Authentication | Geode Database

<h2 id="authentication" class="position-relative d-flex align-items-center group"> Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authentication" aria-haspopup="dialog" aria-label="Share link: Authentication"> Share link </button> </h2><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden> <div class="hsm-dialog" role="document"> <div class="hsm-header"> <h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2> <button type="button" class="hsm-close" aria-label="Close"> </button> </div> <div class="hsm-body"> <label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label> <div class="input-group mb-4 hsm-url-group"> <input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" /> <button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy"> </button> </div> <div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div> <div class="hsm-share-grid"> <a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Twitter </a> <a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> LinkedIn </a> <a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Facebook </a> </div> </div> </div> </div> <style> .heading-share-modal { position: fixed; inset: 0; display: flex; justify-content: center; align-items: center; background: rgba(0, 0, 0, 0.6); z-index: 1050; padding: 1rem; backdrop-filter: blur(4px); -webkit-backdrop-filter: blur(4px); } .heading-share-modal[hidden] { display: none !important; } .hsm-dialog { max-width: 420px; width: 100%; background: var(--bs-body-bg, #fff); color: var(--bs-body-color, #212529); border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); border-radius: 1rem; box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25); overflow: hidden; animation: hsm-fade-in 0.2s ease-out; } @keyframes hsm-fade-in { from { opacity: 0; transform: scale(0.95); } to { opacity: 1; transform: scale(1); } } [data-bs-theme="dark"] .hsm-dialog { background: #1e293b; border-color: rgba(255,255,255,0.1); color: #f8f9fa; } .hsm-header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 1.5rem; border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); background: rgba(0,0,0,0.02); } [data-bs-theme="dark"] .hsm-header { background: rgba(255,255,255,0.02); border-color: rgba(255,255,255,0.1); } .hsm-close { background: transparent; border: none; color: inherit; opacity: 0.5; padding: 0.25rem 0.5rem; border-radius: 0.25rem; font-size: 1.2rem; line-height: 1; transition: opacity 0.2s; } .hsm-close:hover { opacity: 1; } .hsm-body { padding: 1.5rem; } .hsm-url-group { display: flex !important; align-items: stretch; } .hsm-url-group .form-control { flex: 1; min-width: 0; margin: 0; background: var(--bs-secondary-bg, #f8f9fa); border-color: var(--bs-border-color, #dee2e6); border-top-right-radius: 0; border-bottom-right-radius: 0; height: 42px; } .hsm-url-group .btn { flex: 0 0 auto; margin: 0; margin-left: -1px; border-top-left-radius: 0; border-bottom-left-radius: 0; height: 42px; display: flex; align-items: center; justify-content: center; padding: 0 1.25rem; z-index: 2; } [data-bs-theme="dark"] .hsm-url-group .form-control { background: #0f172a; border-color: #334155; color: #e2e8f0; } .hsm-share-grid { display: flex; flex-direction: column; gap: 0.5rem; } .hsm-share-grid .btn { display: flex; align-items: center; justify-content: center; font-size: 0.9rem; padding: 0.6rem; border-color: var(--bs-border-color); width: 100%; } [data-bs-theme="dark"] .hsm-share-grid .btn { color: #e2e8f0; border-color: #475569; } [data-bs-theme="dark"] .hsm-share-grid .btn:hover { background: #334155; border-color: #cbd5e1; } </style> <script> (function(){ const modal = document.getElementById('headingShareModal'); if(!modal) return; const input = modal.querySelector('#headingShareInput'); const copyBtn = modal.querySelector('.hsm-copy'); const twitter = modal.querySelector('#share-twitter'); const linkedin = modal.querySelector('#share-linkedin'); const facebook = modal.querySelector('#share-facebook'); const closeBtn = modal.querySelector('.hsm-close'); let lastFocus=null; let trapBound=false; function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; } function isOpen(){ return !modal.hasAttribute('hidden'); } function hydrate(id){ const url=buildUrl(id); input.value=url; const enc=encodeURIComponent(url); const text=encodeURIComponent(document.title); if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`; if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`; if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`; } function openModal(id){ lastFocus=document.activeElement; hydrate(id); if(!isOpen()){ modal.removeAttribute('hidden'); } requestAnimationFrame(()=>{ input.focus(); }); trapFocus(); } function closeModal(){ if(!isOpen()) return; modal.setAttribute('hidden',''); if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus(); } function copyCurrent(){ try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); } catch(e){ fallback(); } } function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} } function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); } function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); } function bindShareButtons(){ document.querySelectorAll('.h-share').forEach(btn=>{ if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; } }); } bindShareButtons(); if(document.readyState==='loading'){ document.addEventListener('DOMContentLoaded', bindShareButtons); } else { requestAnimationFrame(bindShareButtons); } document.addEventListener('click', function(e){ const shareBtn=e.target.closest && e.target.closest('.h-share'); if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); } }, true); document.addEventListener('click', e=>{ if(e.target===modal) closeModal(); if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); } if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); } }); document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); }); function trapFocus(){ if(trapBound) return; trapBound=true; modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } }); } if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); }); })(); </script>Authentication (AuthN) verifies user identity before granting access to Geode. This page reflects the current tagged Geode authentication surface in <code>v0.2.18</code> plus the known auth gaps documented on <code>main</code> as of 2026-03-30. <blockquote> Current state <ul> <li>Implemented today: username/password, session tokens, API keys, MFA (TOTP), and mTLS</li> <li>Planned, not implemented: LDAP/Active Directory (<code>GAP-0246</code>) and OAuth2/OIDC (<code>GAP-0247</code>)</li> <li>Known limitation on <code>main</code>: CLI auth management commands still operate on the local auth store instead of delegating to a running server (<code>GAP-0270</code>)</li> </ul> </blockquote> <h3 id="feature-status" class="position-relative d-flex align-items-center group"> Feature Status <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="feature-status" aria-haspopup="dialog" aria-label="Share link: Feature Status"> Share link </button> </h3><table> <thead> <tr> <th>Method</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Username/Password</td> <td>Implemented</td> <td>Authentication is enabled by default</td> </tr> <tr> <td>Session tokens</td> <td>Implemented</td> <td>Stored in <code>~/.geode/credentials.json</code> when saved</td> </tr> <tr> <td>API keys</td> <td>Implemented</td> <td>Managed with <code>geode apikey ...</code></td> </tr> <tr> <td>MFA (TOTP)</td> <td>Implemented</td> <td>Core MFA support exists; some CLI end-to-end flows are affected by <code>GAP-0270</code></td> </tr> <tr> <td>mTLS</td> <td>Implemented</td> <td>Certificate-based client identity</td> </tr> <tr> <td>LDAP / Active Directory</td> <td>Planned</td> <td>Not implemented in <code>src/security/</code> as of 2026-03-30</td> </tr> <tr> <td>OAuth2 / OIDC</td> <td>Planned</td> <td>Not implemented in <code>src/security/</code> as of 2026-03-30</td> </tr> </tbody> </table> <h3 id="default-bootstrap" class="position-relative d-flex align-items-center group"> Default Bootstrap <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="default-bootstrap" aria-haspopup="dialog" aria-label="Share link: Default Bootstrap"> Share link </button> </h3>Authentication is enabled by default in modern Geode builds. On first startup, Geode creates the bootstrap admin user from environment variables. <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Defaults to username "geode" if not overridden export GEODE_ADMIN_USERNAME="geode" export GEODE_DEFAULT_PASSWORD="change-me-immediately" ./geode serve --listen 0.0.0.0:3141 </code></pre></div>If <code>GEODE_ADMIN_USERNAME</code> is omitted, the default bootstrap username is <code>geode</code>. The docs site previously used <code>admin</code> in examples; that is no longer the correct default. <h3 id="current-cli-surface" class="position-relative d-flex align-items-center group"> Current CLI Surface <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="current-cli-surface" aria-haspopup="dialog" aria-label="Share link: Current CLI Surface"> Share link </button> </h3> <h4 id="login-and-session-management" class="position-relative d-flex align-items-center group"> Login and Session Management <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="login-and-session-management" aria-haspopup="dialog" aria-label="Share link: Login and Session Management"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Login and save a session geode auth login -U geode --save-session # Reuse saved credentials automatically geode query "RETURN 1 AS x" # Inspect or clear saved credentials geode auth token geode auth logout </code></pre></div><code>geode auth --help</code> currently exposes: <ul> <li><code>login</code></li> <li><code>logout</code></li> <li><code>token</code></li> <li><code>init</code></li> <li><code>reseal</code></li> <li><code>verify</code></li> </ul> <h4 id="query-and-shell-authentication" class="position-relative d-flex align-items-center group"> Query and Shell Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="query-and-shell-authentication" aria-haspopup="dialog" aria-label="Share link: Query and Shell Authentication"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Explicit credentials geode query -U geode -P "RETURN 1 AS x" geode shell --server localhost:3141 -U geode -P secret # DSN-based credentials geode query --dsn quic://geode:secret@localhost:3141 "RETURN 1 AS x" geode shell --dsn quic://geode:secret@localhost:3141/social </code></pre></div> <h4 id="offline-auth-integrity-workflows" class="position-relative d-flex align-items-center group"> Offline Auth Integrity Workflows <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="offline-auth-integrity-workflows" aria-haspopup="dialog" aria-label="Share link: Offline Auth Integrity Workflows"> Share link </button> </h4>Auth storage now uses a graph-backed internal store with HMAC integrity support. The offline maintenance commands are: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode auth init --data-dir /var/lib/geode geode auth reseal --data-dir /var/lib/geode geode auth verify --data-dir /var/lib/geode </code></pre></div>Use these on-host against a stopped or explicitly managed data directory, not as a substitute for live server-side user administration. <h3 id="important-limitation-local-vs-server-side-auth-commands" class="position-relative d-flex align-items-center group"> Important Limitation: Local vs Server-Side Auth Commands <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="important-limitation-local-vs-server-side-auth-commands" aria-haspopup="dialog" aria-label="Share link: Important Limitation: Local vs Server-Side Auth Commands"> Share link </button> </h3>As of the 2026-03-30 audit, these commands still manage the local auth store and do not yet delegate to the running server over QUIC: <ul> <li><code>geode user ...</code></li> <li><code>geode role ...</code></li> <li><code>geode policy ...</code></li> <li><code>geode grant ...</code></li> <li><code>geode revoke ...</code></li> <li><code>geode apikey ...</code></li> <li>CLI MFA enrollment and verification flows</li> </ul> That is the root of <code>GAP-0270</code>, which currently accounts for most of the remaining geodetestlab failures on <code>main</code>. Practical guidance: <ul> <li>Use these commands for offline/on-host administration where local data-dir access is intended.</li> <li>Do not assume they operate against a live remote server yet.</li> <li>Track the next auth patch if you need server-delegated CLI user and API-key administration.</li> </ul> <h3 id="password-security" class="position-relative d-flex align-items-center group"> Password Security <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="password-security" aria-haspopup="dialog" aria-label="Share link: Password Security"> Share link </button> </h3>Geode documents and uses Argon2id-style password handling and enforces password policy at login/update time. <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: password_policy: min_length: 16 require_uppercase: true require_lowercase: true require_digits: true require_special: true expiration_days: 90 history_count: 5 </code></pre></div>The CLI help and current auth docs also assume: <ul> <li>the default bootstrap user is <code>geode</code></li> <li>password prompts are preferred over inline plaintext arguments</li> <li>saved sessions live at <code>~/.geode/credentials.json</code></li> </ul> <h3 id="api-keys" class="position-relative d-flex align-items-center group"> API Keys <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="api-keys" aria-haspopup="dialog" aria-label="Share link: API Keys"> Share link </button> </h3>API keys are managed through the <code>apikey</code> subcommand family: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode apikey create --user alice --name prod-app --scope query:execute geode apikey list --user alice geode apikey revoke --user alice --name prod-app geode apikey revoke-all --user alice --yes </code></pre></div>Current caveat: CLI API key management still falls under the local-store limitation described above. <h3 id="multi-factor-authentication-mfa" class="position-relative d-flex align-items-center group"> Multi-Factor Authentication (MFA) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="multi-factor-authentication-mfa" aria-haspopup="dialog" aria-label="Share link: Multi-Factor Authentication (MFA)"> Share link </button> </h3>Geode includes TOTP-based MFA support and recent March hardening fixes addressed deterministic secret generation. Core MFA support exists, but some CLI-driven MFA workflows are still constrained by <code>GAP-0270</code> because they do not yet delegate to the running server. <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: mfa: enabled: true totp: issuer: "Geode" digits: 6 period: 30 </code></pre></div>Use MFA for: <ul> <li>administrative users</li> <li>privileged automation accounts with interactive fallback</li> <li>regulated environments requiring step-up authentication</li> </ul> <h3 id="mutual-tls-mtls" class="position-relative d-flex align-items-center group"> Mutual TLS (mTLS) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="mutual-tls-mtls" aria-haspopup="dialog" aria-label="Share link: Mutual TLS (mTLS)"> Share link </button> </h3>Certificate-based client identity is available for zero-trust or service-mesh deployments. <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: mtls: enabled: true client_ca: "/etc/geode/certs/client-ca.pem" verify_client: "require" </code></pre></div>Client usage: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode query \ --ca-cert /etc/ssl/ca.crt \ --client-cert /etc/ssl/client.crt \ --client-key /etc/ssl/client.key \ --server secure.example.com:3141 \ "RETURN 1 AS x" </code></pre></div> <h3 id="planned-integrations" class="position-relative d-flex align-items-center group"> Planned Integrations <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="planned-integrations" aria-haspopup="dialog" aria-label="Share link: Planned Integrations"> Share link </button> </h3> <h4 id="ldap--active-directory" class="position-relative d-flex align-items-center group"> LDAP / Active Directory <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="ldap--active-directory" aria-haspopup="dialog" aria-label="Share link: LDAP / Active Directory"> Share link </button> </h4>LDAP/AD remains planned and is still tracked as <code>GAP-0246</code>. The March 2026 audits explicitly confirmed there is no LDAP/AD implementation in <code>src/security/</code>. For enterprise identity requirements today, use one of: <ul> <li>mTLS with your existing PKI</li> <li>username/password plus MFA</li> <li>API keys for scoped automation</li> </ul> <h4 id="oauth2--oidc" class="position-relative d-flex align-items-center group"> OAuth2 / OIDC <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="oauth2--oidc" aria-haspopup="dialog" aria-label="Share link: OAuth2 / OIDC"> Share link </button> </h4>OAuth2/OIDC remains planned and is still tracked as <code>GAP-0247</code>. The March 2026 audits explicitly confirmed there is no OAuth/OIDC implementation in <code>src/security/</code>. Do not treat old draft configuration examples as deployable current-state guidance. <h3 id="best-practices" class="position-relative d-flex align-items-center group"> Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="best-practices" aria-haspopup="dialog" aria-label="Share link: Best Practices"> Share link </button> </h3><ol> <li>Use <code>GEODE_DEFAULT_PASSWORD</code> only for bootstrap, then rotate immediately.</li> <li>Prefer <code>geode auth login --save-session</code> over repeated inline passwords.</li> <li>Use <code>--ca-cert</code> instead of <code>--insecure-tls-skip-verify</code> outside development.</li> <li>Treat <code>geode user|role|policy|grant|revoke|apikey</code> as local/offline tools until <code>GAP-0270</code> is closed.</li> <li>Reject semicolons in any caller-controlled FLE role input until the <code>GAP-0271</code> patch lands.</li> </ol> <h3 id="related-documentation" class="position-relative d-flex align-items-center group"> Related Documentation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="related-documentation" aria-haspopup="dialog" aria-label="Share link: Related Documentation"> Share link </button> </h3><ul> <li><a href="/docs/security/overview/" >Security Overview</a> </li> <li><a href="/docs/security/field-level-encryption/" >Field-Level Encryption</a> </li> <li><a href="/docs/reference/dsn/" >DSN Specification</a> </li> <li><a href="/docs/reference/cli-and-api/" >CLI and API</a> </li> </ul>