Security & Enterprise

GreyCat ships enterprise security in the same binary as the database — no bolt-on IAM, no external services.

Authentication

User identities authenticate with tokens, passed either via cookie or an Authorization header, and each token carries a time-to-live (TTL).

On first run, the server generates its own key — no manual secret provisioning required to get started securely.

Role-based access control is declared in code with @permission and @role. Every @expose endpoint is permission-gated.

Ships with built-in permissions — public, api, admin and debug — and built-in roles, plus per-user file read/write grants.

Enterprise OpenID Connect via the openid library, using the Authorization Code flow with PKCE.

JWTs are verified against the provider's JWKS (RS/ES/PS), and identity-provider group claims are mapped to GreyCat roles.

SHA-1 / SHA-256, HMAC-SHA256, RSA PKCS#1 signing, base64 / base64url / hex encoding, and secure UUID v4 / v7 generation.

Cryptography is backed by mbedTLS 3.6, and TLS protects data in transport.

Built-in task history and file-upload hooks provide the foundation for audit trails.

A single binary running on your own hardware.

Embeddings and inference run in-process via llama.cpp, so data never leaves your infrastructure.

Built in Luxembourg (EU).

Deployable as a FROM scratch container (~3.5 MB) with no OS package manager to patch.

Full and incremental (delta) backups with verified restore.

Defragmentation runs online, without taking the database offline.

Talk to our team Read the docs