Governed data access

The server-side data path that keeps tenant database credentials out of app code.

Beta. Updated 2026-06-11

Relpin app code should not receive raw tenant database credentials. Data access runs through server-side SDK paths that keep secrets outside browser surfaces and outside user-authored client code.

The invariant

App-visible runtime surfaces must not expose tenant database connection strings, connector tokens, or secret references.

The app can ask for governed data operations. The platform resolves credentials server-side and enforces the runtime boundary.

Preview data access

In container preview, the app talks to a local sidecar for database queries. The sidecar holds the tenant connection string in memory and executes the query on behalf of the app.

FastAPI or TypeScript app -> governed query transport -> tenant database

The app gets rows or an error. It does not get the database URL.

Published data access

Published apps use the runtime service path instead of the preview sidecar. The API surface stays aligned: app code uses the SDK, while Relpin owns credential resolution and runtime isolation.

Failure behavior

Missing credentials, missing bindings, invalid tenant scope, or missing permission should fail closed. A docs example should never instruct users to bypass these checks in browser code.
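
The preview sidecar pattern and the fail-closed checks above, sketched as an added example; this is not Relpin's SDK or sidecar code. The Sidecar class, GovernedQueryError, the "query" permission name, the app and tenant ids, and the SQLite stand-in for a tenant database are all assumptions made for illustration.

```python
import sqlite3

# Constructed stand-in for a tenant connection string (shared in-memory SQLite).
DEMO_DSN = "file:demo_tenant_a?mode=memory&cache=shared"

class GovernedQueryError(Exception):
    """The only failure app code sees; its message never carries the DSN."""

class Sidecar:
    """Hypothetical broker: holds DSNs in memory, hands back rows or an error."""

    def __init__(self, credentials, bindings, permissions):
        self._credentials = credentials  # tenant -> DSN, never returned
        self._bindings = bindings        # app_id -> tenant it is bound to
        self._permissions = permissions  # set of (app_id, operation)

    def query(self, app_id, tenant, sql, params=()):
        # Every check raises; there is no default-allow branch.
        bound = self._bindings.get(app_id)
        if bound is None:
            raise GovernedQueryError("missing binding")
        if tenant != bound:
            raise GovernedQueryError("invalid tenant scope")
        if (app_id, "query") not in self._permissions:
            raise GovernedQueryError("missing permission")
        dsn = self._credentials.get(bound)
        if not dsn:
            raise GovernedQueryError("missing credentials")
        try:
            conn = sqlite3.connect(dsn, uri=True)
            try:
                return conn.execute(sql, params).fetchall()
            finally:
                conn.close()
        except sqlite3.Error:
            # Drop driver detail, which can echo connection parameters.
            raise GovernedQueryError("query failed") from None

def demo():
    """Seed the constructed tenant DB and return (sidecar, keepalive)."""
    keepalive = sqlite3.connect(DEMO_DSN, uri=True)  # keeps the in-memory DB alive
    keepalive.execute("CREATE TABLE IF NOT EXISTS orders (id INTEGER, total REAL)")
    keepalive.execute("DELETE FROM orders")
    keepalive.execute("INSERT INTO orders VALUES (1, 9.5)")
    keepalive.commit()
    bindings = {"app1": "tenant_a", "app2": "tenant_b", "app3": "tenant_a"}
    perms = {("app1", "query"), ("app2", "query")}
    return Sidecar({"tenant_a": DEMO_DSN}, bindings, perms), keepalive
```
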