com → New → Blueprint
- Select your forked repo and Koyeb will auto-detect
koyeb.yaml - Set Environment Variables in Koyeb Dashboard:
- Deploy!
LibreDB Studio is available as a one-click Railway template.
See deploy/railway/ for the template definition, install
instructions, and the publish checklist. The template runs the prebuilt
ghcr.io/libredb/libredb-studio image with SQLite persistence on a Railway
volume. Note: Docker-image templates require a manual version bump on each
release (same as CapRover).
LibreDB Studio is published in the official CapRover One-Click Apps catalog:
- Open your CapRover dashboard → Apps → One-Click Apps/Databases
- Search for LibreDB Studio
- Fill in the variables (admin/user credentials,
JWT_SECRET, optional AI/storage settings) - Deploy!
The app runs the prebuilt ghcr.io/libredb/libredb-studio image. As with Railway, Docker-image templates require a manual version bump on each release.
LibreDB Studio is listed in the official
Kubero template catalog (a self-hosted
"Heroku alternative for Kubernetes"). From your Kubero dashboard, browse
Templates, search LibreDB Studio, fill in the credentials / JWT_SECRET,
and deploy. The template runs the prebuilt ghcr.io/libredb/libredb-studio image
with SQLite persistence on a 5Gi volume at /app/data. See
deploy/kubero/ for install and post-install details. As with
Railway and CapRover, Docker-image templates require a manual version bump on
each release.
LibreDB Studio is listed in the official
Cosmos servapp marketplace
(Cosmos is a self-hosted server manager and secure
reverse proxy). From your Cosmos dashboard, open Marketplace, search
LibreDB Studio, and install. Cosmos auto-generates the credentials and
JWT_SECRET, provisions a persistent SQLite volume at /app/data, and serves
the app behind a SmartShield-protected route. See
deploy/cosmos/ for install and post-install details. As with
Railway, CapRover, and Kubero, Docker-image templates require a manual version
bump on each release.
LibreDB Studio includes a render.yaml Blueprint for one-click deployment:
- Fork this repository
- Connect to Render: dashboard.render.com → New → Blueprint
- Select your forked repo and Render will auto-detect
render.yaml - Set Environment Variables in Render Dashboard:
- Deploy!
Use the ready-to-use docker-compose.example.yml — it pulls the published image (ghcr.io/libredb/libredb-studio:latest), so no source build is needed. It documents every supported environment variable (auth, OIDC, storage, LLM, seed connections), with the less-common ones commented out.
# 1. Copy the ready-to-use compose file
cp docker-compose.example.yml docker-compose.yml
# 2. Create your .env (set at least JWT_SECRET / ADMIN_PASSWORD / USER_PASSWORD)
cp .env.example .env
# 3. Start
docker compose up -d # → http://localhost:3000This file is platform-neutral and works with PaaS tools that consume a plain docker-compose.yml (Dokploy, Coolify, Portainer, etc.) — point them at the file and set the secrets as environment variables.
The repository's default
docker-compose.ymlbuilds the image from source (build: .) and is intended for local development.
helm repo add libredb https://libredb.org/libredb-studio/
helm install libredb libredb/libredb-studio
# Retrieve the generated admin credentials from the pod log
kubectl logs deployment/libredb-libredb-studio | grep -A 4 "generated admin credentials"Or via OCI registry:
helm install libredb oci://ghcr.io/libredb/charts/libredb-studioFor production, provide your own secrets instead of relying on generated ones:
helm install libredb libredb/libredb-studio \
--set secrets.jwtSecret=$(openssl rand -base64 32) \
--set secrets.adminPassword=MyAdmin123Features: PostgreSQL subchart, Ingress/TLS, HPA, PDB, NetworkPolicy, ExternalSecrets support. See charts/libredb-studio/README.md for full documentation.
Pre-configure database connections via a YAML config file so users see them immediately after login. Ideal for Platform/SaaS deployments where admins provision databases for teams.
Features:
- Role-based access control (
admin,user,*wildcard) - Hybrid model:
managed: true(read-only, admin-controlled) ormanaged: false(editable copy for user) - Credentials injected via
${ENV_VAR}syntax — never stored in config file - Hot-reload: config changes apply within 60s without restart
- Works with Docker, docker-compose, and Kubernetes (Helm)
1. Create a config file (seed-connections.yaml):
version: "1"
defaults:
managed: true
environment: production
connections:
- id: "prod-analytics"
name: "Production Analytics"
type: postgres
host: analytics-db.internal
port: 5432
database: analytics
user: "readonly_user"
password: "${ANALYTICS_DB_PASSWORD}"
roles: ["admin"]
color: "#10B981"
- id: "dev-sandbox"
name: "Dev Sandbox"
type: mysql
host: dev-mysql.internal
port: 3306
database: sandbox
user: "dev_user"
password: "${DEV_DB_PASSWORD}"
roles: ["*"]
managed: false2. Mount and configure:
Docker
docker run -v ./seed-connections.yaml:/app/config/seed-connections.yaml:ro \
-e SEED_CONFIG_PATH=/app/config/seed-connections.yaml \
-e ANALYTICS_DB_PASSWORD=secret \
-e DEV_DB_PASSWORD=devsecret \
ghcr.io/libredb/libredb-studio:latestDocker Compose
services:
app:
image: ghcr.io/libredb/libredb-studio:latest
volumes:
- ./seed-connections.yaml:/app/config/seed-connections.yaml:ro
environment:
SEED_CONFIG_PATH: /app/config/seed-connections.yaml
ANALYTICS_DB_PASSWORD: ${ANALYTICS_DB_PASSWORD}
DEV_DB_PASSWORD: ${DEV_DB_PASSWORD}Kubernetes (Helm)
# values.yaml
seedConnections:
enabled: true
config:
version: "1"
connections:
- id: "prod-analytics"
name: "Production Analytics"
type: postgres
host: analytics-db.internal
password: "${ANALYTICS_DB_PASSWORD}"
roles: ["admin"]
# Credentials via K8s Secret:
extraEnvFrom:
- secretRef:
name: seed-db-credentialsConfig Reference:
| Field | Required | Description |
|---|---|---|
version |
Yes | Must be "1" |
defaults |
No | Default values merged into all connections |
connections[].id |
Yes | Unique slug ([a-z0-9-]+, max 64 chars) |
connections[].name |
Yes | Display name in UI |
connections[].type |
Yes | postgres, mysql, sqlite, mongodb, redis, oracle, mssql |
connections[].roles |
Yes | ["*"] (everyone), ["admin"], ["user"], or ["admin", "user"] |
connections[].managed |
No | true = read-only (default), false = editable copy for user |
connections[].password |
No | Use ${ENV_VAR} syntax for secrets |
connections[].environment |
No | production, staging, development, local, other |
connections[].group |
No | Group label in sidebar |
connections[].color |
No | Hex color for badge (e.g., #10B981) |
Environment Variables:
| Variable | Default | Description |
|---|---|---|
SEED_CONFIG_PATH |
/app/config/seed-connections.yaml |
Path to config file |
SEED_CACHE_TTL_MS |
60000 |
Cache TTL in ms (hot-reload interval) |
- Phase 1: Monaco SQL IDE & Multi-Tab Support.
- Phase 2: Multi-Model AI (Gemini, OpenAI, Ollama, Custom) Integration.
- Phase 3: Pro Data Grid & Virtualization.
- Phase 4: Multi-Database Support (PostgreSQL, MySQL, SQLite, MongoDB, Redis).
- Phase 5: Interactive ER Diagrams (Visual Schema Graph).
- Phase 6: Enterprise Foundation (Connection Testing, SSL/TLS, SSH Tunnel, Transaction Control, Query Cancellation).
- Phase 7: AI Intelligence (NL2SQL, Query Safety Analysis, AI Index Advisor, Multi-Turn Chat, Query Autopilot).
- Phase 8: Analyst & Developer Tools (Data Profiler, Code Generator, Test Data Generator, Pivot Table, Column Filtering, Database Docs).
- Phase 9: Display Masking — Preview (column-name pattern matching, configurable rules, RBAC UI controls, client-side export/clipboard masking).
- Phase 10: Advanced ERD (Real FK Edges, ELK.js Auto-Layout, MiniMap, PNG/SVG Export, Compact Mode, Table Search).
- Phase 11: Schema Diff & Migration (Snapshot Timeline, Cross-Connection Diff, Migration SQL Generation for PostgreSQL, MySQL, SQLite, Oracle, and SQL Server).
- Phase 12: Advanced Charting (Scatter, Histogram, Stacked Charts, Aggregation, Date Grouping, Chart Save/Load, Chart Dashboard).
- Phase 13: Monitoring Enhancement (Time-Series Trends, Threshold Alerting, Connection Pool Stats, Configurable Polling).
- Phase 14: Enterprise Database Support (Oracle Database via oracledb Thin mode, Microsoft SQL Server via mssql/tedious).
- Phase 15: SSO Integration — Vendor-agnostic OIDC authentication (Auth0, Keycloak, Okta, Azure AD, Zitadel) with PKCE, role mapping, and provider logout.
- Phase 16: DBA & Monitoring (Lock Dependency Graph, Vacuum Scheduler, Prometheus Export).
- Phase 17: Enterprise Collaboration (User Identity, Shared Workspaces, SAML 2.0).
- Phase 18: Server-Enforced Data Masking (SQL output-lineage, deployment-global policy, fail-closed API masking, alias/aggregate coverage).
| Resource | Description |
|---|---|
| DeepWiki | AI-powered documentation — always up-to-date with the codebase |
| SonarCloud | Code quality, security analysis, and technical debt tracking |
| API Docs | Complete REST API reference |
| OIDC SSO | SSO setup (Auth0, Keycloak, Okta, Azure AD, Zitadel, Google) + subsystem internals & security model |
| Theming Guide | CSS theming, dark mode, and styling customization |
| Login Page | Login page layout, OIDC/local modes, and design system |
| Editor Docs | SQL editor internals — completion, performance, query optimization |
| Architecture | System architecture and design patterns |
libredb-studio is free and open source. If it helps you or your team, consider sponsoring the project — your support funds maintenance, bug fixes, new database providers, and the ongoing development of the open-source edition.
Be the first to sponsor libredb-studio!
We welcome contributions from the community! Whether it's a bug fix, a new feature, or documentation improvements:
- Fork the Project.
- Create your Feature Branch (
git checkout -b feature/AmazingFeature). - Commit your Changes (
git commit -m 'Add some AmazingFeature'). - Push to the Branch (
git push origin feature/AmazingFeature). - Open a Pull Request.
Distributed under the MIT License. See LICENSE for more information.
Built for DBAs and Developers.
