A lightweight, self-hosted gRPC server providing a unified interface for PostgreSQL, MongoDB, and Redis. It keeps database credentials out of your application code and routes traffic efficiently and securely.

• Startups: Avoid DevOps headaches with automated deployment.
• Security Teams: Enforce mTLS and centralize credentials.
• Backend Engineers: Reduce boilerplate code with typed gRPC clients.
• DevOps Teams: Automate infrastructure and reduce manual setup.

We provide two tiers of client libraries across 7 languages:

Direct access to all gRPC service stubs. You manage certificate loading and database targeting yourself.

One-line setup with automatic Vault mTLS auth and database-per-service isolation via app_namespace. This is what most developers should use.

The Core libraries are high-level, opinionated wrappers built directly on top of the raw SDK libraries.

from xeze_core import XezeCoreClient

db = XezeCoreClient(app_namespace="myapp")
db.init_workspace()

# Postgres — native Python dicts
db.pg_insert("users", {"name": "Ayush", "role": "admin"})
rows = db.pg_query("SELECT * FROM users")

# MongoDB
db.mongo_insert("logs", {"action": "user_created"})

# Redis
db.redis_set("session:abc", "user_123", ttl=300)
val = db.redis_get("session:abc")  # "user_123"

Our SDKs provide native dual-support for establishing secure mTLS connections:

1. Dynamic Secrets Management (Recommended): Fetch certificates dynamically from HashiCorp Vault at runtime. Private keys remain strictly in memory — never written to disk.
2. Static Certificate Files: Standard support for loading .crt and .key files from your application's file system.

Before deploying the Database Router to production, ensure you have the following prerequisites ready:

• Docker & Docker Compose: Must be installed on your local system or deployment server.
• Domain Name: You must have a registered domain name (e.g., example.com).
• Cloud Provider Name Servers: The name servers for your domain must be managed by your cloud provider (e.g., DigitalOcean, Cloudflare). This is required for automatic DNS management and Let's Encrypt / mTLS certificate generation.
• Provider API Token: You must have a valid API token from your cloud provider to allow Terraform and Ansible to automatically provision and configure your infrastructure.

The fastest way to deploy the entire stack to DigitalOcean is using our automated deployer.

Mac / Linux:

cd deployer
DIGITALOCEAN_TOKEN="your_token_here" docker compose up -d

Windows (PowerShell):

cd deployer
$env:DIGITALOCEAN_TOKEN="your_token_here"; docker compose up -d

graph LR
    client("📱 Your App")
    proxy("🛡️ Caddy Proxy")
    router("🚦 database-router")
  
    subgraph Databases
        pg("🐘 PostgreSQL")
        mongo("🍃 MongoDB")
        redis("⚡ Redis")
    end

    client -->|gRPC + mTLS| proxy
    proxy -->|h2c port 50051| router
    router --> pg
    router --> mongo
    router --> redis

    classDef primary fill:#2563eb,stroke:#1d4ed8,stroke-width:2px,color:#ffffff
    classDef secondary fill:#475569,stroke:#334155,stroke-width:2px,color:#ffffff
    classDef database fill:#059669,stroke:#047857,stroke-width:2px,color:#ffffff
  
    class client secondary
    class proxy primary
    class router primary
    class pg database
    class mongo database
    class redis database
  
    style Databases fill:transparent,stroke:#94a3b8,stroke-width:2px

Database-Router/
├── cmd/              # Go server entrypoint
├── internal/         # Core router logic (Go)
├── proto/            # Protobuf definitions (source of truth)
├── sdk/              # Low-level gRPC client libraries
│   ├── python/       #   pip install xeze-dbr
│   ├── node/         #   npm install @xeze/dbr
│   ├── rust/         #   cargo add xeze-dbr
│   └── go/           #   go get .../sdk/go
├── core/             # High-level Vault-integrated wrappers
│   ├── python/       #   pip install xeze-dbr-core
│   ├── node/         #   npm install @xeze/dbr-core
│   ├── rust/         #   cargo add xeze-dbr-core
│   └── go/           #   go get .../core/go
├── examples/         # Demo apps and playground
├── deployer/         # One-command cloud deployer
├── terraform/        # Infrastructure provisioning
├── ansible/          # Server configuration automation
├── certs/            # TLS certificate generation scripts
└── docs/             # API reference and guides

While the core router is lightweight and delegates security to the infrastructure layer, our automated cloud deployment is production-grade out of the box.

The included Terraform and Ansible automation automatically secures your deployment via the provided Caddyfile:

• Caddy Reverse Proxy: Serves exclusively over port 443 and safely proxies gRPC traffic over unencrypted HTTP/2 (h2c://) directly to the isolated db-router container.
• Strict mTLS Enforcement: Uses require_and_verify client authentication. Only applications presenting a valid TLS certificate signed by your trusted Certificate Authority (ca.crt) are permitted to connect.
• Network Isolation: Cloud firewalls are configured to ensure port 50051 is tightly locked down and never exposed directly to the public internet.

Detailed guides and automation playbooks are included in the repository:

• gRPC API Reference — Full RPC definitions for PostgreSQL, MongoDB, and Redis services.
• Configuration — Explanations of all JSON config fields and environment variables.
• mTLS Guide — Instructions on certificate generation and mTLS setup.
• Terraform Infrastructure — One-command cloud infrastructure provisioning.
• Ansible Setup — Automated server configuration, proxy setup, and mTLS enforcement.
• Deployer — A fully automated container to deploy everything with a single docker run command.

Apache 2.0