Skip to main content

REST Server for CyborgDB: The Confidential Vector Database

Project description

CyborgDB

CyborgDB Service

PyPI - Version PyPI - License PyPI - Python Version

CyborgDB Service is the FastAPI-based REST API server for CyborgDB — the vector database that stays encrypted even while it's searching. It serves encrypted vector ingestion, search, and retrieval over HTTP: vectors stay encrypted through search, and only the result of a query is decrypted. Run it yourself in your own VPC or on-prem.

Features

  • Encryption-in-use: Vectors stay encrypted at rest, in transit, and through search — only the query result is decrypted
  • Encrypted ANN: Disk-backed encrypted DiskIVF index with recall within 2% of a plaintext baseline (read the benchmarks)
  • Filters on encrypted metadata: Combine vector similarity with equality and range predicates in a single request
  • BYOK / HYOK: Per-index key wrapping via AWS KMS or AWS Secrets Manager, including cross-account BYOK (see BYOK.md)
  • Per-tenant key isolation: Per-index, per-user keys with cryptographic RBAC; revoke a user and their keys are erased
  • Multiple backing stores: Embedded RocksDB disk, AWS S3 / S3-compatible object storage (MinIO etc.), or in-memory

Getting Started

To get started in minutes, check out our Quickstart Guide.

Installation

  1. Install cyborgdb-service
pip install cyborgdb-service
# GPU (CUDA 12): pip install cyborgdb-service-cu12
  1. [Optional] Set an API key for unlimited usage — without one the service runs in free-tier mode (per-index cap of 1M items)
export CYBORGDB_API_KEY=your_api_key_here   # optional; unset runs free tier
  1. [Optional] Choose a storage backend (default: disk at ~/.cyborgdb/data)
export CYBORGDB_DB_TYPE='memory|disk|s3'   # default: disk
export CYBORGDB_DISK_PATH=/path/to/data    # disk only; default ~/.cyborgdb/data
export CYBORGDB_S3_BUCKET=my-bucket        # s3 only (required)

Tip: Run cyborgdb-service --help for a detailed list of all configuration options.

  1. Run the server
cyborgdb-service

Storage Backends

Backend Select with Notes
Disk (default) CYBORGDB_DB_TYPE=disk Embedded RocksDB. CYBORGDB_DISK_PATH sets the data directory (default ~/.cyborgdb/data).
In-memory CYBORGDB_DB_TYPE=memory No persistence across restarts.
S3 CYBORGDB_DB_TYPE=s3 Requires CYBORGDB_S3_BUCKET. Optional: CYBORGDB_S3_REGION, CYBORGDB_S3_PREFIX, CYBORGDB_S3_ENDPOINT.

S3 credentials

Each AWS-touching client (S3 storage, KMS) resolves credentials independently:

  • On AWS (ECS/EC2/EKS) — set nothing; the AWS default credential provider chain picks up the instance/task role.
  • Off AWS, real S3 — provide AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars or a mounted AWS profile; the default chain picks them up.
  • S3-compatible endpoint (MinIO etc.) — set CYBORGDB_S3_ENDPOINT plus explicit CYBORGDB_S3_ACCESS_KEY / CYBORGDB_S3_SECRET_KEY (and optionally CYBORGDB_S3_SESSION_TOKEN). A custom endpoint is not AWS: the AWS chain is never used against it, and startup fails fast if the explicit keys are missing. The CYBORGDB_S3_* namespace is kept separate from AWS_* so storage credentials can't collide with KMS credentials.

YAML Configuration File (optional)

Everything settable by environment variable can also live in a YAML file — see cyborgdb.example.yaml. The file is resolved from CYBORGDB_CONFIG_FILE, then ./cyborgdb.yaml, ./cyborgdb.yml, /etc/cyborgdb/cyborgdb.yaml. Environment variables override the file on conflict. The YAML file is also where the per-index KMS registry (kms.registry:) is configured.

API Key Configuration

The CYBORGDB_API_KEY is the cyborgdb-core license key (not a service-auth credential). It is optional — when unset, the service runs in free-tier mode (per-index cap of 1M items). To unlock unlimited usage, provide your key using any of these methods:

Method 1: Environment Variable (Easiest)

export CYBORGDB_API_KEY=your_api_key_here
cyborgdb-service

Method 2: .env File

Create a .env file in the project root:

CYBORGDB_API_KEY=your_api_key_here

Then run:

cyborgdb-service

Method 3: Inline with Launch

CYBORGDB_API_KEY=your_api_key_here cyborgdb-service

Service Authentication

Request authentication is controlled by CYBORGDB_SERVICE_ROOT_KEY — separate from the CYBORGDB_API_KEY license key above:

  • Unset (default): authentication is disabled and the service accepts every request. Do not run a network-exposed deployment this way.
  • Set: authentication is enabled. Clients must send the key in the X-API-Key header. Routes accept the root key or a cdbk_ user token minted under it, and the root key can mint per-user API keys.
export CYBORGDB_SERVICE_ROOT_KEY=your_root_key_here
# then call the API with:  -H "X-API-Key: your_root_key_here"

Documentation

For more information on CyborgDB, see the Cyborg Docs.

License

CyborgDB Service is licensed under the MIT License. The underlying library, CyborgDB Core, is licensed under Cyborg's Terms of Service.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cyborgdb_service-0.17.0.tar.gz (2.0 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cyborgdb_service-0.17.0-py3-none-any.whl (84.1 kB view details)

Uploaded Python 3

File details

Details for the file cyborgdb_service-0.17.0.tar.gz.

File metadata

  • Download URL: cyborgdb_service-0.17.0.tar.gz
  • Upload date:
  • Size: 2.0 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for cyborgdb_service-0.17.0.tar.gz
Algorithm Hash digest
SHA256 e52ea76610b30cb6c1b6ee8bab9940ec700430cc01c3541dff5f8bb56f97c5af
MD5 bf0478de5fda3e83383886cdbcecd354
BLAKE2b-256 2eebd20800b0f638810ea8d0db750c0866cbef99a45d3db5bc6e5791cdeb82b9

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyborgdb_service-0.17.0.tar.gz:

Publisher: build_and_package_wheels.yml on cyborginc/cyborgdb-service

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cyborgdb_service-0.17.0-py3-none-any.whl.

File metadata

File hashes

Hashes for cyborgdb_service-0.17.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ba62a6a15ec3218534847f86d63ff1e2c1b522fe3333d34ec21ccceae0eb085c
MD5 80c941d606eddfc34d46603a21a33d48
BLAKE2b-256 0b126839b309ddc68a6da6a68b3c583661486b8beea359a6f8db76d88634cd92

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyborgdb_service-0.17.0-py3-none-any.whl:

Publisher: build_and_package_wheels.yml on cyborginc/cyborgdb-service

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page