v0.3.6 · 18 backends · 265 RPCs · six SDKs

UDB is the typed control point for app data

Declare once · enforce centrally · call from any SDK

Define entities, storage placement, tenant isolation, security annotations, and native service access in protobuf. UDB turns that descriptor into a gRPC broker, generated SDKs, migrations, policy checks, CDC, and runtime routing across 18 backend kinds.

Try the live playground View on GitHub

01Descriptorannotated proto, security options, backend mapping

02Brokerauth, tenant/project guard, admission, IR compiler

03BackendsSQL, vector, cache, object, graph, document, analytics

04SDKsconsistent facades, metadata, credentials, retries

DataBroker 77 RPCs Native services 188 RPCs Contract 3.0.0 Protocol 1.0.0

Backend kinds

DataBroker RPCs

188

Control-plane RPCs

SDK languages

The product

A data contract that also owns runtime behavior

UDB is useful when the hard part is not a single database query. It is keeping tenant scope, project scope, auth metadata, schema drift, generated clients, native services, and backend-specific execution consistent as the product grows. The descriptor is the source of truth; the broker enforces it on every request.

ModelEntities, table placement, columns, data classes, and storage targets live in annotated protobuf.

EnforceAuth, scopes, tenant/project binding, row-level security, idempotency, and audit metadata are checked before dispatch.

RouteThe broker compiles requests through a neutral IR and executes against SQL, vector, object, cache, graph, document, and analytical stores.

ShipSix SDKs expose the same project facade, credential rules, metadata headers, and generated native-service surface.

What ships

UDB is more than CRUD over gRPC

Data plane

77 broker RPCs

Select, upsert, delete, batch, vector search, object operations, graph traversal, cache, CDC, migrations, transaction control, and backend health through one serving contract.

Inspect the data plane

Control plane

188 native RPCs

Auth, identity federation, tenancy, policy bundles, API keys, notifications, storage, realtime, analytics, audit, and operational services behind the native listener.

Inspect native services

SDK contract

Workflow helpers over raw RPCs

Apps use uploadFile, bound entity/table CRUD, authz helpers, sessions, and event readiness. Raw generated clients stay available for admin and benchmark work.

Review SDK shape

Browser proof

Real parser in WASM

The playground runs UDB's parser bridge in WebAssembly, so users can inspect catalog output, generated DDL, and compiled SQL without a server.

Open the playground

Per-request pipeline

What happens on every call

Authenticate

JWT · session · API key · federated identity · mTLS SAN

Authorize

RBAC + ABAC + ReBAC over Casbin · deterministic decision id

Admit

per-tenant fair channels · bounded-queue backpressure

Compile IR

request → backend-agnostic intermediate representation

Execute

backend executor · RLS via SET LOCAL

Emit & audit

typed response · outbox event · redacted compliance envelope

See the full architecture →

Same contract, every language

Use the workflow client, drop to raw RPCs when needed

invoice.proto

message Invoice {
  option (udb.core.common.v1.pg_table) = {
    table: "invoices"  schema: "billing"
  };
  string invoice_id  = 1 [(...pg_column) = { primary_key: true }];
  string tenant_id   = 2 [(...pg_column) = { tenant_column: true }];
  string customer_id = 3;
  int64  total_cents = 4;
}

PythonGo TypeScriptCLI

import os
from udb_client.project import UdbProject

with UdbProject.connect(
    target="127.0.0.1:50051",
    tenant_id="acme",
    project_id="billing",
    bearer_token=os.environ["UDB_TOKEN"],
) as udb:
    pdf = open("invoice.pdf", "rb").read()
    udb.storage.upload_file("invoice.pdf", pdf, {"content_type": "application/pdf"})
    udb.authz.allow_role("reader", "invoice", "data.select")
    rows = udb.data.table("invoice").select(where={"status": "open"})

import (
    "os"
    udb "github.com/fahara02/udb/sdk/go/udbclient"
)

project, _ := udb.Connect(ctx, udb.Config{
    Target: "127.0.0.1:50051",
    TenantID: "acme", ProjectID: "billing",
    Credentials: udb.Credentials{Bearer: os.Getenv("UDB_TOKEN")},
})
defer project.Close()
pdf, _ := os.ReadFile("invoice.pdf")
_, _ = project.Storage.UploadFile(ctx, "invoice.pdf", pdf, udb.WithContentType("application/pdf"))
invoices := project.Entity("invoice", udb.Key("invoice_id"))
rows, _ := invoices.Select(ctx, map[string]any{"status": "open"})

import { readFile } from "node:fs/promises";
import { UdbProject } from "@udb_plus/sdk";

const udb = await UdbProject.connect({
  target: "127.0.0.1:50051",
  tenantId: "acme",
  projectId: "billing",
  credentials: { bearerToken: process.env.UDB_TOKEN },
});
const pdf = await readFile("invoice.pdf");
await udb.storage.uploadFile("invoice.pdf", pdf, { contentType: "application/pdf" });
await udb.authz.allowRole("reader", { resource: "invoice", action: "data.select" });
const rows = await udb.data.table("Invoice").select({ where: { status: "open" } });

# scaffold a project, generate SDKs, run the broker
$ udb scaffold
$ udb sdk generate
$ udb serve

# inspect the generated contract
$ udb native manifest | jq '.service_count'

Interactive · runs in your browser

Not just docs — UDB itself, in WebAssembly

UDB's real proto parser (the udb-portable crate compiled to WASM) runs entirely client-side. Paste a UDB-annotated .proto and watch UDB produce the exact catalog schema — tables, columns, RLS, per-column data classes — and the same deterministic manifest checksum the server computes. No server, no mock.

Open the playground

18 backend kinds · one neutral IR

Route to the right store

PostgreSQLMySQLSQLiteMS SQL ServerMongoDBCassandraClickHouseRedisMemcachedQdrantWeaviatePineconeElasticsearchNeo4jAmazon S3MinIOAzure BlobGoogle Cloud Storage PostgreSQLMySQLSQLiteMS SQL ServerMongoDBCassandraClickHouseRedisMemcachedQdrantWeaviatePineconeElasticsearchNeo4jAmazon S3MinIOAzure BlobGoogle Cloud Storage

Explore