REST Server for CyborgDB: The Confidential Vector Database
CyborgDB Service
CyborgDB Service is the FastAPI-based REST API server for CyborgDB — the vector database that stays encrypted even while it's searching. It serves encrypted vector ingestion, search, and retrieval over HTTP: vectors stay encrypted through search, and only the result of a query is decrypted. Run it yourself in your own VPC or on-prem.
Features
- Encryption-in-use: Vectors stay encrypted at rest, in transit, and through search — only the query result is decrypted
- Encrypted ANN: Disk-backed encrypted DiskIVF index with recall within 2% of a plaintext baseline (read the benchmarks)
- Filters on encrypted metadata: Combine vector similarity with equality and range predicates in a single request
- BYOK / HYOK: Per-index key wrapping via AWS KMS or AWS Secrets Manager, including cross-account BYOK (see BYOK.md)
- Per-tenant key isolation: Per-index, per-user keys with cryptographic RBAC; revoke a user and their keys are erased
- Multiple backing stores: Embedded RocksDB disk, AWS S3 / S3-compatible object storage (MinIO etc.), or in-memory
Getting Started
To get started in minutes, check out our Quickstart Guide.
Installation
- Install cyborgdb-service
pip install cyborgdb-service
# GPU (CUDA 12): pip install cyborgdb-service-cu12
- [Optional] Set an API key for unlimited usage — without one the service runs in free-tier mode (per-index cap of 1M items)
export CYBORGDB_API_KEY=your_api_key_here # optional; unset runs free tier
- [Optional] Choose a storage backend (default: disk at ~/.cyborgdb/data)
export CYBORGDB_DB_TYPE='memory|disk|s3' # default: disk
export CYBORGDB_DISK_PATH=/path/to/data # disk only; default ~/.cyborgdb/data
export CYBORGDB_S3_BUCKET=my-bucket # s3 only (required)
Tip: Run cyborgdb-service --help for a detailed list of all configuration options.
- Run the server
cyborgdb-service
Storage Backends
| Backend | Select with | Notes |
|---|---|---|
| Disk (default) | CYBORGDB_DB_TYPE=disk | Embedded RocksDB. CYBORGDB_DISK_PATH sets the data directory (default ~/.cyborgdb/data). |
| In-memory | CYBORGDB_DB_TYPE=memory | No persistence across restarts. |
| S3 | CYBORGDB_DB_TYPE=s3 | Requires CYBORGDB_S3_BUCKET. Optional: CYBORGDB_S3_REGION, CYBORGDB_S3_PREFIX, CYBORGDB_S3_ENDPOINT. |
S3 credentials
Each AWS-touching client (S3 storage, KMS) resolves credentials independently:
- On AWS (ECS/EC2/EKS) — set nothing; the AWS default credential provider chain picks up the instance/task role.
- Off AWS, real S3 — provide AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars or a mounted AWS profile; the default chain picks them up.
- S3-compatible endpoint (MinIO etc.) — set CYBORGDB_S3_ENDPOINT plus explicit CYBORGDB_S3_ACCESS_KEY / CYBORGDB_S3_SECRET_KEY (and optionally CYBORGDB_S3_SESSION_TOKEN). A custom endpoint is not AWS: the AWS chain is never used against it, and startup fails fast if the explicit keys are missing. The CYBORGDB_S3_* namespace is kept separate from AWS_* so storage credentials can't collide with KMS credentials.
YAML Configuration File (optional)
Everything settable by environment variable can also live in a YAML file —
see cyborgdb.example.yaml. The file is resolved
from CYBORGDB_CONFIG_FILE, then ./cyborgdb.yaml, ./cyborgdb.yml,
/etc/cyborgdb/cyborgdb.yaml. Environment variables override the file on
conflict. The YAML file is also where the per-index KMS registry
(kms.registry:) is configured.
API Key Configuration
The CYBORGDB_API_KEY is the cyborgdb-core license key (not a service-auth credential).
It is optional — when unset, the service runs in free-tier mode (per-index cap of 1M
items). To unlock unlimited usage, provide your key using any of these methods:
Method 1: Environment Variable (Easiest)
export CYBORGDB_API_KEY=your_api_key_here
cyborgdb-service
Method 2: .env File
Create a .env file in the project root:
CYBORGDB_API_KEY=your_api_key_here
Then run:
cyborgdb-service
Method 3: Inline with Launch
CYBORGDB_API_KEY=your_api_key_here cyborgdb-service
Service Authentication
Request authentication is controlled by CYBORGDB_SERVICE_ROOT_KEY — separate from the
CYBORGDB_API_KEY license key above:
- Unset (default): authentication is disabled and the service accepts every request. Do not run a network-exposed deployment this way.
- Set: authentication is enabled. Clients must send the key in the X-API-Key header. Routes accept the root key or a cdbk_ user token minted under it, and the root key can mint per-user API keys.
export CYBORGDB_SERVICE_ROOT_KEY=your_root_key_here
# then call the API with: -H "X-API-Key: your_root_key_here"
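The storage-backend, S3-credential and service-authentication rules above can be checked before the server is launched. The following is an added example, not code from cyborgdb-service: `cyborgdb_preflight` is a hypothetical helper, and it assumes every setting comes from an environment variable rather than the optional YAML file.

```shell
#!/bin/sh
# Added example: hypothetical pre-flight helper, not part of cyborgdb-service.
# Assumption: all settings come from environment variables; values supplied
# only through the optional YAML file are not seen by this check.
# Usage: cyborgdb_preflight && cyborgdb-service

cyborgdb_preflight() {
    _rc=0
    _db_type="${CYBORGDB_DB_TYPE:-disk}"    # documented default is disk

    case "$_db_type" in
        memory)
            echo "NOTE: in-memory backend, no persistence across restarts" >&2 ;;
        disk)
            ;;
        s3)
            if [ -z "${CYBORGDB_S3_BUCKET:-}" ]; then
                echo "FAIL: CYBORGDB_DB_TYPE=s3 requires CYBORGDB_S3_BUCKET" >&2
                _rc=1
            fi
            # A custom endpoint is not AWS: the AWS credential chain is never
            # used against it, so both explicit keys must be present.
            if [ -n "${CYBORGDB_S3_ENDPOINT:-}" ] &&
               { [ -z "${CYBORGDB_S3_ACCESS_KEY:-}" ] ||
                 [ -z "${CYBORGDB_S3_SECRET_KEY:-}" ]; }; then
                echo "FAIL: CYBORGDB_S3_ENDPOINT set without explicit CYBORGDB_S3_ACCESS_KEY/CYBORGDB_S3_SECRET_KEY" >&2
                _rc=1
            fi
            ;;
        *)
            echo "FAIL: CYBORGDB_DB_TYPE must be memory, disk or s3 (got '$_db_type')" >&2
            _rc=1
            ;;
    esac

    # With no root key, authentication is disabled and every request is accepted.
    if [ -z "${CYBORGDB_SERVICE_ROOT_KEY:-}" ]; then
        echo "FAIL: CYBORGDB_SERVICE_ROOT_KEY is unset; the API would be unauthenticated" >&2
        _rc=1
    fi

    return "$_rc"
}
```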
Documentation
For more information on CyborgDB, see the Cyborg Docs.
License
CyborgDB Service is licensed under the MIT License. The underlying library, CyborgDB Core, is licensed under Cyborg's Terms of Service.
File details
Details for the file cyborgdb_service-0.17.0.tar.gz.
File metadata
- Download URL: cyborgdb_service-0.17.0.tar.gz
- Upload date:
- Size: 2.0 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e52ea76610b30cb6c1b6ee8bab9940ec700430cc01c3541dff5f8bb56f97c5af |
| MD5 | bf0478de5fda3e83383886cdbcecd354 |
| BLAKE2b-256 | 2eebd20800b0f638810ea8d0db750c0866cbef99a45d3db5bc6e5791cdeb82b9 |
Provenance
The following attestation bundles were made for cyborgdb_service-0.17.0.tar.gz:
Publisher: build_and_package_wheels.yml on cyborginc/cyborgdb-service
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: cyborgdb_service-0.17.0.tar.gz
- Subject digest: e52ea76610b30cb6c1b6ee8bab9940ec700430cc01c3541dff5f8bb56f97c5af
- Sigstore transparency entry: 1956306629
- Sigstore integration time:
- Permalink: cyborginc/cyborgdb-service@e719ea8d9bf892d12502091818c7c2103188e628
- Branch / Tag: refs/tags/v0.17.0
- Owner: https://github.com/cyborginc
- Access: internal
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: build_and_package_wheels.yml@e719ea8d9bf892d12502091818c7c2103188e628
- Trigger Event: push
File details
Details for the file cyborgdb_service-0.17.0-py3-none-any.whl.
File metadata
- Download URL: cyborgdb_service-0.17.0-py3-none-any.whl
- Upload date:
- Size: 84.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ba62a6a15ec3218534847f86d63ff1e2c1b522fe3333d34ec21ccceae0eb085c |
| MD5 | 80c941d606eddfc34d46603a21a33d48 |
| BLAKE2b-256 | 0b126839b309ddc68a6da6a68b3c583661486b8beea359a6f8db76d88634cd92 |
Provenance
The following attestation bundles were made for cyborgdb_service-0.17.0-py3-none-any.whl:
Publisher: build_and_package_wheels.yml on cyborginc/cyborgdb-service
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: cyborgdb_service-0.17.0-py3-none-any.whl
- Subject digest: ba62a6a15ec3218534847f86d63ff1e2c1b522fe3333d34ec21ccceae0eb085c
- Sigstore transparency entry: 1955144344
- Sigstore integration time:
- Permalink: cyborginc/cyborgdb-service@e719ea8d9bf892d12502091818c7c2103188e628
- Branch / Tag: refs/tags/v0.17.0
- Owner: https://github.com/cyborginc
- Access: internal
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: build_and_package_wheels.yml@e719ea8d9bf892d12502091818c7c2103188e628
- Trigger Event: push