---
title: Governed data access
description: The server-side data path that keeps tenant database credentials out of app code.
section: Concepts
sidebarLabel: Governed data access
order: 30
updated: "2026-06-11"
status: beta
llms: true
keywords:
  - database
  - tenant isolation
  - sidecar
  - server-side SQL
---

Relpin app code should not receive raw tenant database credentials. Data access runs through server-side SDK paths that keep secrets outside browser surfaces and outside user-authored client code.

## The invariant

App-visible runtime surfaces must not expose tenant database connection strings, connector tokens, or secret references.

The app can ask for governed data operations. The platform resolves credentials server-side and enforces the runtime boundary.

## Preview data access

In container preview, the app talks to a local sidecar for database queries. The sidecar holds the tenant connection string in memory and executes the query on behalf of the app.

```text
FastAPI or TypeScript app -> governed query transport -> tenant database
```

The app gets rows or an error. It does not get the database URL.

## Published data access

Published apps use the runtime service path instead of the preview sidecar. The API surface stays aligned: app code uses the SDK, while Relpin owns credential resolution and runtime isolation.

## Failure behavior

Missing credentials, missing bindings, invalid tenant scope, or missing permission should fail closed. A docs example should never instruct users to bypass these checks in browser code.

## Related SDKs

- [TypeScript database access](/docs/sdk/typescript/db-access)
- [Python SDK overview](/docs/sdk/python/overview)
- [Python table helpers](/docs/sdk/python/table-helpers)