Governed database & API access, built for engineers.
AccessFlow is an open-source access proxy for SQL and NoSQL databases — and outbound
REST, SOAP, GraphQL, and gRPC APIs — that sits between your team and your data. Every query
and every API call is checked, sorted by type, optionally AI-reviewed, and routed through a
configurable human-approval workflow before it touches production — with a tamper-evident
metadata audit trail of every decision.
→ Open http://localhost:5173 — the setup wizard creates the first admin
Architecture
One proxy. Every query and API call. Zero shared credentials.
Nobody gets the database password or the API credentials — not even your own team.
AccessFlow sits in the middle and is the only thing that ever connects to the real database
or upstream API, and only after a request is approved. Users sign in to AccessFlow, never to
the target; behind the scenes the proxy holds the real database connection pools and the
connectors' encrypted credentials, and reaches out on their behalf.
CLIENT: React SPA · /ws · REST
API GATEWAY: REST + WebSocket gateway · JWT · modular service
Observability: HTTP health and readiness probes. OpenTelemetry OTLP trace export of the full proxy pipeline (Tempo / Jaeger / Honeycomb), Prometheus metrics, and pre-built Grafana dashboards (query volume, approval SLAs, AI usage, rejection rates, pool stats). HMAC-SHA256 chained, append-only metadata audit log of every action. Optional one-line-JSON console logs (logstash / ECS / GELF) for ELK / OpenSearch.
Capabilities
The middle ground between blanket access and a DBA ticket queue.
Turn each capability on where you need it, tune it per database, and see everything that happens. Runs entirely inside your own infrastructure — nothing leaves the box.
Full query proxy — SQL and NoSQL
Every query is inspected before it ever reaches the database — parsed, sorted by type (read, write, or schema change), checked against the tables a user is allowed to touch, and routed through your review policy. The same governance covers NoSQL too: MongoDB, Couchbase, Redis, Cassandra, Elasticsearch, DynamoDB, and Neo4j all flow through identical checks, with dangerous or server-side commands blocked up front. Layer on row-level security so users only see the rows they're cleared for, dynamic masking that hides sensitive columns per person, and data-classification tags (PII, PCI, PHI, GDPR) that auto-apply masking and raise a query's risk score. A dry-run preview shows a query's impact before review without changing any data, and every executed query is saved as an exact snapshot you can replay in a test environment.
An AI assistant reads each query first and flags anything risky — like a senior reviewer who never sleeps. Every query gets a 0–100 risk score, missing-index detection, and anti-pattern flags before a human sees it, plus concrete fixes you can apply as a draft. Pick your provider per organization (Anthropic, OpenAI, Ollama, any OpenAI-compatible backend, or Hugging Face) and tune the analyzer with an editable prompt and a RAG knowledge base of your house rules. Run several models at once and combine their verdicts by weighted, highest-risk, or majority voting — say a fast local model alongside a deep cloud one — with per-model cost and latency charted on the dashboard. Add guardrails that block configured prompt patterns before a model is ever called. Opt in to text-to-query — describe what you want in plain language and the AI drafts it in the database's own language, still routed through review. Beyond single queries, behavioral anomaly detection learns each user's normal pattern and escalates anything out of the ordinary, and an admin dashboard charts risk trends over time.
Decide who must sign off before a query runs, and route each request automatically. Build per-datasource approval chains with multi-stage reviewers, auto-approve reads, timeouts, and bulk decisions — and scope each queue to the right team by user or group. Add policy-as-code routing to auto-approve, escalate, or require extra approvals based on query type, AI risk, who's asking, time of day, and where the request came from. Users can request just-in-time temporary access, and for genuine emergencies break-glass runs a query immediately — still through every guard — while paging all admins and opening a mandatory follow-up review. Reviewers are notified by Email, Slack, Discord, Telegram, Teams, PagerDuty, or webhook, and can approve right from Slack or one tap on a mobile push (with a step-up check). While a query waits, reviewers and the submitter can even co-author it live — any edit re-enters review, so approvals are never skipped.
Sign in with the accounts your company already uses — SAML 2.0 SSO and OAuth 2.0 / OIDC, with built-in templates for Google, GitHub, Microsoft, GitLab, and a generic provider for any other IdP (Keycloak, Auth0, Okta, …). Roles and group memberships sync automatically from your identity provider on every login, with optional TOTP two-factor. One deployment hosts multiple fully-isolated organizations, and a super-admin manages tenants across the cluster — with per-org quotas and a kill-switch that disables an org instantly.
Every decision is recorded in a log that can't be quietly edited after the fact — append-only, cryptographically chained, and searchable, with CSV export and no row data ever stored. Pre-built compliance reports — classified-data access (PII/PCI/PHI/GDPR) and a DDL/DELETE trail with approver names — export as digitally signed PDF/CSV that verify offline, surfaced to a dedicated read-only Auditor role.
HMAC-SHA256 chain · signed exports
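The HMAC-SHA256 chained audit trail described above, as an added illustration in Python (not AccessFlow's own code): each row's MAC covers its fields plus the previous row's MAC, so a quiet edit to an earlier decision is detected on verification. The key name, row shape and the three-step trail are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice the key is held only by the proxy (assumption),
# and rows hold metadata only (actor, action, request id), never query results.
AUDIT_HMAC_KEY = b"demo-only-audit-key"
GENESIS = "0" * 64          # stands in for the MAC of a non-existent predecessor

def _canonical(body):
    """Stable JSON so the same row always yields the same bytes under the MAC."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_entry(log, action, actor, request_id, key=AUDIT_HMAC_KEY):
    """Append one row whose MAC covers its fields plus the previous row's MAC,
    so editing, deleting or reordering any earlier row invalidates all later MACs."""
    body = {
        "seq": len(log),
        "action": action,
        "actor": actor,
        "request_id": request_id,
        "prev_mac": log[-1]["mac"] if log else GENESIS,
    }
    row = dict(body, mac=hmac.new(key, _canonical(body), hashlib.sha256).hexdigest())
    log.append(row)
    return row

def verify_chain(log, key=AUDIT_HMAC_KEY):
    """Return None if every row links and verifies, else the seq of the first bad row."""
    expected_prev = GENESIS
    for i, row in enumerate(log):
        body = {k: v for k, v in row.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev_mac") != expected_prev:
            return i                               # gap, deletion or reorder
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, row.get("mac", "")):
            return i                               # field edited or MAC forged
        expected_prev = row["mac"]
    return None

def demo_tamper():
    """Record the three-step trail from the page, then rewrite the approver after the fact."""
    log = []
    append_entry(log, "QUERY_SUBMITTED", "alice@co", "q_42081")
    append_entry(log, "QUERY_APPROVED", "eve@co", "q_42081")
    append_entry(log, "QUERY_EXECUTED", "system", "q_42081")
    intact = verify_chain(log)                     # None: trail verifies
    log[1]["actor"] = "alice@co"                   # quiet edit: make it look self-approved
    return intact, verify_chain(log)               # (None, 1): row 1 no longer verifies
```

Truncating only the newest rows leaves a shorter but still-valid chain, so a chain on its own needs its latest MAC anchored somewhere that cannot be quietly rewritten, such as a signed export.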
Personalized dashboard
A self-scoped home that answers "what's waiting on me?" the moment you sign in: pending approvals, your recent queries with status and risk trends, an actionable AI optimization backlog you can open straight in the editor, and your own behavioral-anomaly alerts. Drag-and-drop the widgets into the layout you want — show, hide, collapse, reorder — and it sticks. Export the week as a digitally signed PDF/CSV on demand, or opt in to a weekly email digest.
Customizable widgets · weekly digest · signed export
Cloud-native deploy
Run it on a laptop with one command, or on Kubernetes for production. One docker compose up covers local and small environments; a Helm 3 chart covers Kubernetes, with HPA, PDB, and Bitnami Postgres/Redis subcharts. Redis-backed distributed locks keep scheduled jobs safe across replicas.
Docker · Helm · Kubernetes
Infrastructure as Code
Manage AccessFlow the way you manage the rest of your stack. An official Terraform / OpenTofu provider declares datasources, review plans, routing / row-level-security / masking policies, AI configs, and notification channels as code — applied idempotently with the same authoritative-upsert semantics as the env-driven GitOps bootstrap. Reusable GitHub Actions and a GitLab CI template wrap provisioning a datasource and submitting a governed query from a pipeline. Everything authenticates with a bootstrap-provisioned service-account API key.
Terraform · OpenTofu · GitHub Actions · GitLab CI · GitOps · Service-account API keys
API Access Governance
Govern outbound API calls — not just databases. Register an API connector (REST, SOAP, GraphQL, or gRPC) with a base URL, admin-defined default headers, and an auth method (API key, bearer, basic, OAuth2 with automatic token fetch/cache/refresh — client-credentials, refresh-token, or resource-owner password — custom header, or mTLS) — secrets are AES-256-GCM encrypted and never returned. Upload its schema (OpenAPI / WSDL / GraphQL SDL / gRPC proto — paste, file upload, or fetch from a URL) and AccessFlow parses a normalized operation catalog with read/write classification, then share governed connectivity with the team via per-user permissions. Compose calls like Postman — query params, custom headers, raw / form-data / x-www-form-urlencoded / binary file bodies — so every API call can flow through the same review, approval, and audit machinery as a database query: AI risk scoring, attribute-based routing, multi-stage approval, connector-level response masking (target a field by schema field, JSON path, XML/XPath, or regex — with a masking strategy and role / group / user reveal scoping) and data-classification tags (PII/PCI/PHI/GDPR/FINANCIAL/SENSITIVE that auto-derive masking and raise the AI risk), break-glass, scheduled execution, W3C trace-context propagation, full-response download, and natural-language text-to-API included.
Govern not just who reads data, but when it should be retired. Define retention/erasure rules per datasource — target a table, column set, or classification tag with a retention window plus arbitrary conditions (a structured, parameter-bound predicate builder and a JSqlParser-validated raw-WHERE escape hatch) and an action (hard-delete, soft-delete, or pseudonymize) — with an optional cron schedule, a clustered scan job, a dry-run preview, and automatic execution through the proxy. File a GDPR/CCPA right-to-erasure request with the same rich configuration and route it through AI-assisted scope detection plus review-plan-based peer review (REVIEWER-eligible, multi-stage, no self-approval, auto-reject on timeout). The proxy enforces it transparently: soft-deleted rows vanish from reads, DELETEs become marker updates, and aged PII resolves to an irreversible salted hash at read time — so aggregates survive while the PII does not — all with tamper-evident proof-of-deletion audit records.
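The read-time enforcement described above, as an added Python illustration (not AccessFlow's own code): soft-deleted rows are dropped from reads, and PII older than the retention window is replaced by a keyed, irreversible token that is stable per value, so distinct counts and GROUP BY still work while the raw PII is gone. The salt, the row shape and the sample table are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date, timedelta

# Constructed demo salt. Assumed to be held only by the proxy, like connector
# credentials; rotating it changes every token, so keep it stable per deployment.
PSEUDO_SALT = b"demo-only-pseudonymization-salt"

def pseudonymize(value):
    """Keyed, irreversible token. Equal inputs give equal tokens, so GROUP BY,
    COUNT(DISTINCT) and joins on the column keep working after the PII is gone."""
    digest = hmac.new(PSEUDO_SALT, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseu_" + digest[:16]

def apply_retention(rows, pii_columns, retention_days, today):
    """Read-time enforcement over a result set (list of dict rows):
    - rows with deleted_at set are soft-deleted and never returned
    - rows older than the retention window get their PII columns replaced
    - everything else passes through unchanged"""
    cutoff = today - timedelta(days=retention_days)
    visible = []
    for row in rows:
        if row.get("deleted_at") is not None:
            continue
        out = dict(row)                      # never mutate the caller's rows
        if out["created_at"] < cutoff:
            for col in pii_columns:
                if out.get(col) is not None:
                    out[col] = pseudonymize(out[col])
        visible.append(out)
    return visible

# Constructed sample: a customers table with two aged rows sharing one email,
# one recent row, and one soft-deleted row.
SAMPLE_ROWS = [
    {"id": 1, "email": "a@example.com", "country": "DE", "created_at": date(2024, 1, 10), "deleted_at": None},
    {"id": 2, "email": "a@example.com", "country": "DE", "created_at": date(2024, 2, 1), "deleted_at": None},
    {"id": 3, "email": "b@example.com", "country": "FR", "created_at": date(2026, 3, 1), "deleted_at": None},
    {"id": 4, "email": "c@example.com", "country": "FR", "created_at": date(2026, 3, 2), "deleted_at": date(2026, 3, 9)},
]

def demo():
    """Return (visible ids, distinct emails per country, whether raw aged PII leaked)."""
    rows = apply_retention(SAMPLE_ROWS, ["email"], retention_days=365, today=date(2026, 4, 1))
    pairs = {(r["country"], r["email"]) for r in rows}
    distinct_by_country = dict(Counter(country for country, _ in pairs))
    leaked = any(r["email"] == "a@example.com" for r in rows)
    return [r["id"] for r in rows], distinct_by_country, leaked
```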
Bundle several steps into one grouped request reviewed and approved as a single element, then executed as an ordered sequence. Members can mix queries across different datasources and API calls against governed connectors — a builder lets you add steps, drag-reorder them, and see a per-step AI risk preview plus an aggregate risk badge. Bundling never weakens a member's policy: each member is validated against your permission for its target (break-glass groups require can_break_glass on every target), the required approvers are the union across all member plans, and the group is approved only when every member plan is satisfied — you can never approve your own group. On execute, members run in order; on the first failure the run stops and the rest are skipped (continue-on-error runs them all instead). There is no distributed rollback — an approved group is not atomic, already-applied members stay, and that's surfaced clearly. Each member records its own snapshot + audit row alongside group-level audit and live WebSocket progress.
Grouped requests · queries + API calls · ordered execution · no distributed rollback
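The grouped-request approval semantics described above, as an added Python illustration (not AccessFlow's own code): the required approvers are the union across member plans, no member counts as approved until its own plan is satisfied, the submitter can never approve their own group, and execution is ordered with stop-on-first-failure unless continue-on-error is set, with no rollback. The member shape, approver names and the failing runner are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Member:
    """One step of a grouped request (constructed shape, not the project's model)."""
    target: str                    # datasource or API connector the step runs against
    required_approvers: frozenset  # the member's review plan: who must sign off
    approvals: set = field(default_factory=set)

@dataclass
class GroupedRequest:
    submitter: str
    members: list

def required_approvers(group):
    """Union of every member plan's approvers: the group needs all of them."""
    return frozenset().union(*(m.required_approvers for m in group.members))

def record_approval(group, approver):
    """Counts for every member whose plan names this approver; never the submitter."""
    if approver == group.submitter:
        raise PermissionError("self-approval is not allowed")
    for m in group.members:
        if approver in m.required_approvers:
            m.approvals.add(approver)

def is_approved(group):
    """Approved only when every member plan is satisfied, not just any one of them."""
    return all(m.required_approvers <= m.approvals for m in group.members)

def execute(group, run_member, continue_on_error=False):
    """Run members in order; by default stop at the first failure and skip the rest.
    No rollback: members that already ran stay applied."""
    if not is_approved(group):
        raise PermissionError("group is not fully approved")
    statuses, halted = [], False
    for m in group.members:
        if halted:
            statuses.append("SKIPPED")
            continue
        try:
            run_member(m)
            statuses.append("EXECUTED")
        except Exception:
            statuses.append("FAILED")
            halted = not continue_on_error
    return statuses

def demo(continue_on_error=False):
    """Two database steps and one API step; the second step fails at run time."""
    g = GroupedRequest("alice@co", [
        Member("prod-orders", frozenset({"eve@co"})),
        Member("prod-users", frozenset({"eve@co", "dba@co"})),
        Member("billing-api", frozenset({"api-owner@co"})),
    ])
    for who in ("eve@co", "dba@co", "api-owner@co"):
        record_approval(g, who)
    def run(m):                      # constructed runner standing in for the proxy
        if m.target == "prod-users":
            raise RuntimeError("constraint violation")
    return sorted(required_approvers(g)), execute(g, run, continue_on_error)
```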
Connectors
A growing catalog of SQL and NoSQL connectors.
A connector is simply how AccessFlow talks to one kind of database. AccessFlow ships with a built-in list — find the database your team uses, click Install, and it's ready to govern; AccessFlow fetches the right driver for you and verifies it's genuine before it's ever used. The list is grouped into SQL (table-based databases like PostgreSQL) and NoSQL (document databases like MongoDB). Using something that isn't on the list? Upload its driver and AccessFlow adds it. Under the hood this is a versioned connector catalog: every driver download is SHA-256-verified and cached, and the MongoDB, Couchbase, Redis, Cassandra, ScyllaDB, Elasticsearch, OpenSearch, Amazon DynamoDB, and Neo4j native engines are resolved on demand the same way. Read the connector docs →
SQL
PostgreSQL · Built in
MySQL · 1-click install
MariaDB · 1-click install
Oracle · 1-click install
SQL Server · 1-click install
ClickHouse · 1-click install
+ Custom driver · Upload any driver
NoSQL
MongoDB · 1-click install
Couchbase · 1-click install
Redis · 1-click install
Cassandra · 1-click install
ScyllaDB · 1-click install
Elasticsearch · 1-click install
OpenSearch · 1-click install
DynamoDB · 1-click install
Neo4j · 1-click install
Request flow
From keystroke to commit, observable at every step.
Every query follows the same predictable path — submitted, reviewed, run — and each step is recorded. Outbound API calls travel the same path, and grouped requests can bundle both. A single state machine drives that flow through classification, review, and execution, and every transition is auditable, cancellable, and replayable.
01
Submit a query
Analyst writes SQL in the built-in CodeMirror editor. The frontend posts to /queries; the proxy parses and classifies it.
02
AI reviews it
Risk score, anti-pattern flags, missing indexes. The status moves PENDING_AI → PENDING_REVIEW.
03
Humans approve
Reviewers get paged by Email, Slack, Discord, Telegram, Microsoft Teams, PagerDuty, or webhook. Multi-stage approval chains run as a state machine.
04
Proxy executes
AccessFlow opens a connection from the per-datasource connection pool, executes, captures metadata.
05
Audit forever
Append-only metadata audit row. WebSocket pushes result to the submitter. Status becomes EXECUTED.
SQL Editor · datasource: prod-orders

-- backfill missing region codes
UPDATE orders
SET region_code = UPPER(substr(country, 1, 2))
WHERE region_code IS NULL
  AND created_at > '2026-01-01';

5 lines · DML detected · review required · Submit for review

analyzing · req_a8c91f · ai_analyzer · 1.4s
RISK: 62 · MEDIUM
! Unbounded UPDATE scan: WHERE clause has no index on (region_code, created_at). Estimated 4.2M rows scanned. Suggest composite index before run.
i Idempotency: Repeat execution will not modify already-backfilled rows (region_code IS NULL filter is self-limiting). Safe to re-run.
✓ No DDL, no destructive ops: UPPER(substr(...)) is deterministic. Statement parses cleanly against the orders schema.

Review queue · 5 results
q_42081 · UPDATE orders SET region_code = UPPER(substr(...)) · alice@co · ANALYST · PENDING · approve / reject
q_42080 · SELECT user_id, count(*) FROM events GROUP BY 1 LIMIT 100 · bob@co · ANALYST · AI REVIEW
q_42079 · DELETE FROM sessions WHERE expires_at < now() - interval '30 days' · eve@co · REVIEWER · APPROVED
q_42078 · SELECT * FROM payments WHERE amount > 10000 · mark@co · ANALYST · EXECUTED
Six problems that show up in every enterprise security review.
Different teams reach for AccessFlow for different reasons — but underneath it is the same governed checkpoint: one approval pipeline, one audit trail, one place where access policy actually runs.
For platform & infrastructure teams
Production access without shared credentials
Shared logins and standing admin access are how breaches — and audit findings — happen. AccessFlow holds the database credentials, encrypted, and brokers every query through one checkpoint. Engineers sign in as themselves; nobody copies a password out of a vault again.
Every query attributable to a person, a reason, and an approval
Credentials AES-256 encrypted, decrypted only inside the proxy — never shown to users
SQL or NoSQL, the same flow — PostgreSQL and MongoDB governed identically
Datasource · prod-orders · connection brokered
user: alice@co · ANALYST · SSO
database: postgresql://prod-orders.internal:5432
password: ●●●●●●●●●● held by proxy — never disclosed
Standing privileges shrink to zero. Engineers request access for the window they need — minutes to days — and the grant revokes itself when the clock runs out. When production is down at 3 a.m., break-glass lets on-call act immediately: every admin is alerted the moment it happens, and a mandatory retro-review closes the loop.
Time-boxed grants, auto-revoked on expiry — no cleanup tickets
Break-glass skips the queue, never the guardrails — masking, row security, and row caps still apply
Every emergency run gets an after-the-fact review by an admin, never the submitter
A governance process that takes days gets bypassed. AccessFlow's AI reads every query and API call first — risk score, anti-patterns, affected tables — so routing policies can auto-approve safe reads in seconds and send risky changes to the right approvers with the analysis already attached.
Low-risk requests auto-approve — reviewers see only what deserves attention
Approvers decide from Slack, email, or one-tap push, with AI findings inline
Multi-stage approval chains for the changes that really matter
AI triage · routing policies active
SELECT … FROM events LIMIT 100 · risk 8 · AUTO-APPROVED
UPDATE orders SET region_code … · risk 62 · → DBA REVIEW
DROP TABLE legacy_users · risk 97 · AUTO-REJECTED
reviewed by a human: only the one that needs it
For compliance & security teams
Audit evidence as a download, not a project
When the auditor asks who accessed customer data last quarter — and who approved it — the answer shouldn't be a two-week log archaeology project. Every request, decision, and execution lands in a tamper-evident, HMAC-chained audit trail, with scheduled access recertification campaigns and signed compliance exports on top.
Append-only, tamper-evident record of every decision — built for SOC 2, ISO 27001 & GDPR evidence
Recertification campaigns certify or revoke standing access on a schedule, with CSV evidence
Signed PDF/CSV compliance reports and a dedicated read-only auditor role
Audit log · HMAC-SHA256 chained
14:02:51 QUERY_SUBMITTED · alice@co · #a81f →
14:04:11 QUERY_APPROVED · eve@co · #c290 →
14:04:12 QUERY_EXECUTED · system · #f11d →
export → compliance-report-2026-Q2.pdf · signed ✓
For data protection & privacy teams
Privacy obligations as running processes
Classify sensitive fields once — PII, PCI, PHI, GDPR — and let policy do the rest. Masking redacts tagged columns in every result, retention policies age data out on schedule, and right-to-erasure requests run through a governed, approved, audited workflow instead of a spreadsheet.
Field-level masking applied to results across SQL and NoSQL engines alike
Retention and pseudonymization policies executed through the same governed proxy
Right-to-erasure with an approval trail you can show a regulator
Sensitive data doesn't only live in databases — it flows through payment processors, CRMs, and internal services. AccessFlow puts outbound REST, SOAP, GraphQL, and gRPC calls through the same submit → AI review → approve → execute pipeline, with response masking and classification-aware risk scoring.
One connector catalog for third-party and internal APIs, with schema ingestion
Response masking policies and data-classification tags on API payloads
Break-glass, scheduling, and audit — identical to the database flow
response masked per connector policy · full body in audit snapshot
Quick start
Up and governing queries and API calls in under five minutes.
Pick your platform. The backend initializes its database schema on first boot; the first admin is created through the in-app setup wizard the moment you open the SPA.
docker-compose.yml
# Zero-config demo — open http://localhost:5173 and follow the setup wizard.
# Demo-only JWT / encryption keys are embedded in the file; generate your own
# for anything beyond evaluation (see docs/09-deployment.md).
services:
  postgres:
    image: postgres:18
    environment:
      POSTGRES_DB: accessflow
      POSTGRES_USER: accessflow
      POSTGRES_PASSWORD: accessflow
  redis:
    image: redis:8-alpine
  backend:
    image: ghcr.io/bablsoft/accessflow-backend:latest
    depends_on: [postgres, redis]
    environment:
      DB_URL: jdbc:postgresql://postgres:5432/accessflow
      REDIS_URL: redis://redis:6379
      ENCRYPTION_KEY: # 64-char hex, demo default embedded
      JWT_PRIVATE_KEY: # PKCS#8 PEM, demo default embedded
    ports: ["8080:8080"]
  frontend:
    image: ghcr.io/bablsoft/accessflow-frontend:latest
    depends_on: [backend]
    ports: ["5173:80"]
values.yaml
# helm repo add accessflow https://bablsoft.github.io/accessflow
# helm install accessflow accessflow/accessflow -n accessflow --create-namespace
# Encryption key, JWT key, and Postgres password are auto-generated on first install
# and preserved across upgrades — no Secrets need to be pre-created.
#
# Ready-made starting points for common shapes live under
# charts/accessflow/examples/ (minimal, production, external-services, bootstrap, airgapped)
replicaCount:
  backend: 2
  frontend: 2
# Postgres + Redis ship as Bitnami subcharts — toggle off for managed services
postgresql:
  enabled: true
redis:
  enabled: true
# HPA + PDB are off by default — turn on for production
autoscaling:
  backend:
    enabled: false
    minReplicas: 2
    maxReplicas: 10
# Override only if you want to manage secrets externally
# (sealed-secrets, External Secrets, Vault, …):
# config:
#   encryptionKey: { existingSecret: my-secret, key: value }
#   jwtPrivateKey: { existingSecret: my-secret, key: jwt }
ingress:
  enabled: true
  className: nginx
  hosts:
    - host: accessflow.company.com
  # TLS is off by default — turn on and supply a Secret to terminate HTTPS
  tls:
    enabled: false
shell
# clone
git clone https://github.com/bablsoft/accessflow.git
cd accessflow
# 1. infrastructure — Postgres 18 + Redis 8 + Mailcrab (dev-only compose)
docker compose -f backend/docker-compose-dev.yml up -d
# 2. backend — Java 25 · Spring Boot 4 · Maven
cd backend
./mvnw spring-boot:run
# 3. frontend — Node 24 · Vite 8 · React 19
cd ../frontend
npm install
npm run dev
# open http://localhost:5173 — the in-app setup wizard creates the first admin
Compliance reports & signed exports · Auditor role
Data lifecycle — retention, right-to-erasure & pseudonymization
Access recertification campaigns
Automation & IaC
Terraform / OpenTofu provider
Reusable GitHub Actions & GitLab CI template
upcoming
Planned
Connectors & access
Native wire-protocol gateway
Column-level permissions
AI
Custom analyzer plugins (SPI / HTTP)
Automatic query suggestions
Documentation
Thirteen chapters. Read them in any order.
Every subsystem is documented — architecture diagrams, schemas, payload examples, deployment recipes, and security model. Open source in the same repo. New here? The run & configure guide walks you through installing AccessFlow and setting it up step by step.