Collections
Per-collection real SQL tables — not JSON blobs. Fast queries, native indexes, ALTER TABLE diffs on schema edit.
Vaultbase
A self-hosted backend in a single binary. Collections, REST API, auth, realtime, files, server-side hooks — TypeScript on Bun.
Why Vaultbase
Section titled “Why Vaultbase”A backend you can ./vaultbase and forget about. No database to provision, no
auth service to wire up, no file storage to configure. One binary does it all,
with a built-in admin UI.
Auth
Email/password, OAuth2 (Google, GitHub, GitLab, +10 more), OTP / magic link, MFA / TOTP, anonymous sessions, admin impersonation.
Realtime
WebSocket with topic-based subscriptions — subscribe to a collection, a
specific record, or * for everything.
Files
Local FS / S3, MIME + size validation, multi-file fields, on-the-fly image thumbnails, rule-based protection (per-field rule, one-time tokens, IP-bound, audit).
Hooks
Server-side JS hooks (before/after × CRUD), custom HTTP routes under
/api/v1/custom/*, cron jobs — all editable from the admin UI.
Single binary
bun build --compile produces a self-contained binary per platform —
Linux, macOS, Windows. No native deps to ship alongside.
What’s in the box
Section titled “What’s in the box”- REST API — list/get/create/update/delete with filter, sort, expand (nested), field projection, skipTotal, batch
- Per-collection tables —
vb_<name>SQL tables with native indexes - Three collection types —
base,auth,view(read-only, SQL-backed) - Rule expression language — typed autocomplete in the admin UI
- OAuth2 — Google, GitHub, GitLab, Facebook, Microsoft, Discord, Twitch, Spotify, LinkedIn, Slack, Bitbucket, Notion, Patreon
- Email — SMTP config + verify/reset/OTP templates with
{{var}}interpolation - Encrypted fields — AES-GCM at rest via
VAULTBASE_ENCRYPTION_KEY - Logs — JSONL files per UTC day, never deleted, JSONPath search
- Rate limiting — per-IP token bucket, configurable per-route
- Backup / migrations — SQLite snapshot + JSON schema snapshot for
cross-environment sync; CLI ships
vaultbase backup --to s3://…for direct-to-object-store snapshots - Webhooks — outbound HMAC-signed HTTP delivery on record events
(
posts.create,users.update,*, …) and custom dispatches from hooks. Retry budget, dead-letter trail, SSRF egress guard - Feature flags — boolean / string / number / JSON flags with targeting rules (eq, in, contains, regex, gt/lt, between, exists), percentage rollout with sticky bucketing, multivariate variations, admin UI + public eval API
- Audit log — append-only record of state-changing admin actions (who / what / target / when) with admin UI + REST query API
- Active admin sessions — list, revoke per-jti, or force-logout-all from Settings → Security
- Brute-force lockout — per-email + per-IP failed-login throttle
- CORS — per-origin allow-list edited from Settings
- Password policy — configurable length + char classes + optional HIBP k-anonymity check
- Prometheus metrics —
/api/v1/metricsexposition with optional bearer auth; same data available to admins as JSON at/_/metrics - Update checker — periodic GitHub release poll with admin banner
- Hook egress filter (SSRF guard) — outbound
helpers.httpcalls run through a CIDR deny-list; internal/RFC1918 ranges blocked by default - Signed releases + SBOM — every binary keyless-signed via Sigstore
cosign with a CycloneDX SBOM;
install.sh --verify-sigruns the check before installing - Cron jobs — UTC, Monaco editor, run-now button, last-run status
- Rule-based file protection — per-field download rule (AND-combined
with collection rule),
requireAuth, single-use tokens, IP-bound tokens,files.downloadaudit row per fetch
At a glance
Section titled “At a glance”| Feature | Vaultbase |
|---|---|
| Single binary distribution | ✅ |
| Embedded DB (SQLite, no server) | ✅ |
| Built-in admin UI | ✅ |
| Realtime (WebSocket) | ✅ |
| TypeScript stack (Bun + Elysia) | ✅ |
| Server-side JS hooks + custom routes + cron jobs | ✅ |
| OAuth2 providers (Google, GitHub, Apple, Twitter/X, generic OIDC) | ✅ |
| File storage (local + S3 / Cloudflare R2) | ✅ |
| Rule-based file protection (per-field, one-time, IP-bound, audited) | ✅ |
| Encrypted fields (AES-GCM) | ✅ |
| MFA / TOTP + recovery codes | ✅ |
| Outbound webhooks (HMAC, retry, dead-letter) | ✅ |
| Feature flags + targeting + rollout (built-in) | ✅ |
| Audit log of admin actions | ✅ |
| Brute-force lockout (per-email + IP) | ✅ |
Prometheus /api/v1/metrics exposition | ✅ |
| Configurable CORS + password policy + HIBP check | ✅ |
| Signed releases (cosign) + SBOM (CycloneDX) | ✅ |
| SSRF egress guard for hooks | ✅ |
| Self-hosted, open source | ✅ |
Get started
Section titled “Get started”bun installbun run build # → ./vaultbase./vaultbase # starts on :8091# open http://localhost:8091/_/ → setup wizardThat’s it. Walk through the Quick start for your first collection.