TL;DR
Xata is a serverless database with a developer-friendly API. Keep your API key server-side only, use the type-safe SDK to prevent injection attacks, and implement authorization logic in your application layer. Xata handles infrastructure security, encryption, and backups, but you're responsible for access control in your code.
How Xata Security Works
Xata provides several security features out of the box:
- API-first: All access goes through authenticated API endpoints
- Encryption: Data encrypted in transit (TLS) and at rest
- API keys: Fine-grained permissions for different use cases
- Type-safe SDK: Generated client helps prevent injection
API Key Security
Xata API keys are the primary authentication mechanism:
Key Types
- Personal API keys: Full access, for development only
- Workspace API keys: Scoped to specific workspaces
- Database API keys: Limited to specific databases
Best Practices
- Use the most restrictive key type for each use case
- Rotate keys periodically
- Never commit API keys to version control
- Store keys in environment variables
Server-side only: Never expose Xata API keys to the client. Create API routes in Next.js, Express, or your backend framework to proxy requests.
Authorization Patterns
Xata doesn't have built-in row-level security like Supabase. Implement authorization in your application:
Option 1: Application-Level Checks
- Verify user ownership before returning data
- Filter queries by user ID in your API routes
- Check permissions before write operations
Option 2: Separate Databases
- Use different databases for different tenants
- Each tenant has their own API key
- More isolation but more complexity
Type-Safe SDK Benefits
Xata's generated SDK provides security benefits:
- Queries are built programmatically, reducing injection risk
- Type checking catches invalid query structures
- Less room for manual query string construction errors
Use the SDK: The Xata TypeScript SDK provides type safety that helps prevent common mistakes. Avoid raw API calls when the SDK covers your use case.
Data Protection
What Xata Handles
- Encryption at rest and in transit
- Automatic backups
- Infrastructure security
- DDoS protection
Your Responsibilities
- API key protection
- Authorization logic
- Input validation before database operations
- Not storing secrets in the database unencrypted
Configuration Checklist
- Use environment variables for API keys
- Create separate keys for development and production
- Implement user authorization in API routes
- Validate and sanitize input before database operations
- Use the type-safe SDK rather than raw API calls
- Set up monitoring for unusual query patterns
Is Xata secure for production use?
Yes. Xata provides secure infrastructure with encryption in transit and at rest, SOC 2 compliance, and fine-grained API key permissions. As with any database, security also depends on how you configure and use it in your application.
Should I expose my Xata API key to the client?
No. Keep your Xata API key on the server side only. Create API routes in your application that proxy requests to Xata. Never include the API key in client-side JavaScript or environment variables prefixed with NEXT_PUBLIC_.
Does Xata support row-level security?
Xata works differently from traditional databases. It uses API keys with configurable permissions. For multi-tenant isolation, implement authorization checks in your application layer or use separate databases per tenant.
How do I handle sensitive data in Xata?
Don't store plaintext passwords or highly sensitive data without application-level encryption. Hash passwords before storing, and consider encrypting PII with a key you control.