Relpin app code should not receive raw tenant database credentials. Data access runs through server-side SDK paths that keep secrets outside browser surfaces and outside user-authored client code.
The invariant
App-visible runtime surfaces must not expose tenant database connection strings, connector tokens, or secret references.
The app can ask for governed data operations. The platform resolves credentials server-side and enforces the runtime boundary.
Preview data access
In container preview, the app talks to a local sidecar for database queries. The sidecar holds the tenant connection string in memory and executes the query on behalf of the app.
FastAPI or TypeScript app -> governed query transport -> tenant databaseThe app gets rows or an error. It does not get the database URL.
Published data access
Published apps use the runtime service path instead of the preview sidecar. The API surface stays aligned: app code uses the SDK, while Relpin owns credential resolution and runtime isolation.
Failure behavior
Missing credentials, missing bindings, invalid tenant scope, or missing permission should fail closed. A docs example should never instruct users to bypass these checks in browser code.