Every backend behind one typed API
The DataBroker contract covers relational, vector, object, cache,
document, graph, time-series, and analytical operations — plus transactions, CDC, catalog,
migration, DLQ, saga, policy, project, health, and admin/audit surfaces.
Relational + batch
Select / BatchSelect / Upsert / BatchUpsert / Delete over Postgres, MySQL, SQLite, MSSQL.
Vector & hybrid
Similarity, hybrid search, and upsert over Qdrant, Weaviate, Pinecone, and Elasticsearch kNN.
Object / blob
Put/get, presigned URLs, and multipart over S3, MinIO, Azure Blob, and GCS.
Cache
Get/set/delete/scan over Redis and Memcached with TTL semantics.
Document · graph · analytical
MongoDB documents, Neo4j graph edges, ClickHouse analytics, Cassandra time-series.
Projections & views
Materialized views and projections as first-class, typed read/write targets.
Transactions, 2PC/XA, and sagas
Per-request transactionality
Reads/writes within a request commit or roll back together; RLS context is tx-scoped (SET LOCAL), so transaction pooling is safe.
Real 2PC / XA
Postgres two-phase commit and MySQL XA behind UDB_2PC_ENABLED, with a durable in-doubt participant ledger and idempotent commit/rollback.
Sagas with recovery
Durable saga state transitions, idempotent compensations, and lease-protected recovery that resumes after a broker restart.
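The tx-scoped RLS context noted under per-request transactionality can be seen directly in PostgreSQL. This is an added example, not UDB's own code: the `invoices` table, the `tenant_isolation` policy, and the `app.tenant_id` setting name are assumptions made for illustration, and the rows are constructed.

```sql
-- Constructed schema and data (hypothetical names, not from UDB).
CREATE TABLE invoices (
    id        bigint  PRIMARY KEY,
    tenant_id text    NOT NULL,
    amount    numeric NOT NULL
);
INSERT INTO invoices VALUES (1, 'tenant-a', 10), (2, 'tenant-b', 20);

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- FORCE makes the table owner subject to the policy as well.
-- Superusers and BYPASSRLS roles still skip RLS, so connect as an ordinary role.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) yields NULL when the setting was never defined and
-- '' after a SET LOCAL has been reverted. NULLIF folds both into NULL, so the
-- comparison is never true and the policy fails closed when no tenant is set.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), ''))
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), ''));

-- Weak: session-scoped context. With a transaction-mode pooler the server
-- connection goes back to the pool with this value still set, and the next
-- client to borrow that connection inherits tenant-a's context.
SET app.tenant_id = 'tenant-a';
RESET app.tenant_id;

-- Corrected: transaction-scoped context. SET LOCAL is reverted at COMMIT or
-- ROLLBACK, so nothing outlives the transaction the pooler hands out.
BEGIN;
SET LOCAL app.tenant_id = 'tenant-a';
-- Equivalent form that accepts a bound parameter instead of a literal:
--   SELECT set_config('app.tenant_id', $1, true);
SELECT id, tenant_id, amount FROM invoices;   -- filtered by tenant_isolation
COMMIT;

-- Outside the transaction the context is gone; the policy now matches nothing.
SELECT current_setting('app.tenant_id', true) AS tenant_after_commit;
SELECT id FROM invoices;
```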
CDC to Kafka, exactly where it matters
- Transactional outbox relay — events commit with the mutation, never lost or double-sent.
- Durable delivery proof — a CDC journal gates ack/delete; no evidence ⇒ re-publish (at-least-once), Kafka transactions for exactly-once.
- DLQ & topic policy — malformed events route to a dead-letter queue; topics are validated before publish.
- Tenant-scoped, fail-closed — tenant-scoped topics refuse to emit or stream without tenant scope.
- Versioned dot topics — e.g. udb.storage.file.finalized.v1, reconciled against proto event contracts.
Non-Postgres sources too. External CDC sources route through the same pipeline as the Postgres outbox: validation, redaction, topic policy, DLQ, a durable delivery journal, deterministic source event ids, and transactional publish where configured.
Catalog, migrations, and review gates
- Staged catalogs — stage → activate → rollback, with deterministic checksums.
- Proto-driven migrations — plan/apply derived from annotations, with an audited op ledger.
- Review-required DDL — raw SQL, materialized views, triggers, unsafe enum changes, and RLS changes are review-gated; they can’t be applied unattended in production.
- Security-aware drift — table/column security changes produce visible migration/drift items and CI drift checks.
Route to the right store, per tenant and project
Data-plane routing uses tenant_id/project_id as the primary key, with explicit scatter-gather fallback and observable cross-shard metrics.