[{"data":1,"prerenderedAt":345},["ShallowReactive",2],{"blog-guides/xata":3},{"id":4,"title":5,"body":6,"category":320,"date":321,"dateModified":321,"description":322,"draft":323,"extension":324,"faq":325,"featured":323,"headerVariant":329,"image":330,"keywords":330,"meta":331,"navigation":332,"ogDescription":333,"ogTitle":334,"path":335,"readTime":336,"schemaOrg":337,"schemaType":338,"seo":339,"sitemap":340,"stem":341,"tags":342,"twitterCard":343,"__hash__":344},"blog/blog/guides/xata.md","Xata Security Guide: Serverless Database Protection",{"type":7,"value":8,"toc":299},"minimark",[9,16,21,24,53,57,60,65,85,89,103,112,116,119,123,134,138,149,153,156,167,176,180,184,198,202,216,220,240,268,287],[10,11,12],"tldr",{},[13,14,15],"p",{},"Xata is a serverless database with a developer-friendly API. Keep your API key server-side only, use the type-safe SDK to reduce injection risk, and implement authorization logic in your application layer. Xata handles infrastructure security, encryption, and backups, but you're responsible for access control in your code.",[17,18,20],"h2",{"id":19},"how-xata-security-works","How Xata Security Works",[13,22,23],{},"Xata provides several security features out of the box:",[25,26,27,35,41,47],"ul",{},[28,29,30,34],"li",{},[31,32,33],"strong",{},"API-first:"," All access goes through authenticated API endpoints",[28,36,37,40],{},[31,38,39],{},"Encryption:"," Data encrypted in transit (TLS) and at rest",[28,42,43,46],{},[31,44,45],{},"API keys:"," Fine-grained permissions for different use cases",[28,48,49,52],{},[31,50,51],{},"Type-safe SDK:"," Generated client helps prevent injection",[17,54,56],{"id":55},"api-key-security","API Key Security",[13,58,59],{},"Xata API keys are the primary authentication mechanism:",[61,62,64],"h3",{"id":63},"key-types","Key Types",[25,66,67,73,79],{},[28,68,69,72],{},[31,70,71],{},"Personal API keys:"," Full access, for development only",[28,74,75,78],{},[31,76,77],{},"Workspace API keys:"," Scoped 
to specific workspaces",[28,80,81,84],{},[31,82,83],{},"Database API keys:"," Limited to specific databases",[61,86,88],{"id":87},"best-practices","Best Practices",[25,90,91,94,97,100],{},[28,92,93],{},"Use the most restrictive key type for each use case",[28,95,96],{},"Rotate keys periodically",[28,98,99],{},"Never commit API keys to version control",[28,101,102],{},"Store keys in environment variables",[104,105,106],"warning-box",{},[13,107,108,111],{},[31,109,110],{},"Server-side only:"," Never expose Xata API keys to the client. Create API routes in Next.js, Express, or your backend framework to proxy requests.",[17,113,115],{"id":114},"authorization-patterns","Authorization Patterns",[13,117,118],{},"Xata doesn't have built-in row-level security like Supabase. Implement authorization in your application:",[61,120,122],{"id":121},"option-1-application-level-checks","Option 1: Application-Level Checks",[25,124,125,128,131],{},[28,126,127],{},"Verify user ownership before returning data",[28,129,130],{},"Filter queries by user ID in your API routes",[28,132,133],{},"Check permissions before write operations",[61,135,137],{"id":136},"option-2-separate-databases","Option 2: Separate Databases",[25,139,140,143,146],{},[28,141,142],{},"Use different databases for different tenants",[28,144,145],{},"Each tenant has their own API key",[28,147,148],{},"More isolation but more complexity",[17,150,152],{"id":151},"type-safe-sdk-benefits","Type-Safe SDK Benefits",[13,154,155],{},"Xata's generated SDK provides security benefits:",[25,157,158,161,164],{},[28,159,160],{},"Queries are built programmatically, reducing injection risk",[28,162,163],{},"Type checking catches invalid query structures",[28,165,166],{},"Less room for manual query string construction errors",[168,169,170],"tip-box",{},[13,171,172,175],{},[31,173,174],{},"Use the SDK:"," The Xata TypeScript SDK provides type safety that helps prevent common mistakes. 
Avoid raw API calls when the SDK covers your use case.",[17,177,179],{"id":178},"data-protection","Data Protection",[61,181,183],{"id":182},"what-xata-handles","What Xata Handles",[25,185,186,189,192,195],{},[28,187,188],{},"Encryption at rest and in transit",[28,190,191],{},"Automatic backups",[28,193,194],{},"Infrastructure security",[28,196,197],{},"DDoS protection",[61,199,201],{"id":200},"your-responsibilities","Your Responsibilities",[25,203,204,207,210,213],{},[28,205,206],{},"API key protection",[28,208,209],{},"Authorization logic",[28,211,212],{},"Input validation before database operations",[28,214,215],{},"Not storing secrets in the database unencrypted",[17,217,219],{"id":218},"configuration-checklist","Configuration Checklist",[25,221,222,225,228,231,234,237],{},[28,223,224],{},"Use environment variables for API keys",[28,226,227],{},"Create separate keys for development and production",[28,229,230],{},"Implement user authorization in API routes",[28,232,233],{},"Validate and sanitize input before database operations",[28,235,236],{},"Use the type-safe SDK rather than raw API calls",[28,238,239],{},"Set up monitoring for unusual query patterns",[241,242,243,250,256,262],"faq-section",{},[244,245,247],"faq-item",{"question":246},"Is Xata secure for production use?",[13,248,249],{},"Yes. Xata provides secure infrastructure with encryption in transit and at rest, SOC 2 compliance, and fine-grained API key permissions. As with any database, security also depends on how you configure and use it in your application.",[244,251,253],{"question":252},"Should I expose my Xata API key to the client?",[13,254,255],{},"No. Keep your Xata API key on the server side only. Create API routes in your application that proxy requests to Xata. 
Never include the API key in client-side JavaScript or environment variables prefixed with NEXT_PUBLIC_.",[244,257,259],{"question":258},"Does Xata support row-level security?",[13,260,261],{},"Xata does not provide built-in row-level security; it uses API keys with configurable permissions instead. For multi-tenant isolation, implement authorization checks in your application layer or use separate databases per tenant.",[244,263,265],{"question":264},"How do I handle sensitive data in Xata?",[13,266,267],{},"Don't store plaintext passwords or highly sensitive data without application-level encryption. Hash passwords before storing, and consider encrypting PII with a key you control.",[269,270,271,277,282],"related-articles",{},[272,273],"related-card",{"description":274,"href":275,"title":276},"Alternative with built-in RLS","/blog/guides/supabase","Supabase Security Guide",[272,278],{"description":279,"href":280,"title":281},"Another serverless database","/blog/guides/planetscale","PlanetScale Security",[272,283],{"description":284,"href":285,"title":286},"Protecting credentials","/blog/how-to/secure-api-keys","Secure API Keys",[288,289,292,296],"cta-box",{"href":290,"label":291},"/","Start Free Scan",[17,293,295],{"id":294},"using-xata","Using Xata?",[13,297,298],{},"Scan your application for security issues.",{"title":300,"searchDepth":301,"depth":301,"links":302},"",2,[303,304,309,313,314,318,319],{"id":19,"depth":301,"text":20},{"id":55,"depth":301,"text":56,"children":305},[306,308],{"id":63,"depth":307,"text":64},3,{"id":87,"depth":307,"text":88},{"id":114,"depth":301,"text":115,"children":310},[311,312],{"id":121,"depth":307,"text":122},{"id":136,"depth":307,"text":137},{"id":151,"depth":301,"text":152},{"id":178,"depth":301,"text":179,"children":315},[316,317],{"id":182,"depth":307,"text":183},{"id":200,"depth":307,"text":201},{"id":218,"depth":301,"text":219},{"id":294,"depth":301,"text":295},"guides","2026-02-03","Security guide for Xata users. 
Learn about API key protection, access control, and secure development with Xata's serverless database platform.",false,"md",[326,327,328],{"question":246,"answer":249},{"question":252,"answer":255},{"question":258,"answer":261},"blue",null,{},true,"How to secure your Xata serverless database with proper API keys and access controls.","Xata Security Guide","/blog/guides/xata","6 min read","[object Object]","BlogPosting",{"title":5,"description":322},{"loc":335},"blog/guides/xata",[],"summary_large_image","qDHKnxEqZgS5ZAp7PvYboOS4RQfI5Xy55bs_f5wKu7Q",1775843929060]