Protocol Documentation

v1/annotation.proto
- EAuthMethod
- XFile-level Extensions
- XFile-level Extensions
- XFile-level Extensions
- XFile-level Extensions
v1/access_grant_service.proto
- MAccessGrant
- MActivateAccessGrantRequest
- MCreateAccessGrantRequest
- MGetAccessGrantRequest
- MListAccessGrantsRequest
- MListAccessGrantsResponse
- MRevokeAccessGrantRequest
- MSearchMyAccessGrantsRequest
- MSearchMyAccessGrantsResponse
- EAccessGrant.Status
- SAccessGrantService
v1/common.proto
- MPermissionDeniedDetail
- MPosition
- MRange
- EEngine
- EExportFormat
- ERiskLevel
- EState
- EStatementType
- EVCSType
- EWebhookType
v1/issue_service.proto
- MApprovalFlow
- MApprovalTemplate
- MApproveIssueRequest
- MBatchUpdateIssuesStatusRequest
- MBatchUpdateIssuesStatusResponse
- MCreateIssueCommentRequest
- MCreateIssueRequest
- MGetIssueRequest
- MIssue
- MIssue.Approver
- MIssueComment
- MIssueComment.Approval
- MIssueComment.IssueUpdate
- MIssueComment.PlanSpecUpdate
- MListIssueCommentsRequest
- MListIssueCommentsResponse
- MListIssuesRequest
- MListIssuesResponse
- MRejectIssueRequest
- MRequestIssueRequest
- MRoleGrant
- MSearchIssuesRequest
- MSearchIssuesResponse
- MUpdateIssueCommentRequest
- MUpdateIssueRequest
- EIssue.ApprovalStatus
- EIssue.Approver.Status
- EIssue.Type
- EIssueComment.Approval.Status
- EIssueStatus
- SIssueService
v1/setting_service.proto
- MAISetting
- MAlgorithm
- MAlgorithm.FullMask
- MAlgorithm.InnerOuterMask
- MAlgorithm.MD5Mask
- MAlgorithm.RangeMask
- MAlgorithm.RangeMask.Slice
- MAnnouncement
- MAppIMSetting
- MAppIMSetting.DingTalk
- MAppIMSetting.Feishu
- MAppIMSetting.IMSetting
- MAppIMSetting.Lark
- MAppIMSetting.Slack
- MAppIMSetting.Teams
- MAppIMSetting.Wecom
- MDataClassificationSetting
- MDataClassificationSetting.DataClassificationConfig
- MDataClassificationSetting.DataClassificationConfig.ClassificationEntry
- MDataClassificationSetting.DataClassificationConfig.DataClassification
- MDataClassificationSetting.DataClassificationConfig.Level
- MEmailSetting
- MEmailSetting.SMTPConfig
- MEnvironmentSetting
- MEnvironmentSetting.Environment
- MEnvironmentSetting.Environment.TagsEntry
- MGetSettingRequest
- MGetSettingResponse
- MListSettingsRequest
- MListSettingsResponse
- MSemanticTypeSetting
- MSemanticTypeSetting.SemanticType
- MSetting
- MSettingValue
- MTestEmailSettingRequest
- MTestEmailSettingResponse
- MUpdateSettingRequest
- MWorkspaceApprovalSetting
- MWorkspaceApprovalSetting.Rule
- MWorkspaceProfileSetting
- MWorkspaceProfileSetting.PasswordRestriction
- EAISetting.Provider
- EAlgorithm.InnerOuterMask.MaskType
- EAnnouncement.AlertLevel
- EDatabaseChangeMode
- EEmailSetting.SMTPConfig.Authentication
- EEmailSetting.SMTPConfig.Encryption
- EEmailSetting.Type
- ESetting.SettingName
- EWorkspaceApprovalSetting.Rule.Source
- SSettingService
v1/actuator_service.proto
- MActuatorInfo
- MDeleteCacheRequest
- MGetActuatorInfoRequest
- MRestriction
- MSetupSampleRequest
- SActuatorService
v1/ai_service.proto
- MAIChatMessage
- MAIChatRequest
- MAIChatResponse
- MAIChatToolCall
- MAIChatToolDefinition
- MAIChatUsage
- EAIChatMessageRole
- SAIService
v1/iam_policy.proto
- MBinding
- MBindingDelta
- MGetIamPolicyRequest
- MIamPolicy
- MPolicyDelta
- MSetIamPolicyRequest
- EBindingDelta.Action
v1/audit_log_service.proto
- MAuditData
- MAuditLog
- MExportAuditLogsRequest
- MExportAuditLogsResponse
- MRequestMetadata
- MSearchAuditLogsRequest
- MSearchAuditLogsResponse
- EAuditLog.Severity
- SAuditLogService
v1/user_service.proto
- MBatchGetUsersRequest
- MBatchGetUsersResponse
- MCreateUserRequest
- MDeleteUserRequest
- MGetUserRequest
- MListUsersRequest
- MListUsersResponse
- MUndeleteUserRequest
- MUpdateEmailRequest
- MUpdateUserRequest
- MUser
- MUser.Profile
- SUserService
v1/auth_service.proto
- MExchangeTokenRequest
- MExchangeTokenResponse
- MIdentityProviderContext
- MLoginRequest
- MLoginResponse
- MLogoutRequest
- MOAuth2IdentityProviderContext
- MOIDCIdentityProviderContext
- MRefreshRequest
- MRefreshResponse
- MSignupRequest
- MSwitchWorkspaceRequest
- SAuthService
v1/cel_service.proto
- MBatchDeparseRequest
- MBatchDeparseResponse
- MBatchParseRequest
- MBatchParseResponse
- SCelService
v1/database_catalog_service.proto
- MColumnCatalog
- MColumnCatalog.LabelsEntry
- MDatabaseCatalog
- MGetDatabaseCatalogRequest
- MObjectSchema
- MObjectSchema.ArrayKind
- MObjectSchema.StructKind
- MObjectSchema.StructKind.PropertiesEntry
- MSchemaCatalog
- MTableCatalog
- MTableCatalog.Columns
- MUpdateDatabaseCatalogRequest
- EObjectSchema.Type
- SDatabaseCatalogService
v1/database_group_service.proto
- MCreateDatabaseGroupRequest
- MDatabaseGroup
- MDatabaseGroup.Database
- MDeleteDatabaseGroupRequest
- MGetDatabaseGroupRequest
- MListDatabaseGroupsRequest
- MListDatabaseGroupsResponse
- MUpdateDatabaseGroupRequest
- EDatabaseGroupView
- SDatabaseGroupService
v1/instance_role_service.proto
- MInstanceRole
- MListInstanceRolesRequest
- MListInstanceRolesResponse
- SInstanceRoleService
v1/instance_service.proto
- MAddDataSourceRequest
- MBatchSyncInstancesRequest
- MBatchSyncInstancesResponse
- MBatchUpdateInstancesRequest
- MBatchUpdateInstancesResponse
- MCreateInstanceRequest
- MDataSource
- MDataSource.AWSCredential
- MDataSource.Address
- MDataSource.AzureCredential
- MDataSource.ExtraConnectionParametersEntry
- MDataSource.GCPCredential
- MDataSourceExternalSecret
- MDataSourceExternalSecret.AppRoleAuthOption
- MDeleteInstanceRequest
- MGetInstanceRequest
- MInstance
- MInstance.LabelsEntry
- MInstanceResource
- MKerberosConfig
- MListInstanceDatabaseRequest
- MListInstanceDatabaseResponse
- MListInstancesRequest
- MListInstancesResponse
- MRemoveDataSourceRequest
- MSASLConfig
- MSyncInstanceRequest
- MSyncInstanceResponse
- MUndeleteInstanceRequest
- MUpdateDataSourceRequest
- MUpdateInstanceRequest
- EDataSource.AuthenticationType
- EDataSource.RedisType
- EDataSourceExternalSecret.AppRoleAuthOption.SecretType
- EDataSourceExternalSecret.AuthType
- EDataSourceExternalSecret.SecretType
- EDataSourceType
- SInstanceService
v1/database_service.proto
- MBatchGetDatabasesRequest
- MBatchGetDatabasesResponse
- MBatchSyncDatabasesRequest
- MBatchSyncDatabasesResponse
- MBatchUpdateDatabasesRequest
- MBatchUpdateDatabasesResponse
- MBoundingBox
- MChangelog
- MCheckConstraintMetadata
- MColumnMetadata
- MDatabase
- MDatabase.LabelsEntry
- MDatabaseMetadata
- MDatabaseSDLSchema
- MDatabaseSchema
- MDependencyColumn
- MDependencyTable
- MDiffSchemaRequest
- MDiffSchemaResponse
- MDimensionConstraint
- MDimensionalConfig
- MEnumTypeMetadata
- MEventMetadata
- MExtensionMetadata
- MExternalTableMetadata
- MForeignKeyMetadata
- MFunctionMetadata
- MGenerationMetadata
- MGetChangelogRequest
- MGetDatabaseMetadataRequest
- MGetDatabaseRequest
- MGetDatabaseSDLSchemaRequest
- MGetDatabaseSchemaRequest
- MGetSchemaStringRequest
- MGetSchemaStringResponse
- MGridLevel
- MIndexMetadata
- MListChangelogsRequest
- MListChangelogsResponse
- MListDatabasesRequest
- MListDatabasesResponse
- MMaterializedViewMetadata
- MPackageMetadata
- MProcedureMetadata
- MSchemaMetadata
- MSequenceMetadata
- MSpatialIndexConfig
- MStorageConfig
- MStreamMetadata
- MSyncDatabaseRequest
- MSyncDatabaseResponse
- MTableMetadata
- MTablePartitionMetadata
- MTaskMetadata
- MTessellationConfig
- MTriggerMetadata
- MUpdateDatabaseRequest
- MViewMetadata
- EChangelog.Status
- EChangelogView
- EColumnMetadata.IdentityGeneration
- EGenerationMetadata.Type
- EGetDatabaseSDLSchemaRequest.SDLFormat
- EGetSchemaStringRequest.ObjectType
- EStreamMetadata.Mode
- EStreamMetadata.Type
- ESyncStatus
- ETablePartitionMetadata.Type
- ETaskMetadata.State
- SDatabaseService
v1/group_service.proto
- MBatchGetGroupsRequest
- MBatchGetGroupsResponse
- MCreateGroupRequest
- MDeleteGroupRequest
- MGetGroupRequest
- MGroup
- MGroupMember
- MListGroupsRequest
- MListGroupsResponse
- MUpdateGroupRequest
- EGroupMember.Role
- SGroupService
v1/idp_service.proto
- MCreateIdentityProviderRequest
- MDeleteIdentityProviderRequest
- MFieldMapping
- MGetIdentityProviderRequest
- MIdentityProvider
- MIdentityProviderConfig
- MLDAPIdentityProviderConfig
- MListIdentityProvidersRequest
- MListIdentityProvidersResponse
- MOAuth2IdentityProviderConfig
- MOAuth2IdentityProviderTestRequestContext
- MOIDCIdentityProviderConfig
- MOIDCIdentityProviderTestRequestContext
- MTestIdentityProviderRequest
- MTestIdentityProviderResponse
- MTestIdentityProviderResponse.ClaimsEntry
- MTestIdentityProviderResponse.UserInfoEntry
- MUpdateIdentityProviderRequest
- EIdentityProviderType
- ELDAPIdentityProviderConfig.SecurityProtocol
- EOAuth2AuthStyle
- SIdentityProviderService
v1/org_policy_service.proto
- MCreatePolicyRequest
- MDeletePolicyRequest
- MGetPolicyRequest
- MListPoliciesRequest
- MListPoliciesResponse
- MMaskingExemptionPolicy
- MMaskingExemptionPolicy.Exemption
- MMaskingRulePolicy
- MMaskingRulePolicy.MaskingRule
- MPolicy
- MQueryDataPolicy
- MRolloutPolicy
- MTagPolicy
- MTagPolicy.TagsEntry
- MUpdatePolicyRequest
- EPolicyResourceType
- EPolicyType
- SOrgPolicyService
v1/rollout_service.proto
- MBatchCancelTaskRunsRequest
- MBatchCancelTaskRunsResponse
- MBatchRunTasksRequest
- MBatchRunTasksResponse
- MBatchSkipTasksRequest
- MBatchSkipTasksResponse
- MCreateRolloutRequest
- MGetRolloutRequest
- MGetTaskRunLogRequest
- MGetTaskRunRequest
- MGetTaskRunSessionRequest
- MListRolloutsRequest
- MListRolloutsResponse
- MListTaskRunsRequest
- MListTaskRunsResponse
- MPreviewTaskRunRollbackRequest
- MPreviewTaskRunRollbackResponse
- MRollout
- MStage
- MTask
- MTask.DatabaseCreate
- MTask.DatabaseDataExport
- MTask.DatabaseUpdate
- MTaskRun
- MTaskRun.SchedulerInfo
- MTaskRun.SchedulerInfo.WaitingCause
- MTaskRunLog
- MTaskRunLogEntry
- MTaskRunLogEntry.CommandExecute
- MTaskRunLogEntry.CommandExecute.CommandResponse
- MTaskRunLogEntry.ComputeDiff
- MTaskRunLogEntry.DatabaseSync
- MTaskRunLogEntry.PriorBackup
- MTaskRunLogEntry.PriorBackup.PriorBackupDetail
- MTaskRunLogEntry.PriorBackup.PriorBackupDetail.Item
- MTaskRunLogEntry.PriorBackup.PriorBackupDetail.Item.Table
- MTaskRunLogEntry.ReleaseFileExecute
- MTaskRunLogEntry.RetryInfo
- MTaskRunLogEntry.SchemaDump
- MTaskRunLogEntry.TransactionControl
- MTaskRunSession
- MTaskRunSession.Postgres
- MTaskRunSession.Postgres.Session
- ETask.Status
- ETask.Type
- ETaskRun.ExportArchiveStatus
- ETaskRun.Status
- ETaskRunLogEntry.TransactionControl.Type
- ETaskRunLogEntry.Type
- SRolloutService
v1/sql_service.proto
- MAICompletionRequest
- MAICompletionRequest.Message
- MAICompletionResponse
- MAICompletionResponse.Candidate
- MAICompletionResponse.Candidate.Content
- MAICompletionResponse.Candidate.Content.Part
- MAdminExecuteRequest
- MAdminExecuteResponse
- MAdvice
- MDiffMetadataRequest
- MDiffMetadataResponse
- MExportRequest
- MExportResponse
- MMaskingReason
- MQueryHistory
- MQueryOption
- MQueryRequest
- MQueryResponse
- MQueryResult
- MQueryResult.CommandError
- MQueryResult.Message
- MQueryResult.PostgresError
- MQueryResult.SyntaxError
- MQueryRow
- MRowValue
- MRowValue.Timestamp
- MRowValue.TimestampTZ
- MSearchQueryHistoriesRequest
- MSearchQueryHistoriesResponse
- EAdvice.Level
- EAdvice.RuleType
- EQueryHistory.Type
- EQueryOption.MSSQLExplainFormat
- EQueryOption.RedisRunCommandsOn
- EQueryResult.CommandError.Type
- EQueryResult.Message.Level
- SSQLService
v1/plan_service.proto
- MCancelPlanCheckRunRequest
- MCancelPlanCheckRunResponse
- MCreatePlanRequest
- MGetPlanCheckRunRequest
- MGetPlanRequest
- MListPlansRequest
- MListPlansResponse
- MPlan
- MPlan.ChangeDatabaseConfig
- MPlan.CreateDatabaseConfig
- MPlan.ExportDataConfig
- MPlan.PlanCheckRunStatusCountEntry
- MPlan.RolloutStageSummary
- MPlan.Spec
- MPlan.TaskStatusCount
- MPlanCheckRun
- MPlanCheckRun.Result
- MPlanCheckRun.Result.SqlReviewReport
- MPlanCheckRun.Result.SqlSummaryReport
- MRunPlanChecksRequest
- MRunPlanChecksResponse
- MUpdatePlanRequest
- EPlanCheckRun.Result.Type
- EPlanCheckRun.Status
- SPlanService
v1/project_service.proto
- MActivity
- MAddWebhookRequest
- MBatchDeleteProjectsRequest
- MBatchGetProjectsRequest
- MBatchGetProjectsResponse
- MCreateProjectRequest
- MDeleteProjectRequest
- MGetProjectRequest
- MLabel
- MListProjectsRequest
- MListProjectsResponse
- MProject
- MProject.ExecutionRetryPolicy
- MProject.LabelsEntry
- MRemoveWebhookRequest
- MSearchProjectsRequest
- MSearchProjectsResponse
- MTestWebhookRequest
- MTestWebhookResponse
- MUndeleteProjectRequest
- MUpdateProjectRequest
- MUpdateWebhookRequest
- MWebhook
- EActivity.Type
- SProjectService
v1/release_service.proto
- MCheckReleaseRequest
- MCheckReleaseResponse
- MCheckReleaseResponse.CheckResult
- MCreateReleaseRequest
- MDeleteReleaseRequest
- MGetReleaseRequest
- MListReleaseCategoriesRequest
- MListReleaseCategoriesResponse
- MListReleasesRequest
- MListReleasesResponse
- MRelease
- MRelease.File
- MRelease.VCSSource
- MUndeleteReleaseRequest
- MUpdateReleaseRequest
- ERelease.Type
- SReleaseService
v1/review_config_service.proto
- MCreateReviewConfigRequest
- MDeleteReviewConfigRequest
- MGetReviewConfigRequest
- MListReviewConfigsRequest
- MListReviewConfigsResponse
- MReviewConfig
- MSQLReviewRule
- MSQLReviewRule.CommentConventionRulePayload
- MSQLReviewRule.NamingCaseRulePayload
- MSQLReviewRule.NamingRulePayload
- MSQLReviewRule.NumberRulePayload
- MSQLReviewRule.StringArrayRulePayload
- MSQLReviewRule.StringRulePayload
- MUpdateReviewConfigRequest
- ESQLReviewRule.Level
- ESQLReviewRule.Type
- SReviewConfigService
v1/revision_service.proto
- MBatchCreateRevisionsRequest
- MBatchCreateRevisionsResponse
- MCreateRevisionRequest
- MDeleteRevisionRequest
- MGetRevisionRequest
- MListRevisionsRequest
- MListRevisionsResponse
- MRevision
- ERevision.Type
- SRevisionService
v1/role_service.proto
- MCreateRoleRequest
- MDeleteRoleRequest
- MGetRoleRequest
- MListRolesRequest
- MListRolesResponse
- MRole
- MUpdateRoleRequest
- ERole.Type
- SRoleService
v1/service_account_service.proto
- MCreateServiceAccountRequest
- MDeleteServiceAccountRequest
- MGetServiceAccountRequest
- MListServiceAccountsRequest
- MListServiceAccountsResponse
- MServiceAccount
- MUndeleteServiceAccountRequest
- MUpdateServiceAccountRequest
- SServiceAccountService
v1/sheet_service.proto
- MBatchCreateSheetsRequest
- MBatchCreateSheetsResponse
- MCreateSheetRequest
- MGetSheetRequest
- MSheet
- SSheetService
v1/subscription_service.proto
- MCancelPurchaseRequest
- MCreatePurchaseRequest
- MGetPaymentInfoRequest
- MGetSubscriptionRequest
- MListPurchasePlansRequest
- MListPurchasePlansResponse
- MPaymentInfo
- MPlanConfig
- MPlanLimitConfig
- MPurchaseBillingMethod
- MPurchaseDiscount
- MPurchasePlan
- MPurchasePlanAdditional
- MPurchaseResponse
- MSubscription
- MUpdatePurchaseRequest
- MUploadLicenseRequest
- MVerifyCheckoutSessionRequest
- MVerifyCheckoutSessionResponse
- EBillingInterval
- EPlanFeature
- EPlanType
- EPurchaseDiscount.Type
- EPurchasePlanAdditional.Type
- SSubscriptionService
v1/workload_identity_service.proto
- MCreateWorkloadIdentityRequest
- MDeleteWorkloadIdentityRequest
- MGetWorkloadIdentityRequest
- MListWorkloadIdentitiesRequest
- MListWorkloadIdentitiesResponse
- MUndeleteWorkloadIdentityRequest
- MUpdateWorkloadIdentityRequest
- MWorkloadIdentity
- MWorkloadIdentityConfig
- EWorkloadIdentityConfig.ProviderType
- SWorkloadIdentityService
v1/worksheet_service.proto
- MBatchUpdateWorksheetOrganizerRequest
- MBatchUpdateWorksheetOrganizerResponse
- MCreateWorksheetRequest
- MDeleteWorksheetRequest
- MGetWorksheetRequest
- MSearchWorksheetsRequest
- MSearchWorksheetsResponse
- MUpdateWorksheetOrganizerRequest
- MUpdateWorksheetRequest
- MWorksheet
- MWorksheetOrganizer
- EWorksheet.Visibility
- SWorksheetService
v1/workspace_service.proto
- MGetWorkspaceRequest
- MListWorkspacesRequest
- MListWorkspacesResponse
- MUpdateWorkspaceRequest
- MWorkspace
- SWorkspaceService
Scalar Value Types

v1/annotation.proto

Top

AuthMethod

Authorization method for RPC calls.

Unspecified authorization method.

| | IAM | 1 |

Standard IAM authorization check on organizational resources.

| | CUSTOM | 2 |

Custom authorization logic.

File-level Extensions

Whether the method allows access without authentication credentials.

Whether to audit calls to this method.

The authorization method to use for this RPC.

The permission required to call this method.

v1/access_grant_service.proto

Top

AccessGrant

The name of the access grant, generated by the server. Format: projects/{project}/accessGrants/{access_grant} The {access_grant} segment is a server-generated unique ID.

The creator of the access grant. Format: users/{email}

The status of the access grant. An ACTIVE grant with expire_time in the past is effectively expired and no longer authorizes access. Use expire_time to determine whether an ACTIVE grant has expired.

The expiration time of the access grant.

| | ttl | google.protobuf.Duration | |

Input only. The time-to-live duration for the access grant. The server computes expire_time from this value at activation time.

The issue associated with the access grant. Can be empty. Format: projects/{project}/issues/{issue}

The target databases for this access grant. Format: instances/{instance}/databases/{database}

The query permission granted.

Whether the grant allows unmasking sensitive data.

ActivateAccessGrantRequest

The name of the access grant to activate. Format: projects/{project}/accessGrants/{access_grant}

CreateAccessGrantRequest

The parent project for the access grant. Format: projects/{project}

The access grant to create.

GetAccessGrantRequest

The name of the access grant to retrieve. Format: projects/{project}/accessGrants/{access_grant}

ListAccessGrantsRequest

The parent project of the access grants. Format: projects/{project}

| | page_size | int32 | |

The maximum number of access grants to return.

A page token from a previous ListAccessGrants call.

Filter expression using AIP-160 syntax. Supported fields: - name: the fullname in "projects/{project}/accessGrants/{access_grant}" format, support "==" operator. - creator: the creator name in "users/{email}" format, support "==" operator. - status: the access status, support "==" and "in" operator. - issue: the access issue fullname, support "==" operator. - expire_time: the access expire time in "2006-01-02T15:04:05Z07:00" format, support ">=", ">", "<=" and "<" operator. - create_time: the access creation time in "2006-01-02T15:04:05Z07:00" format, support ">=", ">", "<=" and "<" operator. - query: the access query, support "==" and ".contains(xx)" operator - target: the target database fullname, support "==" operator. Examples: - creator == "users/[email protected]" - status == "ACTIVE" - status in ["ACTIVE", "PENDING"] - creator == "users/[email protected]" && status == "ACTIVE" - issue == "projects/x/issues/123" - status == "ACTIVE" && expire_time > "2024-02-01T00:00:00Z" - target == "instances/sample/databases/employee"

The order by of access grants. Support creator, expire_time, create_time. The default sorting order is ascending. For example: - order_by = "creator" - order_by = "expire_time desc" - order_by = "expire_time asc, create_time desc"

ListAccessGrantsResponse

The access grants from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

RevokeAccessGrantRequest

The name of the access grant to revoke. Format: projects/{project}/accessGrants/{access_grant}

SearchMyAccessGrantsRequest

The parent project to search in. Format: projects/{project}

| | page_size | int32 | |

The maximum number of access grants to return.

A page token from a previous SearchMyAccessGrants call.

Check the filter field in the ListAccessGrantsRequest message.

Check the order_by field in the ListAccessGrantsRequest message.

SearchMyAccessGrantsResponse

The access grants from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

AccessGrant.Status

The status of the access grant.

| | PENDING | 1 |

The access grant is pending approval.

| | ACTIVE | 2 |

The access grant is active. Check expire_time to determine whether the grant is still valid or has expired.

| | REVOKED | 3 |

The access grant has been revoked.

AccessGrantService

AccessGrantService manages temporary access grants within projects.

Gets an access grant by name.

Lists access grants in a project.

Creates an access grant.

Activates a pending access grant.

Revokes an active access grant.

Searches access grants created by the caller.

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetAccessGrant | GET | /v1/{name=projects/*/accessGrants/*} | | | ListAccessGrants | GET | /v1/{parent=projects/*}/accessGrants | | | CreateAccessGrant | POST | /v1/{parent=projects/*}/accessGrants | access_grant | | ActivateAccessGrant | POST | /v1/{name=projects/*/accessGrants/*}:activate | * | | RevokeAccessGrant | POST | /v1/{name=projects/*/accessGrants/*}:revoke | * | | SearchMyAccessGrants | POST | /v1/{parent=projects/*}/accessGrants:searchMy | * |

v1/common.proto

Top

PermissionDeniedDetail

PermissionDeniedDetail provides structured information about permission failures.

Used as error detail when returning CodePermissionDenied errors.

The API method that was called.

The permissions required but not granted to the user.

The resources the user was trying to access.

Position

Position in a text expressed as one-based line and one-based column.

We use 1-based numbering to match the majority of industry standards:

Monaco Editor uses 1-based (https://microsoft.github.io/monaco-editor/typedoc/interfaces/IPosition.html)
GitHub Actions uses 1-based (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)
Most text editors display 1-based positions to users

Note: LSP uses 0-based (https://microsoft.github.io/language-server-protocol/specifications/lsp/3.17/specification/#position),

but we follow the canonical user-facing standards.

Handling unknown positions:

If the entire position is unknown, leave this field as nil/undefined
If only line is known, set line and leave column as 0 (e.g., line=5, column=0)
If only column is known (rare), set column and leave line as 0

Frontends should check for nil/undefined/zero values and handle them appropriately.

Line position in a text (one-based). First line of the text is line 1. A value of 0 indicates the line information is unknown.

| | column | int32 | |

Column position in a text (one-based). Column is measured in Unicode code points (characters/runes), not bytes or grapheme clusters. First character of the line is column 1. A value of 0 indicates the column information is unknown. Examples: - "SELECT * FROM t" - column 8 is '*' - "SELECT 你好 FROM t" - column 8 is '你' (even though it's at byte offset 7) - "SELECT 😀 FROM t" - column 8 is '😀' (even though it's 4 bytes in UTF-8)

Range

Range represents a span within a text or sequence.

Whether the indices are byte offsets or character indices depends on the context.

Check the documentation of the field using Range for specific semantics.

Start index (inclusive).

| | end | int32 | |

End index (exclusive).

Engine

Database engine type.

Unspecified database engine.

| | CLICKHOUSE | 1 |

ClickHouse columnar database.

| | MYSQL | 2 |

MySQL relational database.

| | POSTGRES | 3 |

PostgreSQL relational database.

| | SNOWFLAKE | 4 |

Snowflake cloud data warehouse.

| | SQLITE | 5 |

SQLite embedded database.

| | TIDB | 6 |

TiDB distributed SQL database.

| | MONGODB | 7 |

MongoDB document database.

| | REDIS | 8 |

Redis key-value store.

| | ORACLE | 9 |

Oracle relational database.

| | SPANNER | 10 |

Google Cloud Spanner distributed database.

| | MSSQL | 11 |

Microsoft SQL Server relational database.

| | REDSHIFT | 12 |

Amazon Redshift data warehouse.

| | MARIADB | 13 |

MariaDB relational database.

| | OCEANBASE | 14 |

OceanBase distributed database.

| | STARROCKS | 15 |

StarRocks analytics database.

| | DORIS | 16 |

Apache Doris analytics database.

| | HIVE | 17 |

Apache Hive data warehouse.

| | ELASTICSEARCH | 18 |

Elasticsearch search engine.

| | BIGQUERY | 19 |

Google BigQuery data warehouse.

| | DYNAMODB | 20 |

Amazon DynamoDB NoSQL database.

| | DATABRICKS | 21 |

Databricks lakehouse platform.

| | COCKROACHDB | 22 |

CockroachDB distributed SQL database.

| | COSMOSDB | 23 |

Azure Cosmos DB multi-model database.

| | TRINO | 24 |

Trino distributed SQL query engine.

| | CASSANDRA | 25 |

Apache Cassandra NoSQL database.

ExportFormat

Data export format.

Unspecified export format.

| | CSV | 1 |

Comma-separated values format.

| | JSON | 2 |

JavaScript Object Notation format.

| | SQL | 3 |

SQL statements format.

| | XLSX | 4 |

Microsoft Excel spreadsheet format.

RiskLevel

RiskLevel is the risk level.

Unspecified risk level.

| | LOW | 1 |

Low risk operation.

| | MODERATE | 2 |

Moderate risk operation.

| | HIGH | 3 |

High risk operation.

State

Resource lifecycle state.

| | ACTIVE | 1 |

Resource is active and operational.

| | DELETED | 2 |

Resource is soft-deleted but may be recoverable.

StatementType

StatementType represents the type of SQL statement.

| | CREATE_DATABASE | 1 |

DDL - CREATE statements

| | CREATE_TABLE | 2 |

| | CREATE_VIEW | 3 |

| | CREATE_INDEX | 4 |

| | CREATE_SEQUENCE | 5 |

| | CREATE_SCHEMA | 6 |

| | CREATE_FUNCTION | 7 |

| | CREATE_TRIGGER | 8 |

| | CREATE_PROCEDURE | 9 |

| | CREATE_EVENT | 10 |

| | CREATE_EXTENSION | 11 |

| | CREATE_TYPE | 12 |

| | DROP_DATABASE | 20 |

DDL - DROP statements

| | DROP_TABLE | 21 |

| | DROP_VIEW | 22 |

| | DROP_INDEX | 23 |

| | DROP_SEQUENCE | 24 |

| | DROP_SCHEMA | 25 |

| | DROP_FUNCTION | 26 |

| | DROP_TRIGGER | 27 |

| | DROP_PROCEDURE | 28 |

| | DROP_EVENT | 29 |

| | DROP_EXTENSION | 30 |

| | DROP_TYPE | 31 |

| | ALTER_DATABASE | 40 |

DDL - ALTER statements

| | ALTER_TABLE | 41 |

| | ALTER_VIEW | 42 |

| | ALTER_SEQUENCE | 43 |

| | ALTER_EVENT | 44 |

| | ALTER_TYPE | 45 |

| | ALTER_INDEX | 46 |

| | TRUNCATE | 50 |

DDL - Other

| | RENAME | 51 |

| | RENAME_INDEX | 52 |

| | RENAME_SCHEMA | 53 |

| | RENAME_SEQUENCE | 54 |

| | COMMENT | 55 |

| | INSERT | 60 |

DML statements

| | UPDATE | 61 |

| | DELETE | 62 |

VCSType

Version control system type.

Unspecified VCS type.

| | GITHUB | 1 |

GitHub version control platform.

| | GITLAB | 2 |

GitLab version control platform.

| | BITBUCKET | 3 |

Bitbucket version control platform.

| | AZURE_DEVOPS | 4 |

Azure DevOps version control platform.

WebhookType

Webhook integration type.

Unspecified type.

| | SLACK | 1 |

Slack integration.

| | DISCORD | 2 |

Discord integration.

| | TEAMS | 3 |

Microsoft Teams integration.

| | DINGTALK | 4 |

DingTalk integration.

| | FEISHU | 5 |

Feishu integration.

| | WECOM | 6 |

WeCom (WeChat Work) integration.

| | LARK | 7 |

Lark integration.

v1/issue_service.proto

Top

ApprovalFlow

The roles required for approval in order.

ApprovalTemplate

The approval flow definition.

The title of the approval template.

The description of the approval template.

ApproveIssueRequest

The name of the issue to add an approver. Format: projects/{project}/issues/{issue}

The comment explaining the approval decision.

BatchUpdateIssuesStatusRequest

The parent resource shared by all issues being updated. Format: projects/{project} If the operation spans parents, a dash (-) may be accepted as a wildcard. We only support updating the status of databases for now.

The list of issues to update. Format: projects/{project}/issues/{issue}

The new status.

The reason for the status change.

BatchUpdateIssuesStatusResponse

CreateIssueCommentRequest

The issue name Format: projects/{project}/issues/{issue}

The comment to create.

CreateIssueRequest

The parent, which owns this collection of issues. Format: projects/{project}

The issue to create.

GetIssueRequest

The name of the issue to retrieve. Format: projects/{project}/issues/{issue}

If set to true, bypass cache and fetch the latest data.

Issue

The name of the issue. Format: projects/{project}/issues/{issue}

The title of the issue.

The description of the issue.

The status of the issue.

The approval template for the issue.

Format: users/[email protected]

The plan associated with the issue. Can be empty. Format: projects/{project}/plans/{plan}

Used if the issue type is ROLE_GRANT.

The risk level of the issue.

Labels attached to the issue for categorization and filtering.

The access grant associated with this issue. Format: projects/{project}/accessGrants/{access_grant}

Issue.Approver

Approvers and their approval status for the issue.

The new status.

Format: users/[email protected]

IssueComment

A comment on an issue.

Format: projects/{project}/issues/{issue}/issueComments/{issueComment-uid}

The text content of the comment.

TODO: use struct message instead.

Format: users/{email}

Approval event.

Issue update event.

Plan spec update event.

IssueComment.Approval

Approval event information.

The approval status.

IssueComment.IssueUpdate

Issue update event information.

IssueComment.PlanSpecUpdate

Plan spec update event information (tracks sheet changes to plan specs).

The spec that was updated. Format: projects/{project}/plans/{plan}/specs/{spec}

The previous sheet. Format: projects/{project}/sheets/{sheet}

The new sheet. Format: projects/{project}/sheets/{sheet}

ListIssueCommentsRequest

Format: projects/{projects}/issues/{issue}

| | page_size | int32 | |

The maximum number of issue comments to return. The service may return fewer than this value. If unspecified, at most 10 issue comments will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListIssueComments call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListIssueComments must match the call that provided the page token.

ListIssueCommentsResponse

The issue comments from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

ListIssuesRequest

The parent, which owns this collection of issues. Format: projects/{project}

| | page_size | int32 | |

The maximum number of issues to return. The service may return fewer than this value. If unspecified, at most 10 issues will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListIssues call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListIssues must match the call that provided the page token.

Filter is used to filter issues returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filters: - creator: issue creator full name in "users/{email or id}" format, support "==" operator. - status: the issue status, support "==" and "in" operator, check the IssueStatus enum for the values. - create_time: issue create time in "2006-01-02T15:04:05Z07:00" format, support ">=" or "<=" operator. - type: the issue type, support "==" and "in" operator, check the Type enum in the Issue message for the values. - labels: the issue labels, support "==" and "in" operator. - risk_level: the issue risk level, support "in" operator, check the RiskLevel enum for the values. - approval_status: issue approval status, support "==" operator. - current_approver: the issue approver, should in "users/{email} format", support "==" operator. For example: creator == "users/[email protected]" && status in ["OPEN", "DONE"] status == "CANCELED" && type == "DATABASE_CHANGE" labels in ["label1", "label2"] risk_level in ["HIGH", "MODERATE"] create_time >= "2025-01-02T15:04:05Z07:00"

Query is the query statement.

The order by of issues. Support: - create_time - update_time The default sorting order is ascending. For example: - order_by = "create_time desc" - order_by = "update_time asc"

ListIssuesResponse

The issues from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

RejectIssueRequest

The name of the issue to add a rejection. Format: projects/{project}/issues/{issue}

The comment explaining the rejection decision.

RequestIssueRequest

The name of the issue to request a issue. Format: projects/{project}/issues/{issue}

The comment explaining the request.

RoleGrant

The requested role. Format: roles/EXPORTER.

The user to be granted. Format: users/{email}.

The condition for the role. Same as the condition in IAM Binding message.

The duration for which the grant is valid.

SearchIssuesRequest

The parent, which owns this collection of issues. Format: projects/{project} Use "projects/-" to list all issues from all projects.

| | page_size | int32 | |

A page token, received from a previous SearchIssues call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to SearchIssues must match the call that provided the page token.

Filter is used to filter issues returned in the list. Check the filter field in the ListIssuesRequest message.

Query is the query statement.

The order by of issues. Support: - create_time - update_time The default sorting order is ascending. For example: - order_by = "create_time desc" - order_by = "update_time asc"

SearchIssuesResponse

The issues from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

UpdateIssueCommentRequest

The issue name Format: projects/{project}/issues/{issue}

The comment to update.

The list of fields to update.

If set to true, and the issue comment is not found, a new issue comment will be created. In this situation, update_mask is ignored.

UpdateIssueRequest

The issue to update. The issue's name field is used to identify the issue to update. Format: projects/{project}/issues/{issue}

The list of fields to update.

If set to true, and the issue is not found, a new issue will be created. In this situation, update_mask is ignored.

Issue.ApprovalStatus

The overall approval status for the issue.

Unspecified approval status.

| | CHECKING | 1 |

Approval checks are being evaluated.

| | PENDING | 2 |

Approval is pending.

| | APPROVED | 3 |

Issue has been approved.

| | REJECTED | 4 |

Issue has been rejected.

| | SKIPPED | 5 |

Approval was skipped.

Issue.Approver.Status

The approval status of an approver.

Unspecified status.

| | PENDING | 1 |

Awaiting approval.

| | APPROVED | 2 |

Approved.

| | REJECTED | 3 |

Rejected.

Issue.Type

The type of issue.

Unspecified issue type.

| | DATABASE_CHANGE | 1 |

Database schema or data change.

| | ROLE_GRANT | 2 |

Role grant request.

| | DATABASE_EXPORT | 3 |

Database data export request.

| | ACCESS_GRANT | 4 |

Temporary access grant request.

IssueComment.Approval.Status

Approval status values.

Unspecified status.

| | PENDING | 1 |

Approval pending.

| | APPROVED | 2 |

Approved.

| | REJECTED | 3 |

Rejected.

IssueStatus

The status of an issue.

Unspecified status.

| | OPEN | 1 |

Issue is open and active.

| | DONE | 2 |

Issue is completed.

| | CANCELED | 3 |

Issue is canceled.

IssueService

IssueService manages issues for tracking database changes and tasks.

Retrieves an issue by name. Permissions required: bb.issues.get

Creates a new issue for database changes or tasks. Permissions required: bb.issues.create

Lists issues in a project. Permissions required: bb.issues.list

Search for issues that the caller has the bb.issues.get permission on and also satisfy the specified filter & query. Permissions required: bb.issues.get

Updates an issue's properties such as title, description, or labels. Permissions required: bb.issues.update

Lists comments on an issue. Permissions required: bb.issueComments.list

Adds a comment to an issue. Permissions required: bb.issueComments.create

Updates an existing issue comment. Permissions required: bb.issueComments.update

Updates the status of multiple issues in a single operation. Permissions required: bb.issues.update

Approves an issue. Access determined by approval flow configuration - caller must be a designated approver for the current approval step. Permissions required: None (determined by approval flow)

Rejects an issue. Access determined by approval flow configuration - caller must be a designated approver for the current approval step. Permissions required: None (determined by approval flow)

Requests changes on an issue. Access determined by approval flow configuration - caller must be a designated approver for the current approval step. Permissions required: None (determined by approval flow)

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetIssue | GET | /v1/{name=projects/*/issues/*} | | | CreateIssue | POST | /v1/{parent=projects/*}/issues | issue | | ListIssues | GET | /v1/{parent=projects/*}/issues | | | SearchIssues | POST | /v1/{parent=projects/*}/issues:search | * | | UpdateIssue | PATCH | /v1/{issue.name=projects/*/issues/*} | issue | | ListIssueComments | GET | /v1/{parent=projects/*/issues/*}/issueComments | | | CreateIssueComment | POST | /v1/{parent=projects/*/issues/*}:comment | issue_comment | | UpdateIssueComment | PATCH | /v1/{parent=projects/*/issues/*}:comment | issue_comment | | BatchUpdateIssuesStatus | POST | /v1/{parent=projects/*}/issues:batchUpdateStatus | * | | ApproveIssue | POST | /v1/{name=projects/*/issues/*}:approve | * | | RejectIssue | POST | /v1/{name=projects/*/issues/*}:reject | * | | RequestIssue | POST | /v1/{name=projects/*/issues/*}:request | * |

v1/setting_service.proto

Top

AISetting

Algorithm

Algorithm.FullMask

substitution is the string used to replace the original value, the max length of the string is 16 bytes.

Algorithm.InnerOuterMask

| | suffix_len | int32 | |

Algorithm.MD5Mask

salt is the salt value to generate a different hash that with the word alone.

Algorithm.RangeMask

We store it as a repeated field to face the fact that the original value may have multiple parts should be masked. But frontend can be started with a single rule easily.

Algorithm.RangeMask.Slice

start is the start character index (0-based) of the original value, should be less than end. Uses character indices (not byte offsets) for display-oriented masking. Example: For "你好world", character index 2 refers to 'w' (the 3rd character).

| | end | int32 | |

end is the end character index (exclusive) of the original value. Uses character indices (not byte offsets) for display-oriented masking.

substitution is the string used to replace the OriginalValue[start:end).

Announcement

The alert level of announcement

The text of announcement

The optional link, user can follow the link to check extra details

AppIMSetting

AppIMSetting.DingTalk

AppIMSetting.Feishu

AppIMSetting.IMSetting

AppIMSetting.Lark

AppIMSetting.Slack

AppIMSetting.Teams

Azure AD tenant ID (Directory ID).

Azure AD application (client) ID.

Azure AD client secret.

AppIMSetting.Wecom

DataClassificationSetting

DataClassificationSetting.DataClassificationConfig

id is the uuid for classification. Each project can chose one classification config.

levels is user defined level list for classification.

classification is the id - DataClassification map. The id should in [0-9]+-[0-9]+-[0-9]+ format.

DataClassificationSetting.DataClassificationConfig.ClassificationEntry

DataClassificationSetting.DataClassificationConfig.DataClassification

id is the classification id in [0-9]+-[0-9]+-[0-9]+ format.

The sensitivity level. Maps to Level.level.

DataClassificationSetting.DataClassificationConfig.Level

| | level | int32 | |

The numeric level for ordering. Higher = more sensitive.

EmailSetting

EmailSetting.SMTPConfig

| | port | int32 | |

EnvironmentSetting

EnvironmentSetting.Environment

The resource name of the environment. Format: environments/{environment}. Output only.

| | id | string | |

The resource id of the environment. This value should be 4-63 characters, and valid characters are /[a-z][0-9]-/.

The display name of the environment.

EnvironmentSetting.Environment.TagsEntry

GetSettingRequest

The request message for getting a setting.

The resource name of the setting.

GetSettingResponse

The response message for getting a setting.

ListSettingsRequest

ListSettingsResponse

The settings from the specified request.

SemanticTypeSetting

SemanticTypeSetting.SemanticType

id is the uuid for semantic type.

the title of the semantic type, it should not be empty.

the description of the semantic type, it can be empty.

icon is the icon for semantic type, it can be emoji or base64 encoded image.

Setting

The schema of setting.

The resource name of the setting. Format: settings/{setting} Example: "settings/SEMANTIC_TYPES"

The configuration value of the setting.

SettingValue

The data in setting value.

| | ai | AISetting | |

TestEmailSettingRequest

| | to | string | |

TestEmailSettingResponse

UpdateSettingRequest

The request message for updating or creating a setting.

The setting to update.

validate_only is a flag to indicate whether to validate the setting value, server would not persist the setting value if it is true.

WorkspaceApprovalSetting

WorkspaceApprovalSetting.Rule

The condition that is associated with the rule. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec The source field filters which rules apply. The condition field then evaluates with full context. All supported variables: statement.affected_rows: affected row count in the DDL/DML, support "==", "!=", "<", "<=", ">", ">=" operations. statement.table_rows: table row count number, support "==", "!=", "<", "<=", ">", ">=" operations. resource.environment_id: the environment resource id, support "==", "!=", "in [xx]", "!(in [xx])" operations. resource.project_id: the project resource id, support "==", "!=", "in [xx]", "!(in [xx])", "contains()", "matches()", "startsWith()", "endsWith()" operations. resource.db_engine: the database engine type, support "==", "!=", "in [xx]", "!(in [xx])" operations. Check the Engine enum for values. statement.sql_type: the SQL type, support "==", "!=", "in [xx]", "!(in [xx])" operations. resource.database_name: the database name, support "==", "!=", "in [xx]", "!(in [xx])", "contains()", "matches()", "startsWith()", "endsWith()" operations. resource.schema_name: the schema name, support "==", "!=", "in [xx]", "!(in [xx])", "contains()", "matches()", "startsWith()", "endsWith()" operations. resource.table_name: the table name, support "==", "!=", "in [xx]", "!(in [xx])", "contains()", "matches()", "startsWith()", "endsWith()" operations. statement.text: the SQL statement, support "contains()", "matches()", "startsWith()", "endsWith()" operations. request.expiration_days: the role expiration days for the request, support "==", "!=", "<", "<=", ">", ">=" operations. request.role: the request role full name, support "==", "!=", "in [xx]", "!(in [xx])", "contains()", "matches()", "startsWith()", "endsWith()" operations. When source is CHANGE_DATABASE, support: statement.*, resource.* (excluding request.*) When source is CREATE_DATABASE, support: resource.environment_id, resource.project_id, resource.db_engine, resource.database_name When source is EXPORT_DATA, support: resource.environment_id, resource.project_id, resource.db_engine, resource.database_name, resource.schema_name, resource.table_name When source is REQUEST_ROLE, support: resource.project_id, request.expiration_days, request.role When source is REQUEST_ACCESS, support: resource.environment_id, resource.project_id, request.unmask For examples: resource.environment_id == "prod" && statement.affected_rows >= 100 resource.table_name.matches("sensitive_.*") && resource.db_engine == "MYSQL"

WorkspaceProfileSetting

The external URL is used for sso authentication callback.

Disallow self-service signup, users can only be invited by the owner.

Require 2FA for all users.

The duration for refresh token. Default is 7 days.

The setting of custom announcement

The max duration for role expired.

The workspace domain, e.g., bytebase.com.

Only user and group from the domains can be created and login.

The workspace database change mode.

Whether to disallow password signin. (Except workspace admins)

Whether to enable metric collection for the workspace.

The session expiration time if not activity detected for the user. Value <= 0 means no limit.

Whether to enable audit logging to stdout in structured JSON format. Requires TEAM or ENTERPRISE license.

Whether to display watermark on pages. Requires ENTERPRISE license.

The token for directory sync authentication.

Password restriction settings.

The duration for access token. Default is 1 hour.

Whether debug mode is enabled.

| | sql_result_size | int64 | |

The maximum result size limit in bytes for query and export, works for the SQL Editor and Export Center. The default value is 100MB, we will use the default value if the setting not exists, or the limit <= 0.

The query timeout duration for query and export, works for the SQL Editor and Export Center.

WorkspaceProfileSetting.PasswordRestriction

min_length is the minimum length for password, should no less than 8.

require_number requires the password must contains at least one number.

require_letter requires the password must contains at least one letter, regardless of upper case or lower case

require_uppercase_letter requires the password must contains at least one upper case letter.

require_special_character requires the password must contains at least one special character.

require_reset_password_for_first_login requires users to reset their password after the 1st login.

password_rotation requires users to reset their password after the duration.

AISetting.Provider

| | OPEN_AI | 1 |

| | CLAUDE | 2 |

| | GEMINI | 3 |

| | AZURE_OPENAI | 4 |

Algorithm.InnerOuterMask.MaskType

| | INNER | 1 |

| | OUTER | 2 |

Announcement.AlertLevel

We support three levels of AlertLevel: INFO, WARNING, and ERROR.

| | INFO | 1 |

| | WARNING | 2 |

| | CRITICAL | 3 |

DatabaseChangeMode

| | PIPELINE | 1 |

A more advanced database change process, including custom approval workflows and other advanced features. Default to this mode.

| | EDITOR | 2 |

A simple database change process in SQL editor. Users can execute SQL directly.

EmailSetting.SMTPConfig.Authentication

| | AUTHENTICATION_NONE | 1 |

| | PLAIN | 2 |

| | LOGIN | 3 |

| | CRAM_MD5 | 4 |

EmailSetting.SMTPConfig.Encryption

| | ENCRYPTION_NONE | 1 |

| | STARTTLS | 2 |

| | SSL_TLS | 3 |

EmailSetting.Type

| | SMTP | 1 |

Setting.SettingName

| | WORKSPACE_PROFILE | 1 |

| | WORKSPACE_APPROVAL | 2 |

| | APP_IM | 3 |

| | AI | 4 |

| | DATA_CLASSIFICATION | 5 |

| | SEMANTIC_TYPES | 6 |

| | ENVIRONMENT | 7 |

| | EMAIL | 8 |

WorkspaceApprovalSetting.Rule.Source

| | CHANGE_DATABASE | 1 |

| | CREATE_DATABASE | 2 |

| | EXPORT_DATA | 3 |

| | REQUEST_ROLE | 4 |

| | REQUEST_ACCESS | 5 |

SettingService

SettingService manages workspace-level settings and configurations.

Lists all workspace settings. Permissions required: bb.settings.list

Retrieves a workspace setting by name. Permissions required: bb.settings.get

Updates a workspace setting. Permissions required: bb.settings.set

Sends a test email using the provided config (without persisting). Permissions required: bb.settings.set

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | ListSettings | GET | /v1/settings | | | GetSetting | GET | /v1/{name=settings/*} | | | UpdateSetting | PATCH | /v1/{setting.name=settings/*} | setting | | TestEmailSetting | POST | /v1/{parent=workspaces/*}/settings/EMAIL:test | * |

v1/actuator_service.proto

Top

ActuatorInfo

System information and configuration for the Bytebase instance.

Actuator concept is similar to the Spring Boot Actuator.

The Bytebase server version.

The git commit hash of the build.

Whether the Bytebase instance is running in read-only mode.

Whether the Bytebase instance is running in SaaS mode where some features cannot be edited by users.

Whether the Bytebase instance is running in demo mode.

The host address of the Bytebase instance.

The port number of the Bytebase instance.

The external URL where users or webhook callbacks access Bytebase.

The last time any API call was made, refreshed on each request.

The unique identifier for the workspace. Format: workspaces/{id}

List of features that are not licensed.

Whether the Bytebase instance is running in Docker.

| | activated_user_count | int32 | |

The number of activated users.

| | activated_instance_count | int32 | |

The number of activated database instances.

| | total_instance_count | int32 | |

The total number of database instances.

Whether sample data setup is enabled.

Whether the external URL is set via command-line flag (and thus cannot be changed via UI).

| | replica_count | int32 | |

The number of active replicas (servers sharing the same database).

The default project for unassigned databases. Format: projects/{id}

| | user_count_in_iam | int32 | |

The number of users in the workspace IAM (for seat limit display).

DeleteCacheRequest

Request message for deleting cache.

GetActuatorInfoRequest

Request message for getting actuator information.

Optional. The workspace to scope the response to. Format: workspaces/{workspace} When unset, the workspace is resolved from the request context (self-hosted) or no workspace-scoped fields are returned (SaaS).

Restriction

Whether self-service user signup is disabled.

Whether password-based signin is disabled (except for workspace admins).

Password complexity and restriction requirements.

SetupSampleRequest

Request message for setting up sample data.

ActuatorService

ActuatorService manages system health and operational information.

Gets system information and health status of the Bytebase instance. When name is provided (or the workspace-scoped binding is used), the response includes workspace-scoped fields for that workspace. Permissions required: None

Sets up sample data for demonstration and testing purposes. Permissions required: bb.projects.create

Clears the system cache to force data refresh. Permissions required: None

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetActuatorInfo | GET | /v1/actuator/info | | | GetActuatorInfo | GET | /v1/{name=workspaces/*}/actuator/info | | | SetupSample | POST | /v1/actuator:setupSample | | | DeleteCache | DELETE | /v1/actuator/cache | |

v1/ai_service.proto

Top

AIChatMessage

A single message in the conversation.

The role of the message sender.

The text content of the message. Optional for assistant messages that only contain tool calls.

Tool calls made by the assistant. Only present in assistant messages.

The ID of the tool call this message is responding to. Only present in tool messages.

AIChatRequest

Request message for AIService.Chat.

The conversation messages.

The tool definitions available to the AI.

AIChatResponse

Response message for AIService.Chat.

The text content of the AI response. Optional when the response only contains tool calls.

Tool calls the AI wants to make.

Token usage for this provider call, when available.

AIChatToolCall

A tool call made by the AI.

The unique ID of this tool call.

The name of the tool to call.

The JSON-encoded arguments to pass to the tool.

Opaque provider-specific metadata (e.g., Gemini thought_signature). Frontend must echo this back unchanged when sending tool results.

AIChatToolDefinition

A tool definition that the AI can invoke.

The name of the tool.

A description of what the tool does.

The JSON Schema describing the tool's parameters.

AIChatUsage

Token usage for a single AI provider call.

Total tokens used by the provider call.

AIChatMessageRole

Role of a chat message.

Unspecified role.

| | AI_CHAT_MESSAGE_ROLE_SYSTEM | 1 |

System message providing instructions.

| | AI_CHAT_MESSAGE_ROLE_USER | 2 |

User message.

| | AI_CHAT_MESSAGE_ROLE_ASSISTANT | 3 |

Assistant (AI) message.

| | AI_CHAT_MESSAGE_ROLE_TOOL | 4 |

Tool result message.

AIService

AIService provides AI chat capabilities for the page agent.

Chat sends a conversation with tool definitions to the configured AI provider and returns the AI response.

Methods with HTTP bindings

v1/iam_policy.proto

Top

Binding

Binding associates members with a role and optional conditions.

The role that is assigned to the members. Format: roles/{role}

Specifies the principals requesting access for a Bytebase resource. For users, the member should be: user:{email} For groups, the member should be: group:{email} For service accounts, the member should be: serviceAccount:{email} For workload identities, the member should be: workloadIdentity:{email}

The condition that is associated with this binding, only used in the project IAM policy. If the condition evaluates to true, then this binding applies to the current request. If the condition evaluates to false, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Support variables: resource.database: the database full name in "instances/{instance}/databases/{database}" format, used by the "roles/sqlEditorUser" and "roles/sqlEditorReadUser" roles, support "==" operator. resource.schema_name: the schema name, used by the "roles/sqlEditorUser" and "roles/sqlEditorReadUser" roles, support "==" operator. resource.table_name: the table name, used by the "roles/sqlEditorUser" and "roles/sqlEditorReadUser" roles, support "==" operator. resource.environment_id: the environment to allow the DDL/DML operation in the SQL Editor, only works for the role with bb.sql.ddl or bb.sql.dml permissions. Support "in" operator. request.time: the expiration. Only support "<" operation in request.time \< timestamp("{ISO datetime string format}"). For example: resource.database == "instances/local-pg/databases/postgres" && resource.schema_name in ["public","another_schema"] resource.database == "instances/local-pg/databases/bytebase" && resource.schema_name == "public" && resource.table_name in ["audit_log"] resource.database == "instances/local-pg/databases/postgres" && resource.environment_id in ["test"] request.time < timestamp("2025-04-26T11:24:48.655Z")

The parsed expression of the condition.

BindingDelta

A single change to a binding.

The action that was performed on a Binding.

Role that is assigned to members. For example, roles/projectOwner.

Follows the same format of Binding.members.

The condition that is associated with this binding.

GetIamPolicyRequest

Request message for getting an IAM policy.

The name of the resource to get the IAM policy. Format: projects/{project} Format: workspaces/{workspace}

IamPolicy

IAM policy that binds members to roles.

Collection of binding. A binding binds one or more project members to a single project role.

The current etag of the policy. If an etag is provided and does not match the current etag of the policy, the call will be blocked and an ABORTED error will be returned.

PolicyDelta

Describes changes between two IAM policies.

The delta for Bindings between two policies.

SetIamPolicyRequest

Request message for setting an IAM policy.

The name of the resource to set the IAM policy. Format: projects/{project} Format: workspaces/{workspace}

The current etag of the policy.

BindingDelta.Action

Type of action performed on a binding.

Unspecified action.

| | ADD | 1 |

Add a binding.

| | REMOVE | 2 |

Remove a binding.

v1/audit_log_service.proto

Top

AuditData

Additional audit data specific to certain operations.

Changes to IAM policies.

AuditLog

Audit log entry recording system activity or API call.

The name of the log. Formats: - projects/{project}/auditLogs/{uid} - workspaces/{workspace}/auditLogs/{uid}

The timestamp when the audit log was created.

The user who performed the action. Format: users/{email}

The method or action being audited. For example: /bytebase.v1.SQLService/Query or bb.project.repository.push

The severity level of this audit log entry.

The resource associated with this audit log.

The request payload in JSON format.

The response payload in JSON format. Some fields may be omitted if they are too large or contain sensitive information.

The status of the operation.

The duration of the operation.

Service-specific metadata about the request, response, and activities.

Metadata about the request context.

ExportAuditLogsRequest

Request message for exporting audit logs.

The filter of the log. It should be a valid CEL expression. Check the filter field in the SearchAuditLogsRequest message.

The order by of the log. Only support order by create_time. The default sorting order is ascending. For example: - order_by = "create_time asc" - order_by = "create_time desc"

The export format.

| | page_size | int32 | |

The maximum number of logs to return. The service may return fewer than this value. If unspecified, at most 10 log entries will be returned. The maximum value is 5000; values above 5000 will be coerced to 5000.

A page token, received from a previous ExportAuditLogs call. Provide this to retrieve the subsequent page.

ExportAuditLogsResponse

Response message for exporting audit logs.

The exported audit log content in the requested format.

A token to retrieve next page of log entities. Pass this value in the page_token field in the subsequent call to retrieve the next page of log entities.

RequestMetadata

Metadata about the incoming request.

The IP address of the request originator.

The user agent string provided by the caller. This is supplied by the client and is not authenticated.

SearchAuditLogsRequest

Request message for searching audit logs.

The filter of the log. It should be a valid CEL expression. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filter: - method: the API name, can be found in the docs, should start with "/bytebase.v1." prefix. For example "/bytebase.v1.UserService/CreateUser". Support "==" operator. - severity: support "==" operator, check Severity enum in AuditLog message for values. - user: the actor, should in "users/{email}" format, support "==" operator. - create_time: support ">=" and "<=" operator. For example: - filter = "method == '/bytebase.v1.SQLService/Query'" - filter = "method == '/bytebase.v1.SQLService/Query' && severity == 'ERROR'" - filter = "method == '/bytebase.v1.SQLService/Query' && severity == 'ERROR' && user == 'users/[email protected]'" - filter = "method == '/bytebase.v1.SQLService/Query' && severity == 'ERROR' && create_time <= '2021-01-01T00:00:00Z' && create_time >= '2020-01-01T00:00:00Z'"

The order by of the log. Only support order by create_time. The default sorting order is ascending. For example: - order_by = "create_time asc" - order_by = "create_time desc"

| | page_size | int32 | |

A page token, received from a previous SearchLogs call. Provide this to retrieve the subsequent page.

SearchAuditLogsResponse

Response message for searching audit logs.

A token to retrieve next page of log entities. Pass this value in the page_token field in the subsequent call to retrieve the next page of log entities.

AuditLog.Severity

Severity level for audit log entries.

Unspecified severity level.

| | DEBUG | 1 |

Debug-level information.

| | INFO | 2 |

Informational messages.

| | NOTICE | 3 |

Notable events.

| | WARNING | 4 |

Warning conditions.

| | ERROR | 5 |

Error conditions.

| | CRITICAL | 6 |

Critical conditions.

| | ALERT | 7 |

Action must be taken immediately.

| | EMERGENCY | 8 |

System is unusable.

AuditLogService

AuditLogService manages audit logs for system activities and API calls.

Searches audit logs with optional filtering and pagination. Permissions required: bb.auditLogs.search

Exports audit logs in a specified format for external analysis. Permissions required: bb.auditLogs.export

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | SearchAuditLogs | POST | /v1/{parent=projects/*}/auditLogs:search | * | | SearchAuditLogs | POST | /v1/auditLogs:search | * | | ExportAuditLogs | POST | /v1/{parent=projects/*}/auditLogs:export | * | | ExportAuditLogs | POST | /v1/auditLogs:export | * |

v1/user_service.proto

Top

BatchGetUsersRequest

The user names to retrieve. Format: users/{email}

BatchGetUsersResponse

The users from the specified request.

CreateUserRequest

The user to create.

DeleteUserRequest

The name of the user to delete. Format: users/{email}

GetUserRequest

The name of the user to retrieve. Format: users/{email}

ListUsersRequest

The maximum number of users to return. The service may return fewer than this value. If unspecified, at most 10 users will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListUsers call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListUsers must match the call that provided the page token.

Show deleted users if specified.

Filter is used to filter users returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filter: - name: the user name, support "==" and ".contains()" operator. - email: the user email, support "==" and ".contains()" operator. - state: check State enum for values, support "==" operator. - project: the project full name in "projects/{id}" format, support "==" operator. For example: name == "ed" name.contains("ed") email == "[email protected]" email.contains("ed") state == "DELETED" project == "projects/sample-project" You can combine filter conditions like: name.contains("ed") && project == "projects/sample-project" (name == "ed" || email == "[email protected]") && project == "projects/sample-project"

ListUsersResponse

The users from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

UndeleteUserRequest

The name of the deleted user. Format: users/{email}

UpdateEmailRequest

The name of the user whose email to update. Format: users/{email} Note: This is the current (old) email address. The new email is specified in the 'email' field.

The new email address.

UpdateUserRequest

The user to update. The user's name field is used to identify the user to update. Format: users/{email}

The list of fields to update.

The otp_code is used to verify the user's identity by MFA.

The regenerate_temp_mfa_secret flag means to regenerate temporary MFA secret for user. This is used for MFA setup. The temporary MFA secret and recovery codes will be returned in the response.

The regenerate_recovery_codes flag means to regenerate recovery codes for user.

If set to true, and the user is not found, a new user will be created. In this situation, update_mask is ignored.

User

The name of the user. Format: users/{email}

The lifecycle state of the user account.

The email address of the user, used for login and notifications.

The display title or full name of the user.

The password for authentication. Only used during user creation or password updates.

The service key for service account authentication.

The mfa_enabled flag means if the user has enabled MFA.

Temporary OTP secret used during MFA setup and regeneration.

Temporary recovery codes used during MFA setup and regeneration.

Timestamp when temp_otp_secret was created. Used by frontend to show countdown timer.

Should be a valid E.164 compliant phone number. Could be empty.

User profile metadata.

The groups for the user. Format: groups/{email}

The current workspace. Format: workspaces/{id}

User.Profile

The last time the user successfully logged in.

The last time the user changed their password.

source means where the user comes from. For now we support Entra ID SCIM sync, so the source could be Entra ID.

UserService

UserService manages user accounts and authentication.

Get the user. Any authenticated user can get the user. Permissions required: bb.users.get

Get the users in batch. Any authenticated user can batch get users. Permissions required: bb.users.get

Get the current authenticated user. Permissions required: None

List all users. Any authenticated user can list users. Permissions required: bb.users.list

Creates a user in the caller's workspace (admin action, self-hosted only). In SaaS mode, admins should add users via workspace IAM policy instead. Permissions required: bb.users.create

Updates a user. Users can update their own profile, or users with bb.users.update permission can update any user. Note: Email updates are not supported through this API. Use UpdateEmail instead. Permissions required: bb.users.update (or self)

Deletes a user. Requires bb.users.delete permission with additional validation: the last remaining workspace admin cannot be deleted. Permissions required: bb.users.delete

Restores a deleted user. Permissions required: bb.users.undelete

Updates a user's email address. Permissions required: bb.users.updateEmail

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetUser | GET | /v1/{name=users/*} | | | BatchGetUsers | GET | /v1/users:batchGet | | | GetCurrentUser | GET | /v1/users/me | | | ListUsers | GET | /v1/users | | | CreateUser | POST | /v1/users | user | | UpdateUser | PATCH | /v1/{user.name=users/*} | user | | DeleteUser | DELETE | /v1/{name=users/*} | | | UndeleteUser | POST | /v1/{name=users/*}:undelete | * | | UpdateEmail | POST | /v1/{name=users/*}:updateEmail | * |

v1/auth_service.proto

Top

ExchangeTokenRequest

External OIDC token (JWT) from CI/CD platform.

Workload Identity email for identifying which identity to authenticate as. Format: {name}@workload.bytebase.com

ExchangeTokenResponse

Bytebase access token.

IdentityProviderContext

Context for identity provider authentication.

OAuth2 authentication context.

OpenID Connect authentication context.

LoginRequest

User's email address.

User's password for authentication.

| | web | bool | |

If true, sets access token and refresh token as HTTP-only cookies instead of returning the token in the response body. Use for browser-based clients.

The name of the identity provider. Format: idps/{idp}

The idp_context is used to get the user information from identity provider.

The otp_code is used to verify the user's identity by MFA.

The recovery_code is used to recovery the user's identity with MFA.

The mfa_temp_token is used to verify the user's identity by MFA.

LoginResponse

Access token for authenticated requests. Only returned when web=false. For web=true, the token is set as an HTTP-only cookie.

Temporary token for MFA verification.

Whether user must reset password before continuing.

The user from the successful login.

LogoutRequest

Request to logout current user session.

OAuth2IdentityProviderContext

OAuth2 authentication context.

Authorization code from OAuth2 provider.

OIDCIdentityProviderContext

OpenID Connect authentication context.

Authorization code from OIDC provider.

RefreshRequest

Request to refresh the access token.

RefreshResponse

Response from refreshing the access token.

SignupRequest

The email for the new account.

The password for the new account.

The display name of the user.

SwitchWorkspaceRequest

The target workspace to switch to. Format: workspaces/{workspace}

| | web | bool | |

If true, sets tokens as HTTP-only cookies (browser clients).

OTP code for MFA verification. Required if the target workspace enforces MFA.

Recovery code for MFA verification (alternative to otp_code).

Temporary MFA token from a previous SwitchWorkspace call that returned mfa_temp_token.

AuthService

AuthService handles user authentication operations.

Authenticates a user and returns access tokens. Permissions required: None

Logs out the current user session. Permissions required: None

Exchanges an external OIDC token for a Bytebase access token. Used by CI/CD pipelines with Workload Identity Federation. Permissions required: None (validates via OIDC token)

Registers a new user account. Creates a principal and assigns a workspace: - If the user's email was pre-invited to a workspace, joins that workspace. - Otherwise, creates a new workspace with the user as admin. Returns access tokens so the user is logged in immediately after signup.

Refreshes the access token using the refresh token cookie. Permissions required: None (validates via refresh token cookie)

Switches the current user's active workspace and issues new tokens. The user must be a member of the target workspace.

Methods with HTTP bindings

v1/cel_service.proto

Top

BatchDeparseRequest

Request message for batch deparsing CEL expressions.

The CEL expression ASTs to deparse.

BatchDeparseResponse

Response message for batch deparsing CEL expressions.

The deparsed CEL expressions as strings.

BatchParseRequest

Request message for batch parsing CEL expressions.

The CEL expression strings to parse.

BatchParseResponse

Response message for batch parsing CEL expressions.

The parsed CEL expressions as AST.

CelService

CelService manages CEL (Common Expression Language) parsing and formatting operations.

Parses multiple CEL expression strings into AST representations. Permissions required: None

Converts multiple CEL AST representations back into expression strings. Permissions required: None

Methods with HTTP bindings

v1/database_catalog_service.proto

Top

ColumnCatalog

Column metadata within a table.

The column name.

The semantic type describing the data purpose.

User-defined labels for this column.

The data classification level for this column.

Object schema for complex column types like JSON.

ColumnCatalog.LabelsEntry

DatabaseCatalog

Catalog metadata for a database including schemas, tables, and columns.

The name of the database catalog. Format: instances/{instance}/databases/{database}/catalog

The schemas in the database.

GetDatabaseCatalogRequest

Request message for getting a database catalog.

The name of the database catalog to retrieve. Format: instances/{instance}/databases/{database}/catalog

ObjectSchema

Schema definition for object-type columns.

The data type of this object.

Struct schema.

Array schema.

The semantic type of this object.

ObjectSchema.ArrayKind

Array type with element schema.

The schema of array elements.

ObjectSchema.StructKind

Structure type with named properties.

Properties of the struct.

ObjectSchema.StructKind.PropertiesEntry

SchemaCatalog

Schema metadata within a database.

The schema name.

The tables in the schema.

TableCatalog

Table metadata within a schema.

The table name.

Regular table columns.

Object schema for JSON/XML columns.

The data classification level for this table.

TableCatalog.Columns

Column list for regular tables.

The columns in the table.

UpdateDatabaseCatalogRequest

Request message for updating a database catalog.

The database catalog to update. The catalog's name field is used to identify the database catalog to update. Format: instances/{instance}/databases/{database}/catalog

If set to true, and the database catalog is not found, a new database catalog will be created. In this situation, update_mask is ignored.

ObjectSchema.Type

Object schema data types.

Unspecified type.

| | STRING | 1 |

String type.

| | NUMBER | 2 |

Number type.

| | BOOLEAN | 3 |

Boolean type.

| | OBJECT | 4 |

Object/struct type.

| | ARRAY | 5 |

Array type.

DatabaseCatalogService

DatabaseCatalogService manages database schema metadata and classification.

Gets the catalog metadata for a database. Permissions required: bb.databaseCatalogs.get

Updates catalog metadata such as classifications and labels. Permissions required: bb.databaseCatalogs.update

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetDatabaseCatalog | GET | /v1/{name=instances/*/databases/*/catalog} | | | UpdateDatabaseCatalog | PATCH | /v1/{catalog.name=instances/*/databases/*/catalog} | catalog |

v1/database_group_service.proto

Top

CreateDatabaseGroupRequest

Request message for creating a database group.

The parent resource where this database group will be created. Format: projects/{project}

The database group to create.

The ID to use for the database group, which will become the final component of the database group's resource name. This value should be 4-63 characters, and valid characters are /[a-z][0-9]-/.

If set, validate the create request and preview the full database group response, but do not actually create it.

DatabaseGroup

A group of databases matched by expressions.

The name of the database group. Format: projects/{project}/databaseGroups/{databaseGroup}

The short name used in actual databases specified by users.

The condition that is associated with this database group. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Support variables: resource.environment_id: the environment resource id. Support "==", "!=", "in [XX]", "!(in [xx])" operations. resource.instance_id: the instance resource id. Support "==", "!=", "in [XX]", "!(in [xx])", "contains", "matches", "startsWith", "endsWith" operations. resource.database_name: the database name. Support "==", "!=", "in [XX]", "!(in [xx])", "contains", "matches", "startsWith", "endsWith" operations. resource.database_labels: the database labels. Support map access operations. All variables should join with "&&" condition. For example: resource.environment_id == "test" && resource.database_name.startsWith("sample_") resource.database_labels["tenant"] == "tenant1"

The list of databases that match the database group condition.

DatabaseGroup.Database

A database within a database group.

The resource name of the database. Format: instances/{instance}/databases/{database}

DeleteDatabaseGroupRequest

Request message for deleting a database group.

The name of the database group to delete. Format: projects/{project}/databaseGroups/{databaseGroup}

GetDatabaseGroupRequest

Request message for getting a database group.

The name of the database group to retrieve. Format: projects/{project}/databaseGroups/{databaseGroup}

The view to return. Defaults to DATABASE_GROUP_VIEW_BASIC.

ListDatabaseGroupsRequest

Request message for listing database groups.

The parent resource whose database groups are to be listed. Format: projects/{project}

The view to return. Defaults to DATABASE_GROUP_VIEW_BASIC.

ListDatabaseGroupsResponse

Response message for listing database groups.

The database groups from the specified request.

UpdateDatabaseGroupRequest

Request message for updating a database group.

The database group to update. The database group's name field is used to identify the database group to update. Format: projects/{project}/databaseGroups/{databaseGroup}

The list of fields to update.

If set to true, and the database group is not found, a new database group will be created. In this situation, update_mask is ignored.

DatabaseGroupView

View options for database group responses.

The default / unset value. The API will default to the BASIC view.

| | DATABASE_GROUP_VIEW_BASIC | 1 |

Include basic information about the database group, but exclude the list of matched databases and unmatched databases.

| | DATABASE_GROUP_VIEW_FULL | 2 |

Include everything.

DatabaseGroupService

DatabaseGroupService manages database groups for organizing databases by criteria.

Lists database groups in a project. Permissions required: bb.databaseGroups.list

Gets a database group by name. Permissions required: bb.databaseGroups.get

Creates a new database group. Permissions required: bb.databaseGroups.create

Updates a database group. Permissions required: bb.databaseGroups.update When allow_missing=true, also requires: bb.databaseGroups.create

Deletes a database group. Permissions required: bb.databaseGroups.delete

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | ListDatabaseGroups | GET | /v1/{parent=projects/*}/databaseGroups | | | GetDatabaseGroup | GET | /v1/{name=projects/*/databaseGroups/*} | | | CreateDatabaseGroup | POST | /v1/{parent=projects/*}/databaseGroups | database_group | | UpdateDatabaseGroup | PATCH | /v1/{database_group.name=projects/*/databaseGroups/*} | database_group | | DeleteDatabaseGroup | DELETE | /v1/{name=projects/*/databaseGroups/*} | |

v1/instance_role_service.proto

Top

InstanceRole

InstanceRole is the API message for instance role.

The name of the role. Format: instances/{instance}/roles/{role} The role name is the unique name for the role.

The role name. It's unique within the instance.

The role password.

The connection count limit for this role.

The expiration for the role's password.

The role attribute. For PostgreSQL, it contains super_user, no_inherit, create_role, create_db, can_login, replication, and bypass_rls. Docs: https://www.postgresql.org/docs/current/role-attributes.html For MySQL, it's the global privileges as GRANT statements, which means it only contains "GRANT ... ON *.* TO ...". Docs: https://dev.mysql.com/doc/refman/8.0/en/grant.html

ListInstanceRolesRequest

The parent, which owns this collection of roles. Format: instances/{instance}

| | page_size | int32 | |

Not used. The maximum number of roles to return. The service may return fewer than this value. If unspecified, at most 10 roles will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

Not used. A page token, received from a previous ListInstanceRoles call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListInstanceRoles must match the call that provided the page token.

Refresh will refresh and return the latest data.

ListInstanceRolesResponse

The roles from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

InstanceRoleService

InstanceRoleService manages database roles within instances.

Lists all database roles in an instance. Permissions required: bb.instanceRoles.list

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | ListInstanceRoles | GET | /v1/{parent=instances/*}/roles | |

v1/instance_service.proto

Top

AddDataSourceRequest

The name of the instance to add a data source to. Format: instances/{instance}

Identified by data source ID. Only READ_ONLY data source can be added.

Validate only also tests the data source connection.

BatchSyncInstancesRequest

The request message specifying the instances to sync. A maximum of 1000 instances can be synced in a batch.

BatchSyncInstancesResponse

BatchUpdateInstancesRequest

The request message specifying the resources to update.

BatchUpdateInstancesResponse

CreateInstanceRequest

The instance to create.

The ID to use for the instance, which will become the final component of the instance's resource name. This value should be 4-63 characters, and valid characters are /[a-z][0-9]-/.

Validate only also tests the data source connection.

DataSource

The unique identifier for this data source.

The type of data source (ADMIN or READ_ONLY).

The username for database authentication.

The password for database authentication.

Use SSL to connect to the data source. By default, we use system default SSL configuration.

The SSL certificate authority certificate.

The SSL client certificate.

The SSL client private key.

The local filesystem path to the SSL certificate authority certificate.

The local filesystem path to the SSL client certificate.

The local filesystem path to the SSL client private key.

Whether an SSL certificate authority certificate has been configured.

Whether an SSL client certificate has been configured.

Whether an SSL client private key has been configured.

Whether an SSL certificate authority path has been configured.

Whether an SSL client certificate path has been configured.

Whether an SSL client private key path has been configured.

verify_tls_certificate enables TLS certificate verification for SSL connections. Default is false (no verification) for backward compatibility. Set to true for secure connections (recommended for production). Only set to false for development or when certificates cannot be properly validated (e.g., self-signed certs, VPN environments).

The hostname or IP address of the database server.

The port number of the database server.

The name of the database to connect to.

| | srv | bool | |

srv, authentication_database and replica_set are used for MongoDB. srv is a boolean flag that indicates whether the host is a DNS SRV record.

authentication_database is the database name to authenticate against, which stores the user credentials.

replica_set is used for MongoDB replica set.

| | sid | string | |

sid and service_name are used for Oracle.

Connection over SSH. The hostname of the SSH server agent. Required.

The port of the SSH server agent. It's 22 typically. Required.

The user to login the server. Required.

The password to login the server. If it's empty string, no password is required.

The private key to login the server. If it's empty string, we will use the system default private key from os.Getenv("SSH_AUTH_SOCK").

PKCS#8 private key in PEM format. If it's empty string, no private key is required. Used for authentication when connecting to the data source.

Passphrase for the encrypted PKCS#8 private key. Only used when the private key is encrypted.

additional_addresses is used for MongoDB replica set.

direct_connection is used for MongoDB to dispatch all the operations to the node specified in the connection string.

region is the location of where the DB is, works for AWS RDS. For example, us-east-1.

warehouse_id is used by Databricks.

master_name is the master name used by connecting redis-master via redis sentinel.

master_username and master_password are master credentials used by redis sentinel mode.

Cluster is the cluster name for the data source. Used by CockroachDB.

Extra connection parameters for the database connection. For PostgreSQL HA, this can be used to set target_session_attrs=read-write

DataSource.AWSCredential

ARN of IAM role to assume for cross-account access. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id\_roles\_use.html

Optional external ID for additional security when assuming role. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id\_roles\_create\_for-user\_externalid.html

DataSource.Address

DataSource.AzureCredential

DataSource.ExtraConnectionParametersEntry

DataSource.GCPCredential

DataSourceExternalSecret

The type of external secret store.

| | url | string | |

The URL of the external secret store.

The authentication method for accessing the secret store.

AppRole authentication configuration.

Token for direct authentication.

engine name is the name for secret engine.

the secret name in the engine to store the password.

the key name for the password.

TLS configuration for connecting to Vault server. These fields are separate from the database TLS configuration in DataSource. skip_vault_tls_verification disables TLS certificate verification for Vault connections. Default is false (verification enabled) for security. Only set to true for development or when certificates cannot be properly validated.

CA certificate for Vault server verification.

Client certificate for mutual TLS authentication with Vault.

Client private key for mutual TLS authentication with Vault.

DataSourceExternalSecret.AppRoleAuthOption

The role ID for Vault AppRole authentication.

the secret id for the role without ttl.

The type of secret for AppRole authentication.

The path where the approle auth method is mounted.

DeleteInstanceRequest

The name of the instance to delete. Format: instances/{instance}

If set to true, any databases and sheets from this project will also be moved to default project, and all open issues will be closed.

If set to true, permanently purge the soft-deleted instance and all related resources. This operation is irreversible. Following AIP-165, this should only be used for administrative cleanup of old soft-deleted instances. The instance must already be soft-deleted for this to work.

GetInstanceRequest

The name of the instance to retrieve. Format: instances/{instance}

Instance

The name of the instance. Format: instances/{instance}

The lifecycle state of the instance.

The display title of the instance.

The database engine type.

The version of the database engine.

External URL to the database instance console.

Data source configurations for connecting to the instance.

The environment resource. Format: environments/prod where prod is the environment resource ID.

Whether the instance is activated for use.

Database roles available in this instance.

How often the instance is synced.

Enable sync for following databases. Default empty, means sync all schemas & databases.

The last time the instance was synced.

Labels are key-value pairs that can be attached to the instance. For example, { "org_group": "infrastructure", "environment": "production" }

Instance.LabelsEntry

InstanceResource

The display title of the instance.

The database engine type.

The version of the database engine.

Data source configurations for the instance.

Whether the instance is activated.

The name of the instance. Format: instances/{instance}

The environment resource. Format: environments/prod where prod is the environment resource ID.

KerberosConfig

The primary component of the Kerberos principal.

The instance component of the Kerberos principal.

The Kerberos realm.

The keytab file contents for authentication.

The hostname of the Key Distribution Center (KDC).

The port of the Key Distribution Center (KDC).

The transport protocol for KDC communication (tcp or udp).

ListInstanceDatabaseRequest

The name of the instance. Format: instances/{instance}

The target instance. We need to set this field if the target instance is not created yet.

ListInstanceDatabaseResponse

All database name list in the instance.

ListInstancesRequest

The maximum number of instances to return. The service may return fewer than this value. If unspecified, at most 10 instances will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListInstances call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListInstances must match the call that provided the page token.

Show deleted instances if specified.

Filter the instance. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filters: - name: the instance name, support "==" and ".contains()" operator. - resource_id: the instance id, support "==" and ".contains()" operator. - environment: the environment full name in "environments/{id}" format, support "==" operator. - state: the instance state, check State enum for values, support "==" operator. - engine: the instance engine, check Engine enum for values. Support "==", "in [xx]", "!(in [xx])" operator. - host: the instance host, support "==" and ".contains()" operator. - port: the instance port, support "==" and ".contains()" operator. - project: the project full name in "projects/{id}" format, support "==" operator. - labels.{key}: the instance label, support "==" and "in" operators. For example: name == "sample instance" name.contains("sample") resource_id == "sample-instance" resource_id.contains("sample") state == "DELETED" environment == "environments/test" environment == "" (find instances which environment is not set) engine == "MYSQL" engine in ["MYSQL", "POSTGRES"] !(engine in ["MYSQL", "POSTGRES"]) host == "127.0.0.1" host.contains("127.0") port == "54321" port.contains("543") labels.org_group == "infrastructure" labels.environment in ["prod", "production"] project == "projects/sample-project" You can combine filter conditions like: name.contains("sample") && environment == "environments/test" host == "127.0.0.1" && port == "54321"

The order by of instances. Support title, environment. The default sorting order is ascending. For example: - order_by = "title" - order_by = "title desc" - order_by = "title desc, environment asc"

ListInstancesResponse

The instances from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

RemoveDataSourceRequest

The name of the instance to remove a data source from. Format: instances/{instance}

Identified by data source ID. Only READ_ONLY data source can be removed.

SASLConfig

Kerberos authentication configuration.

SyncInstanceRequest

The name of instance. Format: instances/{instance}

When full sync is enabled, all databases in the instance will be synchronized. Otherwise, only the instance metadata (such as the database list) and any newly discovered databases will be synced.

SyncInstanceResponse

All database name list in the instance.

UndeleteInstanceRequest

The name of the deleted instance. Format: instances/{instance}

UpdateDataSourceRequest

The name of the instance to update a data source. Format: instances/{instance}

Identified by data source ID.

The list of fields to update.

Validate only also tests the data source connection.

If set to true, and the data source is not found, a new data source will be created. In this situation, update_mask is ignored.

UpdateInstanceRequest

The instance to update. The instance's name field is used to identify the instance to update. Format: instances/{instance}

The list of fields to update.

If set to true, and the instance is not found, a new instance will be created. In this situation, update_mask is ignored.

DataSource.AuthenticationType

| | PASSWORD | 1 |

| | GOOGLE_CLOUD_SQL_IAM | 2 |

| | AWS_RDS_IAM | 3 |

| | AZURE_IAM | 4 |

DataSource.RedisType

| | STANDALONE | 1 |

| | SENTINEL | 2 |

| | CLUSTER | 3 |

DataSourceExternalSecret.AppRoleAuthOption.SecretType

Unspecified secret type.

| | PLAIN | 1 |

Plain text secret.

| | ENVIRONMENT | 2 |

Secret from environment variable.

DataSourceExternalSecret.AuthType

Unspecified authentication type.

| | TOKEN | 1 |

ref: https://developer.hashicorp.com/vault/docs/auth/token

| | VAULT_APP_ROLE | 2 |

ref: https://developer.hashicorp.com/vault/docs/auth/approle

DataSourceExternalSecret.SecretType

Unspecified secret type.

| | VAULT_KV_V2 | 1 |

ref: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2

| | AWS_SECRETS_MANAGER | 2 |

ref: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

| | GCP_SECRET_MANAGER | 3 |

ref: https://cloud.google.com/secret-manager/docs

| | AZURE_KEY_VAULT | 4 |

ref: https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets

DataSourceType

Unspecified data source type.

| | ADMIN | 1 |

Admin data source with write permissions.

| | READ_ONLY | 2 |

Read-only data source for query operations.

InstanceService

InstanceService manages database instances and their connections.

Gets a database instance by name. Permissions required: bb.instances.get

Lists all database instances. Permissions required: bb.instances.list

Creates a new database instance. Permissions required: bb.instances.create

Updates a database instance. Permissions required: bb.instances.update

Deletes or soft-deletes a database instance. Permissions required: bb.instances.delete

Restores a soft-deleted database instance. Permissions required: bb.instances.undelete

Syncs database schemas and metadata from an instance. Permissions required: bb.instances.sync

Lists all databases within an instance without creating them. Permissions required: bb.instances.get

Syncs multiple instances in a single request. Permissions required: bb.instances.sync

Updates multiple instances in a single request. Permissions required: bb.instances.update

Adds a read-only data source to an instance. Permissions required: bb.instances.update

Removes a read-only data source from an instance. Permissions required: bb.instances.update

Updates a data source configuration. Permissions required: bb.instances.update

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetInstance | GET | /v1/{name=instances/*} | | | ListInstances | GET | /v1/instances | | | CreateInstance | POST | /v1/instances | instance | | UpdateInstance | PATCH | /v1/{instance.name=instances/*} | instance | | DeleteInstance | DELETE | /v1/{name=instances/*} | | | UndeleteInstance | POST | /v1/{name=instances/*}:undelete | * | | SyncInstance | POST | /v1/{name=instances/*}:sync | * | | ListInstanceDatabase | POST | /v1/{name=instances/*}:databases | * | | BatchSyncInstances | POST | /v1/instances:batchSync | * | | BatchUpdateInstances | POST | /v1/instances:batchUpdate | * | | AddDataSource | POST | /v1/{name=instances/*}:addDataSource | * | | RemoveDataSource | POST | /v1/{name=instances/*}:removeDataSource | * | | UpdateDataSource | PATCH | /v1/{name=instances/*}:updateDataSource | data_source |

v1/database_service.proto

Top

BatchGetDatabasesRequest

The parent resource shared by all databases being retrieved. - projects/{project}: batch get databases in a project; - instances/{instances}: batch get databases in a instance; Use "-" as wildcard to batch get databases across parent.

The list of database names to retrieve.

BatchGetDatabasesResponse

The databases from the specified request.

BatchSyncDatabasesRequest

The parent resource shared by all databases being updated. Format: instances/{instance} If the operation spans parents, a dash (-) may be accepted as a wildcard.

The list of database names to sync.

BatchSyncDatabasesResponse

BatchUpdateDatabasesRequest

The parent resource shared by all databases being updated. Format: instances/{instance} If the operation spans parents, a dash (-) may be accepted as a wildcard. We only support updating the project of databases for now.

The request message specifying the resources to update. A maximum of 1000 databases can be modified in a batch.

BatchUpdateDatabasesResponse

Databases updated.

BoundingBox

BoundingBox defines the spatial bounds for GEOMETRY spatial indexes.

Minimum X coordinate

Minimum Y coordinate

Maximum X coordinate

Maximum Y coordinate

Changelog

Format: instances/{instance}/databases/{database}/changelogs/{changelog}

| | schema_size | int64 | |

Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}/taskRuns/{taskRun}

The title of the plan associated with this changelog's task run. This field is populated by deriving the plan from task_run for display purposes.

CheckConstraintMetadata

CheckConstraintMetadata is the metadata for check constraints.

The name is the name of a check constraint.

The expression is the expression of a check constraint.

ColumnMetadata

ColumnMetadata is the metadata for columns.

The name is the name of a column.

| | position | int32 | |

The position is the position in columns.

The default value of column.

Oracle specific metadata. The default_on_null is the default on null of a column.

The on_update is the on update action of a column. For MySQL like databases, it's only supported for TIMESTAMP columns with CURRENT_TIMESTAMP as on update value.

The nullable is the nullable of a column.

The type is the type of a column.

The character_set is the character_set of a column.

The collation is the collation of a column.

The comment is the comment of a column.

The generation is the generation of a column.

The identity_generation is for identity columns, PG only.

| | identity_seed | int64 | |

The identity_seed is for identity columns, MSSQL only.

| | identity_increment | int64 | |

The identity_increment is for identity columns, MSSQL only.

The default_constraint_name is the name of the default constraint, MSSQL only. In MSSQL, default values are implemented as named constraints. When modifying or dropping a column's default value, you must reference the constraint by name. This field stores the actual constraint name from the database. Example: A column definition like: CREATE TABLE employees ( status NVARCHAR(20) DEFAULT 'active' ) Will create a constraint with an auto-generated name like 'DF__employees__statu__3B75D760' or a user-defined name if specified: ALTER TABLE employees ADD CONSTRAINT DF_employees_status DEFAULT 'active' FOR status To modify the default, you must first drop the existing constraint by name: ALTER TABLE employees DROP CONSTRAINT DF__employees__statu__3B75D760 ALTER TABLE employees ADD CONSTRAINT DF_employees_status DEFAULT 'inactive' FOR status This field is populated when syncing from the database. When empty (e.g., when parsing from SQL files), the system cannot automatically drop the constraint.

Database

The name of the database. Format: instances/{instance}/databases/{database} {database} is the database name in the instance.

The existence of a database.

The latest synchronization time.

The project for a database. Format: projects/{project}

The release that was last applied to this database. Format: projects/{project}/releases/{release_id} Example: projects/my-project/releases/release_20260115-RC00

The environment resource. Format: environments/prod where prod is the environment resource ID.

The effective environment based on environment tag above and environment tag on the instance. Inheritance follows https://cloud.google.com/resource-manager/docs/tags/tags-overview.

Labels will be used for deployment and policy control.

The instance resource.

The database is available for DML prior backup.

The sync status of the database.

The error message if sync failed.

Database.LabelsEntry

DatabaseMetadata

DatabaseMetadata is the metadata for databases.

The database metadata name. Format: instances/{instance}/databases/{database}/metadata

The schemas is the list of schemas in a database.

The character_set is the character set of a database.

The collation is the collation of a database.

The extensions is the list of extensions in a database.

The owner of the database.

The search_path is the search path of a PostgreSQL database.

DatabaseSDLSchema

DatabaseSDLSchema contains the schema in SDL format.

The SDL schema content. - For SINGLE_FILE format: contains the complete SDL schema as a text string. - For MULTI_FILE format: contains the ZIP archive as binary data.

The MIME type of the schema content. Indicates how the client should interpret the schema field. Examples: - "text/plain; charset=utf-8" for SINGLE_FILE format - "application/zip" for MULTI_FILE format

DatabaseSchema

DatabaseSchema is the metadata for databases.

The schema dump from database.

DependencyColumn

DependencyColumn is the metadata for dependency columns.

The schema is the schema of a reference column.

The table is the table of a reference column.

The column is the name of a reference column.

DependencyTable

The schema is the schema of a reference table.

The table is the name of a reference table.

DiffSchemaRequest

The name of the database or changelog. Format: database: instances/{instance}/databases/{database} changelog: instances/{instance}/databases/{database}/changelogs/{changelog}

The target schema.

The resource name of the changelog Format: instances/{instance}/databases/{database}/changelogs/{changelog}

DiffSchemaResponse

DimensionConstraint

DimensionConstraint defines constraints for a spatial dimension.

Dimension name/type (X, Y, Z, M, etc.)

Minimum value for this dimension

Maximum value for this dimension

Tolerance for this dimension

DimensionalConfig

DimensionalConfig defines dimensional and constraint parameters for spatial indexes.

Number of dimensions (2-4, default 2)

Spatial data type (GEOMETRY, GEOGRAPHY, POINT, POLYGON, etc.)

| | srid | int32 | |

Spatial reference system identifier (SRID)

Coordinate system constraints

EnumTypeMetadata

The name of a type.

The enum values of a type.

The comment describing the enum type.

Whether to skip this enum type during schema dump operations.

EventMetadata

The name of the event.

The schedule of the event.

The time zone of the event.

The SQL mode setting for the event.

The character set used by the client creating the event.

The collation used for the connection when creating the event.

The comment is the comment of an event.

ExtensionMetadata

ExtensionMetadata is the metadata for extensions.

The name is the name of an extension.

The schema is the extension that is installed to. But the extension usage is not limited to the schema.

The version is the version of an extension.

The description is the description of an extension.

ExternalTableMetadata

The name is the name of a external table.

The external_server_name is the name of the external server.

The external_database_name is the name of the external database.

The columns is the ordered list of columns in a foreign table.

ForeignKeyMetadata

ForeignKeyMetadata is the metadata for foreign keys.

The name is the name of a foreign key.

The columns are the ordered referencing columns of a foreign key.

The referenced_schema is the referenced schema name of a foreign key. It is an empty string for databases without such concept such as MySQL.

The referenced_table is the referenced table name of a foreign key.

The referenced_columns are the ordered referenced columns of a foreign key.

The on_delete is the on delete action of a foreign key.

The on_update is the on update action of a foreign key.

The match_type is the match type of a foreign key. The match_type is the PostgreSQL specific field. It's empty string for other databases.

FunctionMetadata

FunctionMetadata is the metadata for functions.

The name is the name of a function.

The definition is the definition of a function.

The signature is the name with the number and type of input arguments the function takes.

MySQL specific metadata.

The dependency_tables is the list of dependency tables of a function. For PostgreSQL, it's the list of tables that the function depends on the return type definition.

GenerationMetadata

GetChangelogRequest

The name of the changelog to retrieve. Format: instances/{instance}/databases/{database}/changelogs/{changelog}

GetDatabaseMetadataRequest

The name of the database to retrieve metadata. Format: instances/{instance}/databases/{database}/metadata

Filter is used to filter databases returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filter: - schema: the schema name, support "==" operator. - table: the table name, support "==" and ".contains()" operator. For example: schema == "schema-a" table == "table-a" table.contains("table-a") schema == "schema-a" && table.contains("sample") The filter is used to search for tables containing "sample" in the schema "schemas/schema-a". The column masking level will only be returned when a table filter is used.

| | limit | int32 | |

Limit the response size of returned table metadata per schema. For example, if the database has 3 schemas, and each schema has 100 tables, if limit is 20, then only 20 tables will be returned for each schema, total 60 tables. Default 0, means no limit.

GetDatabaseRequest

The name of the database to retrieve. Format: instances/{instance}/databases/{database}

GetDatabaseSDLSchemaRequest

The name of the database to retrieve SDL schema. Format: instances/{instance}/databases/{database}/sdlSchema

The format of the SDL schema output.

GetDatabaseSchemaRequest

The name of the database to retrieve schema. Format: instances/{instance}/databases/{database}/schema

GetSchemaStringRequest

The name of the database. Format: instances/{instance}/databases/{database}

It's empty for DATABASE.

It's empty for DATABASE and SCHEMA.

If use the metadata to generate the schema string, the type is OBJECT_TYPE_UNSPECIFIED. Also the schema and object are empty.

GetSchemaStringResponse

GridLevel

GridLevel defines a tessellation grid level with its density.

Grid level number (1-4 for SQL Server)

Grid density (LOW, MEDIUM, HIGH)

IndexMetadata

IndexMetadata is the metadata for indexes.

The name is the name of an index.

The expressions are the ordered columns or expressions of an index. This could refer to a column or an expression.

The key_lengths are the ordered key lengths of an index. If the key length is not specified, it's -1.

The descending is the ordered descending of an index.

The type is the type of an index.

The unique is whether the index is unique.

The primary is whether the index is a primary key index.

The visible is whether the index is visible.

The comment is the comment of an index.

The definition of an index.

The schema name of the parent index.

The index name of the parent index.

| | granularity | int64 | |

The number of granules in the block. It's a ClickHouse specific field.

It's a PostgreSQL specific field. The unique constraint and unique index are not the same thing in PostgreSQL.

Spatial index configuration for spatial databases like SQL Server, PostgreSQL with PostGIS, etc.

https://www.postgresql.org/docs/current/catalog-pg-opclass.html Name of the operator class for each column. (PostgreSQL specific).

True if the operator class is the default. (PostgreSQL specific).

ListChangelogsRequest

The parent of the changelogs. Format: instances/{instance}/databases/{database}

| | page_size | int32 | |

The maximum number of changelogs to return. The service may return fewer than this value. If unspecified, at most 10 changelogs will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from the previous call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided must match the call that provided the page token.

Filter is used to filter changelogs returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filter: - status: the changelog status, support "==" operation. check Changelog.Status for available values. - create_time: the changelog create time in "2006-01-02T15:04:05Z07:00" format, support ">=" or "<=" operator. Example: status == "DONE" status == "FAILED" && type == "SDL" create_time >= "2024-01-01T00:00:00Z" && create_time <= "2024-01-02T00:00:00Z"

ListChangelogsResponse

The list of changelogs.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

ListDatabasesRequest

projects/{project}: list databases in a project, require "bb.projects.get" permission. - workspaces/{id}: list databases in the workspace, require "bb.databases.list" permission. - instances/{instances}: list databases in a instance, require "bb.instances.get" permission

| | page_size | int32 | |

The maximum number of databases to return. The service may return fewer than this value. If unspecified, at most 10 databases will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListDatabases call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListDatabases must match the call that provided the page token.

Filter is used to filter databases returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filter: - environment: the environment full name in "environments/{id}" format, support "==" operator. - name: the database name, support ".contains()" operator. - project: the project full name in "projects/{id}" format, support "==" operator. - instance: the instance full name in "instances/{id}" format, support "==" operator. - engine: the database engine, check Engine enum for values. Support "==", "in [xx]", "!(in [xx])" operator. - exclude_unassigned: should be "true" or "false", will not show unassigned databases if it's true, support "==" operator. - table: filter by the database table, support "==" and ".contains()" operator. - labels.{key}: the database label, support "==" and "in" operators. For example: environment == "environments/{environment resource id}" environment == "" (find databases which environment is not set) project == "projects/{project resource id}" instance == "instances/{instance resource id}" name.contains("database name") engine == "MYSQL" engine in ["MYSQL", "POSTGRES"] !(engine in ["MYSQL", "POSTGRES"]) exclude_unassigned == true table == "sample" table.contains("sam") labels.environment == "production" labels.region == "asia" labels.region in ["asia", "europe"] You can combine filter conditions like: environment == "environments/prod" && name.contains("employee")

Show deleted database if specified.

The order by of databases. Support name, project, instance. The default sorting order is ascending. For example: - order_by = "name" - order by name ascending - order_by = "name desc" - order_by = "name desc, project asc"

ListDatabasesResponse

The databases from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

MaterializedViewMetadata

MaterializedViewMetadata is the metadata for materialized views.

The name is the name of a materialized view.

The definition is the definition of a materialized view.

The comment is the comment of a materialized view.

The dependency_columns is the list of dependency columns of a materialized view.

The columns is the ordered list of columns in a table.

The indexes is the list of indexes in a table.

PackageMetadata

PackageMetadata is the metadata for packages.

The name is the name of a package.

The definition is the definition of a package.

ProcedureMetadata

ProcedureMetadata is the metadata for procedures.

The name is the name of a procedure.

The definition is the definition of a procedure.

The signature is the name with the number and type of input arguments the procedure takes.

MySQL specific metadata.

The comment is the comment of a procedure.

SchemaMetadata

SchemaMetadata is the metadata for schemas.

This is the concept of schema in Postgres, but it's a no-op for MySQL.

The name is the schema name. It is an empty string for databases without such concept such as MySQL.

The tables is the list of tables in a schema.

The external_tables is the list of external tables in a schema.

The views is the list of views in a schema.

The functions is the list of functions in a schema.

The procedures is the list of procedures in a schema.

The streams is the list of streams in a schema, currently, only used for Snowflake.

The routines is the list of routines in a schema, currently, only used for Snowflake.

The materialized_views is the list of materialized views in a schema.

The packages is the list of packages in a schema.

The owner of the schema.

The sequences is the list of sequences in a schema, sorted by name.

The events is the list of scheduled events in a schema.

The enum_types is the list of user-defined enum types in a schema.

Whether to skip this schema during schema dump operations.

The comment is the comment of a schema.

SequenceMetadata

The name of a sequence.

The data type of a sequence.

The start value of a sequence.

The minimum value of a sequence.

The maximum value of a sequence.

Increment value of a sequence.

Cycle is whether the sequence cycles.

Cache size of a sequence.

Last value of a sequence.

The owner table of the sequence.

The owner column of the sequence.

The comment describing the sequence.

Whether to skip this sequence during schema dump operations.

SpatialIndexConfig

SpatialIndexConfig defines the spatial index configuration for spatial databases.

Spatial indexing method (e.g., "SPATIAL", "R-TREE", "GIST")

Tessellation configuration for grid-based spatial indexes

Storage and performance configuration

Dimensional configuration

StorageConfig

StorageConfig defines storage and performance parameters for spatial indexes.

Fill factor percentage (1-100)

Buffering mode for PostgreSQL (auto, on, off)

Tablespace configuration for Oracle

| | sdo_level | int32 | |

| | commit_interval | int32 | |

SQL Server specific parameters

ON, OFF

| | maxdop | int32 | |

NONE, ROW, PAGE

StreamMetadata

The name is the name of a stream.

The table_name is the name of the table/view that the stream is created on.

The owner of the stream.

The comment of the stream.

The type of the stream.

Indicates whether the stream was last read before the stale_after time.

The mode of the stream.

The definition of the stream.

SyncDatabaseRequest

The name of the database to sync. Format: instances/{instance}/databases/{database}

SyncDatabaseResponse

TableMetadata

TableMetadata is the metadata for tables.

The name is the name of a table.

The columns is the ordered list of columns in a table.

The indexes is the list of indexes in a table.

The engine is the engine of a table.

The collation is the collation of a table.

The character set of table.

| | row_count | int64 | |

The row_count is the estimated number of rows of a table.

| | data_size | int64 | |

The data_size is the estimated data size of a table.

| | index_size | int64 | |

The index_size is the estimated index size of a table.

| | data_free | int64 | |

The data_free is the estimated free data size of a table.

The create_options is the create option of a table.

The comment is the comment of a table.

The foreign_keys is the list of foreign keys in a table.

The partitions is the list of partitions in a table.

The check_constraints is the list of check constraints in a table.

The owner of the table.

The sorting_keys is a tuple of column names or arbitrary expressions. ClickHouse specific field. Reference: https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/mergetree#order\_by

The triggers is the list of triggers associated with the table.

Whether to skip this table during schema dump operations.

https://docs.pingcap.com/tidb/stable/information-schema-tables/

https://docs.pingcap.com/tidb/stable/clustered-indexes/#clustered-indexes CLUSTERED or NONCLUSTERED.

TablePartitionMetadata

TablePartitionMetadata is the metadata for table partitions.

The name is the name of a table partition.

The type of a table partition.

The expression is the expression of a table partition. For PostgreSQL, the expression is the text of {FOR VALUES partition_bound_spec}, see https://www.postgresql.org/docs/current/sql-createtable.html. For MySQL, the expression is the expr or column_list of the following syntax. PARTITION BY { [LINEAR] HASH(expr) | [LINEAR] KEY [ALGORITHM={1 | 2}] (column_list) | RANGE{(expr) | COLUMNS(column_list)} | LIST{(expr) | COLUMNS(column_list)} }.

The value is the value of a table partition. For MySQL, the value is for RANGE and LIST partition types, - For a RANGE partition, it contains the value set in the partition's VALUES LESS THAN clause, which can be either an integer or MAXVALUE. - For a LIST partition, this column contains the values defined in the partition's VALUES IN clause, which is a list of comma-separated integer values. - For others, it's an empty string.

The use_default is whether the users use the default partition, it stores the different value for different database engines. For MySQL, it's [INT] type, 0 means not use default partition, otherwise, it's equals to number in syntax [SUB]PARTITION {number}.

The subpartitions is the list of subpartitions in a table partition.

TaskMetadata

The name is the name of a task.

| | id | string | |

The id is the snowflake-generated id of a task. Example: 01ad32a0-1bb6-5e93-0000-000000000001

The owner of the task.

The comment of the task.

The warehouse of the task.

The schedule interval of the task.

The predecessor tasks of the task.

The state of the task.

The condition of the task.

The definition of the task.

TessellationConfig

TessellationConfig defines tessellation parameters for spatial indexes.

Tessellation scheme (e.g., "GEOMETRY_GRID", "GEOGRAPHY_GRID", "GEOMETRY_AUTO_GRID")

Grid levels and densities for multi-level tessellation

| | cells_per_object | int32 | |

Number of cells per object (1-8192 for SQL Server)

Bounding box for GEOMETRY tessellation (not used for GEOGRAPHY)

TriggerMetadata

The name is the name of the trigger.

The event is the event of the trigger, such as INSERT, UPDATE, DELETE, TRUNCATE.

The timing is the timing of the trigger, such as BEFORE, AFTER.

The body is the body of the trigger.

The SQL mode setting for the trigger.

The character set used by the client creating the trigger.

The collation used for the connection when creating the trigger.

The comment describing the trigger.

Whether to skip this trigger during schema dump operations.

UpdateDatabaseRequest

The database to update. The database's name field is used to identify the database to update. Format: instances/{instance}/databases/{database}

The list of fields to update.

If set to true, and the database is not found, a new database will be created. In this situation, update_mask is ignored.

ViewMetadata

ViewMetadata is the metadata for views.

The name is the name of a view.

The definition is the definition of a view.

The comment is the comment of a view.

The dependency_columns is the list of dependency columns of a view.

The columns is the ordered list of columns in a table.

The triggers is the list of triggers in a view.

Changelog.Status

| | PENDING | 1 |

| | DONE | 2 |

| | FAILED | 3 |

ChangelogView

The default / unset value. The API will default to the BASIC view.

| | CHANGELOG_VIEW_BASIC | 1 |

| | CHANGELOG_VIEW_FULL | 2 |

ColumnMetadata.IdentityGeneration

| | ALWAYS | 1 |

| | BY_DEFAULT | 2 |

GenerationMetadata.Type

| | VIRTUAL | 1 |

| | STORED | 2 |

GetDatabaseSDLSchemaRequest.SDLFormat

SDLFormat specifies the output format for SDL schema.

Unspecified format. Defaults to SINGLE_FILE.

| | SINGLE_FILE | 1 |

Single file format: returns the complete SDL schema as a single file.

| | MULTI_FILE | 2 |

Multi-file format: returns the SDL schema as a ZIP archive containing multiple files organized by schema objects (tables, views, functions, etc.).

GetSchemaStringRequest.ObjectType

| | DATABASE | 1 |

| | SCHEMA | 2 |

| | TABLE | 3 |

| | VIEW | 4 |

| | MATERIALIZED_VIEW | 5 |

| | FUNCTION | 6 |

| | PROCEDURE | 7 |

| | SEQUENCE | 8 |

StreamMetadata.Mode

| | DEFAULT | 1 |

| | APPEND_ONLY | 2 |

| | INSERT_ONLY | 3 |

StreamMetadata.Type

| | DELTA | 1 |

SyncStatus

SyncStatus is the status of the database sync operation.

| | OK | 1 |

The database was synced successfully.

| | FAILED | 2 |

The database sync failed.

TablePartitionMetadata.Type

Type is the type of a table partition, some database engines may not

support all types. Only avilable for the following database engines now:

MySQL: RANGE, RANGE COLUMNS, LIST, LIST COLUMNS, HASH, LINEAR HASH, KEY,

LINEAR_KEY

(https://dev.mysql.com/doc/refman/8.0/en/partitioning-types.html) TiDB:

RANGE, RANGE COLUMNS, LIST, LIST COLUMNS, HASH, KEY PostgreSQL: RANGE,

LIST, HASH (https://www.postgresql.org/docs/current/ddl-partitioning.html)

| | RANGE | 1 |

| | RANGE_COLUMNS | 2 |

| | LIST | 3 |

| | LIST_COLUMNS | 4 |

| | HASH | 5 |

| | LINEAR_HASH | 6 |

| | KEY | 7 |

| | LINEAR_KEY | 8 |

TaskMetadata.State

| | STARTED | 1 |

| | SUSPENDED | 2 |

DatabaseService

DatabaseService manages databases and their schemas.

Retrieves a database by name. Permissions required: bb.databases.get

Retrieves multiple databases by their names. Permissions required: bb.databases.get

Lists databases in a project, instance, or workspace. Permissions required: bb.projects.get (for project parent), bb.databases.list (for workspace parent), or bb.instances.get (for instance parent)

Updates database properties such as labels and project assignment. Permissions required: bb.databases.update

Updates multiple databases in a single batch operation. Permissions required: bb.databases.update

Synchronizes database schema from the instance. Permissions required: bb.databases.sync

Synchronizes multiple databases in a single batch operation. Permissions required: bb.databases.sync

Retrieves database metadata including tables, columns, and indexes. Permissions required: bb.databases.getSchema

Retrieves database schema as DDL statements. Permissions required: bb.databases.getSchema

Retrieves database schema in SDL (Schema Definition Language) format. Permissions required: bb.databases.getSchema

Compares and generates migration statements between two schemas. Permissions required: bb.databases.get

Lists migration history for a database. Permissions required: bb.changelogs.list

Retrieves a specific changelog entry. Permissions required: bb.changelogs.get

Generates schema DDL for a database object. Permissions required: bb.databases.getSchema

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetDatabase | GET | /v1/{name=instances/*/databases/*} | | | BatchGetDatabases | GET | /v1/{parent=projects/*}/databases:batchGet | | | BatchGetDatabases | GET | /v1/{parent=instances/*}/databases:batchGet | | | ListDatabases | GET | /v1/{parent=projects/*}/databases | | | ListDatabases | GET | /v1/{parent=instances/*}/databases | | | ListDatabases | GET | /v1/{parent=workspaces/*}/databases | | | UpdateDatabase | PATCH | /v1/{database.name=instances/*/databases/*} | database | | BatchUpdateDatabases | POST | /v1/{parent=instances/*}/databases:batchUpdate | * | | SyncDatabase | POST | /v1/{name=instances/*/databases/*}:sync | * | | BatchSyncDatabases | POST | /v1/{parent=instances/*}/databases:batchSync | * | | GetDatabaseMetadata | GET | /v1/{name=instances/*/databases/*/metadata} | | | GetDatabaseSchema | GET | /v1/{name=instances/*/databases/*/schema} | | | GetDatabaseSDLSchema | GET | /v1/{name=instances/*/databases/*/sdlSchema} | | | DiffSchema | POST | /v1/{name=instances/*/databases/*}:diffSchema | * | | DiffSchema | POST | /v1/{name=instances/*/databases/*/changelogs/*}:diffSchema | * | | ListChangelogs | GET | /v1/{parent=instances/*/databases/*}/changelogs | | | GetChangelog | GET | /v1/{name=instances/*/databases/*/changelogs/*} | | | GetSchemaString | GET | /v1/{name=instances/*/databases/*/schemaString} | |

v1/group_service.proto

Top

BatchGetGroupsRequest

Request message for batch getting groups.

The group names to retrieve. Format: groups/{email}

BatchGetGroupsResponse

Response message for batch getting groups.

The groups from the specified request.

CreateGroupRequest

Request message for creating a group.

The group to create.

The email to use for the group, which will become the final component of the group's resource name.

DeleteGroupRequest

Request message for deleting a group.

The name of the group to delete. Format: groups/{email}

GetGroupRequest

Request message for getting a group.

The name of the group to retrieve. Format: groups/{email}

Group

A group of users within the workspace.

The name of the group to retrieve. Format: groups/{group}, the group should be email or uuid.

The display title of the group.

The description of the group.

The members of the group.

The source system where the group originated (e.g., Entra ID for SCIM sync).

The unique email for the group.

GroupMember

A member of a group with a role.

Member is the principal who belong to this group. Format: users/[email protected]

The member's role in the group.

ListGroupsRequest

Request message for listing groups.

The maximum number of groups to return. The service may return fewer than this value. If unspecified, at most 10 groups will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListGroups call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListGroups must match the call that provided the page token.

Filter is used to filter groups returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filter: - title: the group title, support "==" and ".contains()" operator. - email: the group email, support "==" and ".contains()" operator. - project: the project full name in "projects/{id}" format, support "==" operator. For example: title == "dba" email == "[email protected]" title.contains("dba") email.contains("dba") project == "projects/sample-project" You can combine filter conditions like: title.contains("dba") || email.contains("dba")

ListGroupsResponse

Response message for listing groups.

The groups from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

UpdateGroupRequest

Request message for updating a group.

The group to update. The group's name field is used to identify the group to update. Format: groups/{email}

The list of fields to update.

If set to true, and the group is not found, a new group will be created. In this situation, update_mask is ignored.

GroupMember.Role

The role of a group member.

Unspecified role.

| | OWNER | 1 |

Group owner.

| | MEMBER | 2 |

Group member.

GroupService

GroupService manages user groups for organizing users and permissions.

Gets a group by name. Group members or users with bb.groups.get permission can get the group. Permissions required: bb.groups.get OR caller is the group member

Gets multiple groups in a single request. Group members or users with bb.groups.get permission can get the group. Permissions required: bb.groups.get OR caller is the group member

Lists all groups in the workspace. Permissions required: bb.groups.list

Creates a new group. Permissions required: bb.groups.create

Updates a group. Group owners or users with bb.groups.update permission can update. Permissions required: bb.groups.update OR caller is group owner When allow_missing=true, also requires: bb.groups.create

Deletes a group. Group owners or users with bb.groups.delete permission can delete. Permissions required: bb.groups.delete OR caller is group owner

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetGroup | GET | /v1/{name=groups/*} | | | BatchGetGroups | GET | /v1/groups:batchGet | | | ListGroups | GET | /v1/groups | | | CreateGroup | POST | /v1/groups | group | | UpdateGroup | PATCH | /v1/{group.name=groups/*} | group | | DeleteGroup | DELETE | /v1/{name=groups/*} | |

v1/idp_service.proto

Top

CreateIdentityProviderRequest

The identity provider to create.

The ID to use for the identity provider, which will become the final component of the identity provider's resource name. This value should be 4-63 characters, and valid characters are /[a-z][0-9]-/.

If set to true, the request will be validated without actually creating the identity provider.

DeleteIdentityProviderRequest

The name of the identity provider to delete. Format: idps/{identity_provider}

FieldMapping

FieldMapping saves the field names from user info API of identity provider.

As we save all raw json string of user info response data into principal.idp_user_info,

we can extract the relevant data based with FieldMapping.

Identifier is the field name of the unique identifier in 3rd-party idp user info. Required.

DisplayName is the field name of display name in 3rd-party idp user info. Optional.

Phone is the field name of primary phone in 3rd-party idp user info. Optional.

Groups is the field name of groups in 3rd-party idp user info. Optional. Mainly used for OIDC: https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/

GetIdentityProviderRequest

The name of the identity provider to retrieve. Format: idps/{idp}

IdentityProvider

The name of the identity provider. Format: idps/{idp}

The display title of the identity provider.

The domain for email matching when using this identity provider.

The type of identity provider protocol.

The configuration details for the identity provider.

IdentityProviderConfig

OAuth2 protocol configuration.

OIDC protocol configuration.

LDAP protocol configuration.

LDAPIdentityProviderConfig

LDAPIdentityProviderConfig is the structure for LDAP identity provider config.

Host is the hostname or IP address of the LDAP server, e.g., "ldap.example.com".

| | port | int32 | |

Port is the port number of the LDAP server, e.g., 389. When not set, the default port of the corresponding security protocol will be used, i.e. 389 for StartTLS and 636 for LDAPS.

SkipTLSVerify controls whether to skip TLS certificate verification.

BindDN is the DN of the user to bind as a service account to perform search requests.

BindPassword is the password of the user to bind as a service account.

BaseDN is the base DN to search for users, e.g., "ou=users,dc=example,dc=com".

UserFilter is the filter to search for users, e.g., "(uid=%s)".

SecurityProtocol is the security protocol to be used for establishing connections with the LDAP server.

FieldMapping is the mapping of the user attributes returned by the LDAP server.

ListIdentityProvidersRequest

The parent workspace whose identity providers should be listed. Format: workspaces/{workspace} When unset, the workspace is resolved from the request context.

ListIdentityProvidersResponse

The identity providers from the specified request.

OAuth2IdentityProviderConfig

OAuth2IdentityProviderConfig is the structure for OAuth2 identity provider config.

The authorization endpoint URL for OAuth2 flow.

The token endpoint URL for exchanging authorization code.

The user information endpoint URL.

The OAuth2 client identifier.

The OAuth2 client secret for authentication.

The list of OAuth2 scopes to request.

Mapping configuration for user attributes from OAuth2 response.

Whether to skip TLS certificate verification.

The authentication style for client credentials.

OAuth2IdentityProviderTestRequestContext

Authorize code from website.

OIDCIdentityProviderConfig

OIDCIdentityProviderConfig is the structure for OIDC identity provider config.

The OIDC issuer URL for the identity provider.

The OIDC client identifier.

The OIDC client secret for authentication.

The scopes that the OIDC provider supports. Should be fetched from the well-known configuration file of the OIDC provider.

Mapping configuration for user attributes from OIDC claims.

Whether to skip TLS certificate verification.

The authentication style for client credentials.

The authorization endpoint of the OIDC provider. Should be fetched from the well-known configuration file of the OIDC provider.

OIDCIdentityProviderTestRequestContext

Authorize code from OIDC provider.

TestIdentityProviderRequest

The identity provider to test connection including uncreated.

OIDC authentication context for test connection.

TestIdentityProviderResponse

The map of claims returned by the identity provider.

The matched user info from the claims.

TestIdentityProviderResponse.ClaimsEntry

TestIdentityProviderResponse.UserInfoEntry

UpdateIdentityProviderRequest

The identity provider to update. The identity provider's name field is used to identify the identity provider to update. Format: idps/{identity_provider}

The list of fields to update.

If set to true, and the identity provider is not found, a new identity provider will be created. In this situation, update_mask is ignored.

IdentityProviderType

Unspecified identity provider type.

| | OAUTH2 | 1 |

OAuth 2.0 authentication protocol.

| | OIDC | 2 |

OpenID Connect authentication protocol.

| | LDAP | 3 |

LDAP directory service authentication.

LDAPIdentityProviderConfig.SecurityProtocol

| | START_TLS | 1 |

StartTLS is the security protocol that starts with an unencrypted connection and then upgrades to TLS.

| | LDAPS | 2 |

LDAPS is the security protocol that uses TLS from the beginning.

OAuth2AuthStyle

| | IN_PARAMS | 1 |

IN_PARAMS sends the "client_id" and "client_secret" in the POST body as application/x-www-form-urlencoded parameters.

| | IN_HEADER | 2 |

IN_HEADER sends the client_id and client_password using HTTP Basic Authorization. This is an optional style described in the OAuth2 RFC 6749 section 2.3.1.

IdentityProviderService

IdentityProviderService manages external identity providers for SSO authentication.

Gets an identity provider by name. Permissions required: bb.identityProviders.get

Lists all configured identity providers (public endpoint for login page). Permissions required: None

Creates a new identity provider. Permissions required: bb.identityProviders.create

Updates an identity provider. Permissions required: bb.identityProviders.update When allow_missing=true, also requires: bb.identityProviders.create

Deletes an identity provider. Permissions required: bb.identityProviders.delete

Tests the connection and configuration of an identity provider. Permissions required: bb.identityProviders.update

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetIdentityProvider | GET | /v1/{name=idps/*} | | | ListIdentityProviders | GET | /v1/idps | | | ListIdentityProviders | GET | /v1/{parent=workspaces/*}/idps | | | CreateIdentityProvider | POST | /v1/idps | identity_provider | | UpdateIdentityProvider | PATCH | /v1/{identity_provider.name=idps/*} | identity_provider | | DeleteIdentityProvider | DELETE | /v1/{name=idps/*} | | | TestIdentityProvider | POST | /v1/idps/*:test | * |

v1/org_policy_service.proto

Top

CreatePolicyRequest

The parent resource where this instance will be created. Workspace resource name: workspaces/{workspace-id}. Environment resource name: environments/environment-id. Instance resource name: instances/instance-id. Database resource name: instances/instance-id/databases/database-name.

The policy to create.

The type of policy to create.

DeletePolicyRequest

The policy's name field is used to identify the instance to update. Format: {resource name}/policies/{policy type} Workspace resource name: workspaces/{workspace-id}. Environment resource name: environments/environment-id. Instance resource name: instances/instance-id. Database resource name: instances/instance-id/databases/database-name.

GetPolicyRequest

The name of the policy to retrieve. Format: {resource type}/{resource id}/policies/{policy type}

ListPoliciesRequest

The parent, which owns this collection of policies. Format: {resource type}/{resource id}

Filter by specific policy type.

Show deleted policies if specified.

ListPoliciesResponse

The policies from the specified request.

MaskingExemptionPolicy

MaskingExemptionPolicy is the allowlist of users who can access sensitive data.

MaskingExemptionPolicy.Exemption

Specifies the principals who are exempt from masking. For users, the member should be: user:{email} For groups, the member should be: group:{email} For service accounts, the member should be: serviceAccount:{email} For workload identities, the member should be: workloadIdentity:{email}

The condition that is associated with this exception policy instance. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec If the condition is empty, means the user can access all databases without expiration. Support variables: resource.instance_id: the instance resource id. Only support "==" operation. resource.database_name: the database name. Only support "==" operation. resource.schema_name: the schema name. Only support "==" operation. resource.table_name: the table name. Only support "==" operation. resource.column_name: the column name. Only support "==" operation. request.time: the expiration. Only support "<" operation in request.time \< timestamp("{ISO datetime string format}") All variables should join with "&&" condition. For example: resource.instance_id == "local" && resource.database_name == "employee" && request.time < timestamp("2025-04-30T11:10:39.000Z") resource.instance_id == "local" && resource.database_name == "employee"

MaskingRulePolicy

Policy for configuring data masking rules.

The list of masking rules.

MaskingRulePolicy.MaskingRule

A rule that defines when and how to mask data.

A unique identifier for the rule in UUID format.

The condition for the masking rule. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Support variables: resource.environment_id: the environment resource id. resource.project_id: the project resource id. resource.instance_id: the instance resource id. resource.database_name: the database name. resource.table_name: the table name. resource.column_name: the column name. resource.classification_level: the classification level (integer). Each variable support following operations: ==: the value equals the target. !=: the value not equals the target. in: the value matches one of the targets. !(in): the value not matches any of the targets. <, <=, >, >=: numeric comparison (classification_level only). For example: resource.environment_id == "test" && resource.project_id == "sample-project" resource.instance_id == "sample-instance" && resource.database_name == "employee" && resource.table_name in ["table1", "table2"] resource.environment_id != "test" || !(resource.project_id in ["poject1", "prject2"]) resource.instance_id == "sample-instance" && (resource.database_name == "db1" || resource.database_name == "db2")

The semantic type of data to mask (e.g., "SSN", "EMAIL").

Policy

The name of the policy. Format: {resource name}/policies/{policy type} Workspace resource name: workspaces/{workspace-id}. Environment resource name: environments/environment-id. Instance resource name: instances/instance-id. Database resource name: instances/instance-id/databases/database-name.

Whether this policy inherits from its parent resource.

The type of policy.

Whether the policy is enforced.

The resource type for the policy.

QueryDataPolicy

QueryDataPolicy is the policy configuration for querying data in the SQL Editor.

Support both project-level and workspace-level. The maximum number of rows to return in the SQL editor. The default value <= 0, means no limit.

workspace-level policy Disable data export in the SQL editor.

workspace-level policy Disable copying query results in the SQL editor.

workspace-level policy Allow using the admin data source to query in the SQL editor. If true, users can select the admin data source or read-only data source If false, 1. when read-only data source is configured, users're force to use the read-only data source 2. otherwise fallback to use the admin data source.

RolloutPolicy

Rollout policy configuration.

Whether rollout is automatic without manual approval.

The roles that can approve rollout execution.

TagPolicy

Policy for tagging resources with metadata.

tags is the key - value map for resources. for example, the environment resource can have the sql review config tag, like "bb.tag.review_config": "reviewConfigs/{review config resource id}"

TagPolicy.TagsEntry

UpdatePolicyRequest

The policy to update. The policy's name field is used to identify the instance to update. Format: {resource name}/policies/{policy type} Workspace resource name: workspaces/{workspace-id}. Environment resource name: environments/environment-id. Instance resource name: instances/instance-id. Database resource name: instances/instance-id/databases/database-name.

The list of fields to update.

If set to true, and the policy is not found, a new policy will be created. In this situation, update_mask is ignored.

PolicyResourceType

The resource type that a policy can be attached to.

Unspecified resource type.

| | WORKSPACE | 1 |

Workspace-level policy.

| | ENVIRONMENT | 2 |

Environment-level policy.

| | PROJECT | 3 |

Project-level policy.

PolicyType

The type of organizational policy.

Unspecified policy type.

| | MASKING_RULE | 1 |

Data masking rule policy.

| | MASKING_EXEMPTION | 2 |

Data masking exemption policy.

| | ROLLOUT_POLICY | 3 |

Rollout deployment policy.

| | TAG | 4 |

Resource tag policy.

| | DATA_QUERY | 6 |

Query data access policy.

OrgPolicyService

OrgPolicyService manages organizational policies at various resource levels.

Retrieves a policy by name. Permissions required: bb.policies.get

Lists policies at a specified resource level. Permissions required: bb.policies.list

Creates a new organizational policy. Permissions required: bb.policies.create

Updates an existing organizational policy. Permissions required: bb.policies.update

Deletes an organizational policy. Permissions required: bb.policies.delete

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetPolicy | GET | /v1/{name=workspaces/*/policies/*} | | | GetPolicy | GET | /v1/{name=projects/*/policies/*} | | | GetPolicy | GET | /v1/{name=environments/*/policies/*} | | | GetPolicy | GET | /v1/{name=instances/*/policies/*} | | | GetPolicy | GET | /v1/{name=instances/*/databases/*/policies/*} | | | ListPolicies | GET | /v1/{parent=workspaces/*}/policies | | | ListPolicies | GET | /v1/{parent=projects/*}/policies | | | ListPolicies | GET | /v1/{parent=environments/*}/policies | | | ListPolicies | GET | /v1/{parent=instances/*}/policies | | | ListPolicies | GET | /v1/{parent=instances/*/databases/*}/policies | | | CreatePolicy | POST | /v1/{parent=workspaces/*}/policies | policy | | CreatePolicy | POST | /v1/{parent=projects/*}/policies | policy | | CreatePolicy | POST | /v1/{parent=environments/*}/policies | policy | | CreatePolicy | POST | /v1/{parent=instances/*}/policies | policy | | CreatePolicy | POST | /v1/{parent=instances/*/databases/*}/policies | policy | | UpdatePolicy | PATCH | /v1/{policy.name=workspaces/*/policies/*} | policy | | UpdatePolicy | PATCH | /v1/{policy.name=projects/*/policies/*} | policy | | UpdatePolicy | PATCH | /v1/{policy.name=environments/*/policies/*} | policy | | UpdatePolicy | PATCH | /v1/{policy.name=instances/*/policies/*} | policy | | UpdatePolicy | PATCH | /v1/{policy.name=instances/*/databases/*/policies/*} | policy | | DeletePolicy | DELETE | /v1/{name=workspaces/*/policies/*} | | | DeletePolicy | DELETE | /v1/{name=projects/*/policies/*} | | | DeletePolicy | DELETE | /v1/{name=environments/*/policies/*} | | | DeletePolicy | DELETE | /v1/{name=instances/*/policies/*} | | | DeletePolicy | DELETE | /v1/{name=instances/*/databases/*/policies/*} | |

v1/rollout_service.proto

Top

BatchCancelTaskRunsRequest

The task name for the taskRuns. Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task} Use projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/- to cancel task runs under the same stage.

The taskRuns to cancel. Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}/taskRuns/{taskRun}

BatchCancelTaskRunsResponse

BatchRunTasksRequest

The stage name for the tasks. Format: projects/{project}/plans/{plan}/rollout/stages/{stage}

The tasks to run. Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}

The task run should run after run_time.

If true, skip prior backup for this run even if the task has prior backup enabled.

BatchRunTasksResponse

BatchSkipTasksRequest

The stage name for the tasks. Format: projects/{project}/plans/{plan}/rollout/stages/{stage}

The tasks to skip. Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}

The reason for skipping the tasks.

BatchSkipTasksResponse

CreateRolloutRequest

The parent plan for which this rollout will be created. Format: projects/{project}/plans/{plan}

Create the rollout only for the specified target. Format: environments/{environment} If unspecified, all stages are created. If set to "", no stages are created.

GetRolloutRequest

The name of the rollout to retrieve. This is the rollout resource name, which is the plan name plus /rollout suffix. Format: projects/{project}/plans/{plan}/rollout

GetTaskRunLogRequest

Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}/taskRuns/{taskRun}

GetTaskRunRequest

Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}/taskRuns/{taskRun}

GetTaskRunSessionRequest

Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}/taskRuns/{taskRun}

ListRolloutsRequest

The parent, which owns this collection of rollouts. Format: projects/{project} Use "projects/-" to list all rollouts from all projects.

| | page_size | int32 | |

The maximum number of rollouts to return. The service may return fewer than this value. If unspecified, at most 10 rollouts will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListRollouts call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListRollouts must match the call that provided the page token.

Filter is used to filter rollouts returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filters: - update_time: rollout update time in "2006-01-02T15:04:05Z07:00" format, support ">=" or "<=" operator. - task_type: the task type, support "in" operator, check the Task.Type enum for the values. For example: update_time >= "2025-01-02T15:04:05Z07:00" task_type in ["DATABASE_MIGRATE", "DATABASE_EXPORT"]

ListRolloutsResponse

The rollouts from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

ListTaskRunsRequest

The parent, which owns this collection of taskRuns. Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task} Use "projects/{project}/plans/{plan}/rollout/stages/-/tasks/-" to list all taskRuns from a rollout.

ListTaskRunsResponse

The taskRuns from the specified request.

PreviewTaskRunRollbackRequest

Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}/taskRuns/{taskRun}

PreviewTaskRunRollbackResponse

The rollback SQL statement that would undo the task run.

Rollout

The resource name of the rollout. Format: projects/{project}/plans/{plan}/rollout

The title of the rollout, inherited from the associated plan. This field is output only and cannot be directly set.

Stages and thus tasks of the rollout.

Stage

Format: projects/{project}/plans/{plan}/rollout/stages/{stage} Use "-" for {stage} when the stage has no environment or deleted environment.

| | id | string | |

id is the environment id of the stage. e.g., "prod". Use "-" when the stage has no environment or deleted environment.

environment is the environment of the stage. Format: environments/{environment} for valid environments, or "environments/-" for stages without environment or with deleted environments.

The tasks within this stage.

Task

Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}

A UUID4 string that uniquely identifies the Spec.

Status is the status of the task.

The reason why the task was skipped.

Format: instances/{instance} if the task is DatabaseCreate. Format: instances/{instance}/databases/{database}

The update_time is the update time of latest task run. If there are no task runs, it will be empty.

The run_time is the scheduled run time of latest task run. If there are no task runs or the task run is not scheduled, it will be empty.

Task.DatabaseCreate

Payload for creating a new database.

Format: projects/{project}/sheets/{sheet}

Task.DatabaseDataExport

Payload for exporting database data.

The resource name of the sheet. Format: projects/{project}/sheets/{sheet}

Task.DatabaseUpdate

Payload for updating a database schema.

Format: projects/{project}/sheets/{sheet}

Format: projects/{project}/releases/{release}

TaskRun

Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}/taskRuns/{taskRun}

Format: users/[email protected]

The current execution status of the task run.

Below are the results of a task run. Detailed information about the task run result.

The time when the task run started execution.

The export archive status for data export tasks.

Indicates whether a prior backup was created for this task run. When true, rollback SQL can be generated via PreviewTaskRunRollback. Backup details are available in the task run logs.

Scheduling information about the task run.

The task run should run after run_time. This can only be set when creating the task run calling BatchRunTasks.

TaskRun.SchedulerInfo

Information about task run scheduling.

The time when the scheduling info was reported.

The cause for the task run waiting.

TaskRun.SchedulerInfo.WaitingCause

Information about why a task run is waiting.

Waiting due to parallel tasks limit.

TaskRunLog

Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}/taskRuns/{taskRun}/log

The log entries for this task run.

TaskRunLogEntry

The type of this log entry.

The time when the log was recorded.

The replica ID for this log entry.

Schema dump details (if type is SCHEMA_DUMP).

Command execution details (if type is COMMAND_EXECUTE).

Database sync details (if type is DATABASE_SYNC).

Transaction control details (if type is TRANSACTION_CONTROL).

Prior backup details (if type is PRIOR_BACKUP).

Retry information details (if type is RETRY_INFO).

Compute diff details (if type is COMPUTE_DIFF).

Release file execution details (if type is RELEASE_FILE_EXECUTE).

TaskRunLogEntry.CommandExecute

Command execution details.

When the command was logged.

The byte offset range of the executed command in the sheet. Uses byte offsets (not character indices) for efficient slicing of sheet content bytes. Example: For "SELECT 你好;" in a UTF-8 sheet, range [0, 13) represents all 13 bytes.

The executed statement.

The response from executing the command.

TaskRunLogEntry.CommandExecute.CommandResponse

Command execution response.

When the response was logged.

Error message if command execution failed.

| | affected_rows | int64 | |

Total affected rows.

all_affected_rows is the affected rows of each command. all_affected_rows may be unavailable if the database driver doesn't support it. Caller should fallback to affected_rows in that case.

TaskRunLogEntry.ComputeDiff

Schema diff computation details.

When diff computation started.

When diff computation ended.

Error message if computation failed.

TaskRunLogEntry.DatabaseSync

Database synchronization details.

When the database sync started.

When the database sync ended.

Error message if sync failed.

TaskRunLogEntry.PriorBackup

Prior backup operation details.

When the backup started.

When the backup ended.

The backup details.

Error message if the backup failed.

TaskRunLogEntry.PriorBackup.PriorBackupDetail

Prior backup detail for rollback purposes.

The list of backed up tables.

TaskRunLogEntry.PriorBackup.PriorBackupDetail.Item

A single backup table mapping.

The original table information.

The target backup table information.

The start position in the SQL statement.

The end position in the SQL statement.

TaskRunLogEntry.PriorBackup.PriorBackupDetail.Item.Table

Table information.

The database information. Format: instances/{instance}/databases/{database}

The schema name.

The table name.

TaskRunLogEntry.ReleaseFileExecute

Release file execution details.

The version of the file being executed (e.g., "0001").

The file path within the release (e.g., "2.2/V0001_create_table.sql").

TaskRunLogEntry.RetryInfo

Retry information for failed operations.

The error that triggered the retry.

| | retry_count | int32 | |

Current retry attempt number.

| | maximum_retries | int32 | |

Maximum number of retries allowed.

TaskRunLogEntry.SchemaDump

Schema dump operation details.

When the schema dump started.

When the schema dump ended.

Error message if the schema dump failed.

TaskRunLogEntry.TransactionControl

Transaction control operation details.

The type of transaction control.

Error message if the operation failed.

TaskRunSession

Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}/taskRuns/{taskRun}/session

PostgreSQL session information.

TaskRunSession.Postgres

PostgreSQL session information.

session is the session of the task run executing commands.

blocking_sessions block session.

blocked_sessions are blocked by session.

TaskRunSession.Postgres.Session

PostgreSQL session information read from pg_stat_activity.

Process ID of the session.

PIDs of sessions blocking this session.

Current query being executed.

Session state (active, idle, etc.).

Wait event type if session is waiting.

Specific wait event if session is waiting.

Database name.

User name.

Application name.

Client IP address.

Client port number.

When the backend process started.

When the current transaction started.

When the current query started.

Task.Status

Unspecified status.

| | NOT_STARTED | 1 |

Task has not started and is awaiting its turn in the deployment sequence.

| | PENDING | 2 |

Task is ready to run and waiting for approval or scheduled time.

| | RUNNING | 3 |

Task is currently executing.

| | DONE | 4 |

Task completed successfully.

| | FAILED | 5 |

Task execution failed with errors.

| | CANCELED | 6 |

Task execution was canceled by a user.

| | SKIPPED | 7 |

Task was skipped and will not be executed.

Task.Type

Unspecified task type.

| | GENERAL | 1 |

General task for miscellaneous operations.

| | DATABASE_CREATE | 2 |

Database creation task that creates a new database. Use payload DatabaseCreate.

| | DATABASE_MIGRATE | 3 |

Database migration task that applies versioned schema changes. Use payload DatabaseUpdate.

| | DATABASE_EXPORT | 4 |

Database export task that exports query results or table data. Use payload DatabaseDataExport.

TaskRun.ExportArchiveStatus

Unspecified export archive status.

| | READY | 1 |

Export archive is ready for download.

| | EXPORTED | 2 |

Export archive has been downloaded by the user.

TaskRun.Status

Unspecified status.

| | PENDING | 1 |

Task run is queued and waiting to start execution.

| | RUNNING | 2 |

Task run is currently executing.

| | DONE | 3 |

Task run completed successfully.

| | FAILED | 4 |

Task run execution failed with errors.

| | CANCELED | 5 |

Task run execution was canceled by a user.

| | AVAILABLE | 6 |

Task run is ready for immediate execution.

TaskRunLogEntry.TransactionControl.Type

Transaction control type.

Unspecified type.

| | BEGIN | 1 |

Begin transaction.

| | COMMIT | 2 |

Commit transaction.

| | ROLLBACK | 3 |

Rollback transaction.

TaskRunLogEntry.Type

The type of log entry.

Unspecified type.

| | SCHEMA_DUMP | 1 |

Schema dump operation.

| | COMMAND_EXECUTE | 2 |

Command execution.

| | DATABASE_SYNC | 3 |

Database synchronization.

| | TRANSACTION_CONTROL | 5 |

Transaction control (BEGIN, COMMIT, ROLLBACK).

| | PRIOR_BACKUP | 6 |

Prior backup operation.

| | RETRY_INFO | 7 |

Retry information.

| | COMPUTE_DIFF | 8 |

Schema diff computation.

| | RELEASE_FILE_EXECUTE | 9 |

Release file execution.

RolloutService

RolloutService manages the execution of deployment plans.

Retrieves a rollout by its plan name. Permissions required: bb.rollouts.get

Lists rollouts in a project. Permissions required: bb.rollouts.list

Creates a new rollout for a plan. Permissions required: bb.rollouts.create (or issue creator for data export issues)

Lists task run executions for a task. Permissions required: bb.taskRuns.list

Retrieves a task run by name. Permissions required: bb.taskRuns.list

Retrieves execution logs for a task run. Permissions required: bb.taskRuns.list

Retrieves database session information for a running task. Permissions required: bb.taskRuns.list

Executes multiple tasks in a rollout stage. Permissions required: bb.taskRuns.create (or issue creator for data export issues, or user with rollout policy role for the environment)

Skips multiple tasks in a rollout stage. Permissions required: bb.taskRuns.create (or issue creator for data export issues, or user with rollout policy role for the environment)

Cancels multiple running task executions. Permissions required: bb.taskRuns.create (or issue creator for data export issues, or user with rollout policy role for the environment)

Generates rollback SQL for a completed task run. Permissions required: bb.taskRuns.list

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetRollout | GET | /v1/{name=projects/*/plans/*/rollout} | | | ListRollouts | GET | /v1/{parent=projects/*}/rollouts | | | CreateRollout | POST | /v1/{parent=projects/*/plans/*}/rollout | * | | ListTaskRuns | GET | /v1/{parent=projects/*/plans/*/rollout/stages/*/tasks/*}/taskRuns | | | GetTaskRun | GET | /v1/{name=projects/*/plans/*/rollout/stages/*/tasks/*/taskRuns/*} | | | GetTaskRunLog | GET | /v1/{parent=projects/*/plans/*/rollout/stages/*/tasks/*/taskRuns/*}/log | | | GetTaskRunSession | GET | /v1/{parent=projects/*/plans/*/rollout/stages/*/tasks/*/taskRuns/*}/session | | | BatchRunTasks | POST | /v1/{parent=projects/*/plans/*/rollout/stages/*}/tasks:batchRun | * | | BatchSkipTasks | POST | /v1/{parent=projects/*/plans/*/rollout/stages/*}/tasks:batchSkip | * | | BatchCancelTaskRuns | POST | /v1/{parent=projects/*/plans/*/rollout/stages/*/tasks/*}/taskRuns:batchCancel | * | | PreviewTaskRunRollback | POST | /v1/{name=projects/*/plans/*/rollout/stages/*/tasks/*/taskRuns/*}:previewRollback | * |

v1/sql_service.proto

Top

AICompletionRequest

AICompletionRequest.Message

AICompletionResponse

candidates is used for results with multiple choices and candidates. Used for OpenAI and Gemini.

AICompletionResponse.Candidate

AICompletionResponse.Candidate.Content

parts is used for a result content with multiple parts.

AICompletionResponse.Candidate.Content.Part

AdminExecuteRequest

The name is the instance name to execute the query against. Format: instances/{instance}/databases/{databaseName}

The SQL statement to execute.

| | limit | int32 | |

The maximum number of rows to return.

The default schema to execute the statement. Equals to the current schema in Oracle and search path in Postgres.

Container is the container name to execute the query against, used for CosmosDB only.

AdminExecuteResponse

The query results.

Advice

The advice level.

| | code | int32 | |

The advice code.

The advice title.

The advice content.

The start_position is inclusive and the end_position is exclusive. TODO: use range instead

The type of linting rule that generated this advice.

DiffMetadataRequest

The metadata of the source schema.

The metadata of the target schema.

The database engine of the schema.

DiffMetadataResponse

The diff of the metadata.

ExportRequest

The name is the resource name to execute the export against. Format: instances/{instance}/databases/{database} Format: instances/{instance} Format: projects/{project}/plans/{plan}/rollout Format: projects/{project}/plans/{plan}/rollout/stages/{stage}

The SQL statement to execute.

| | limit | int32 | |

The maximum number of rows to return.

The export format.

The admin is used for workspace owner and DBA for exporting data from SQL Editor Admin mode. The exported data is not masked.

The zip password provide by users.

The id of data source. If omitted, Export resolves the data source server-side by using the single read-only data source when exactly one exists, or the admin data source otherwise. It can also be set explicitly to export from the admin data source or a specific read-only data source.

The default schema to search objects. Equals to the current schema in Oracle and search path in Postgres.

ExportResponse

The export file content.

MaskingReason

The semantic type that triggered masking (e.g., "SSN", "email", "phone").

Human-readable semantic type title.

The masking rule ID that matched (if applicable).

The masking algorithm used.

Additional context (e.g., "Matched global rule: PII Protection").

| | classification_level | int32 | |

The classification level that triggered masking.

Icon associated with the semantic type (if any).

QueryHistory

The name for the query history. Format: projects/{project}/queryHistories/{id}

The database name to execute the query. Format: instances/{instance}/databases/{databaseName}

QueryOption

QueryRequest

The name is the instance name to execute the query against. Format: instances/{instance}/databases/{databaseName}

The SQL statement to execute.

| | limit | int32 | |

The maximum number of rows to return.

The id of data source. If omitted, Query resolves the data source server-side by using the single read-only data source when exactly one exists, or the admin data source otherwise. It can also be set explicitly to query the admin data source or a specific read-only data source.

Explain the statement.

The default schema to search objects. Equals to the current schema in Oracle and search path in Postgres.

Container is the container name to execute the query against, used for CosmosDB only.

QueryResponse

The query results.

QueryResult

Column names of the query result.

Column types of the query result. The types come from the Golang SQL driver.

Rows of the query result.

| | rows_count | int64 | |

The error message if the query failed.

The time it takes to execute the query.

The query statement for the result.

Informational or debug messages returned by the database engine during query execution. Examples include PostgreSQL's RAISE NOTICE, MSSQL's PRINT, or Oracle's DBMS_OUTPUT.PUT_LINE.

Masking reasons for each column (empty for non-masked columns).

QueryResult.CommandError

Permission denied with resource information or disallowed command_type.

Either resources or command_type is available.

Disallowed command_type.

QueryResult.Message

QueryResult.PostgresError

refer https://www.postgresql.org/docs/11/protocol-error-fields.html

for field description.

| | position | int32 | |

| | internal_position | int32 | |

| | line | int32 | |

QueryResult.SyntaxError

Syntax error with position information for editor highlighting

Position information for highlighting in editor

QueryRow

Row values of the query result.

RowValue

| | int32_value | int32 | |

| | int64_value | int64 | |

value_value is used for Spanner and TUPLE ARRAY MAP in Clickhouse only.

timestamp_value is used for the timestamp without time zone data type, meaning it only includes the timestamp without any time zone or location info. Although it may be expressed as a UTC value, it should be seen as a timestamp missing location context.

timestamp_tz_value is used for the timestamptz data type, which accurately represents the timestamp with location information.

RowValue.Timestamp

| | accuracy | int32 | |

The accuracy is the number of digits after the decimal point.

RowValue.TimestampTZ

Zone is the time zone abbreviations in timezone database such as "PDT", "PST". https://en.wikipedia.org/wiki/List\_of\_tz\_database\_time\_zones We retrieve the time zone information from the timestamptz field in the database. A timestamp is in UTC or epoch time, and with zone info, we can convert it to a local time string. Zone and offset are returned by time.Time.Zone()

| | offset | int32 | |

The offset is in seconds east of UTC

| | accuracy | int32 | |

SearchQueryHistoriesRequest

The maximum number of histories to return. The service may return fewer than this value. If unspecified, at most 10 history entries will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListQueryHistory call. Provide this to retrieve the subsequent page.

Filter is the filter to apply on the search query history The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filter: - project: the project full name in "projects/{id}" format, support "==" operator. - database: the database full name in "instances/{id}/databases/{name}" format, support "==" operator. - instance: the instance full name in "instances/{id}" format, support "==" operator. - type: the type, should be "QUERY" or "EXPORT", support "==" operator. - statement: the SQL statement, support ".contains()" operator. For example: project == "projects/{project}" database == "instances/{instance}/databases/{database}" instance == "instances/{instance}" type == "QUERY" type == "EXPORT" statement.contains("select") type == "QUERY" && statement.contains("select")

SearchQueryHistoriesResponse

The list of history.

A token to retrieve next page of history. Pass this value in the page_token field in the subsequent call to ListQueryHistory method to retrieve the next page of history.

Advice.Level

Level represents the severity level of the advice.

Unspecified advice level.

| | SUCCESS | 1 |

Success status indicating the check passed without issues.

| | WARNING | 2 |

Warning status indicating potential issues that should be reviewed.

| | ERROR | 3 |

Error status indicating critical issues that must be addressed.

Advice.RuleType

RuleType indicates the source of the linting rule.

Unspecified rule type.

| | PARSER_BASED | 1 |

Parser-based rule enforced by the built-in SQL parser. These are non-configurable, mandatory checks for schema health.

| | AI_POWERED | 2 |

AI-powered rule defined by user in natural language. These are custom, flexible checks powered by AI models.

QueryHistory.Type

Unspecified query history type.

| | QUERY | 1 |

Query execution for data retrieval.

| | EXPORT | 2 |

Data export operation to file.

QueryOption.MSSQLExplainFormat

defaults to SHOWPLAN_ALL

| | MSSQL_EXPLAIN_FORMAT_ALL | 1 |

SHOWPLAN_ALL

| | MSSQL_EXPLAIN_FORMAT_XML | 2 |

SHOWPLAN_XML

QueryOption.RedisRunCommandsOn

UNSPECIFIED defaults to SINGLE_NODE.

| | SINGLE_NODE | 1 |

Execute Redis commands on a single node in the cluster.

| | ALL_NODES | 2 |

Execute Redis commands on all nodes in the cluster for cluster-wide operations.

QueryResult.CommandError.Type

| | DDL | 1 |

| | DML | 2 |

| | NON_READ_ONLY | 3 |

QueryResult.Message.Level

Unspecified message level.

| | INFO | 1 |

Informational message.

| | WARNING | 2 |

Warning message indicating potential issues.

| | DEBUG | 3 |

Debug message for development and troubleshooting.

| | LOG | 4 |

General log message.

| | NOTICE | 5 |

Notice message for important information.

| | EXCEPTION | 6 |

Exception message indicating error conditions.

SQLService

SQLService executes SQL queries and manages query operations.

Executes a read-only SQL query against a database. Permissions required: bb.databases.get

Executes SQL with admin privileges via streaming connection. Permissions required: bb.sql.admin

SearchQueryHistories searches query histories for the caller. Permissions required: None (only returns caller's own query histories)

Exports query results to a file format. Permissions required: bb.databases.get

Computes schema differences between two database metadata. Permissions required: None

Provides AI-powered SQL completion and generation. Permissions required: None (authenticated users only, requires AI to be enabled)

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | Query | POST | /v1/{name=instances/*/databases/*}:query | * | | AdminExecute | GET | /v1:adminExecute | | | SearchQueryHistories | POST | /v1/queryHistories:search | * | | Export | POST | /v1/{name=instances/*/databases/*}:export | * | | Export | POST | /v1/{name=projects/*/plans/*/rollout}:export | * | | Export | POST | /v1/{name=projects/*/plans/*/rollout/stages/*}:export | * | | DiffMetadata | POST | /v1/schemaDesign:diffMetadata | * | | AICompletion | POST | /v1/sql/aiCompletion | * |

v1/plan_service.proto

Top

CancelPlanCheckRunRequest

The name of the plan check run to cancel. Format: projects/{project}/plans/{plan}/planCheckRun

CancelPlanCheckRunResponse

CreatePlanRequest

The parent project where this plan will be created. Format: projects/{project}

The plan to create.

GetPlanCheckRunRequest

The name of the plan check run to retrieve. Format: projects/{project}/plans/{plan}/planCheckRun

GetPlanRequest

The name of the plan to retrieve. Format: projects/{project}/plans/{plan}

ListPlansRequest

The parent, which owns this collection of plans. Format: projects/{project} Use "projects/-" to list all plans from all projects.

| | page_size | int32 | |

The maximum number of plans to return. The service may return fewer than this value. If unspecified, at most 10 plans will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListPlans call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListPlans must match the call that provided the page token.

Filter is used to filter plans returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filters: - creator: the plan creator full name in "users/{email or id}" format, support "==" operator. - create_time: the plan create time in "2006-01-02T15:04:05Z07:00" format, support ">=" or "<=" operator. - has_rollout: whether the plan has rollout, support "==" operator, the value should be "true" or "false". - has_issue: the plan has issue or not, support "==" operator, the value should be "true" or "false". - title: the plan title, support "==" operator for exact match and ".contains()" operator for case-insensitive substring match. - spec_type: the plan spec config type, support "==" operator, the value should be "create_database_config", "change_database_config", or "export_data_config". - state: the plan state, support "==" operator, the value should be "ACTIVE" or "DELETED". For example: creator == "users/[email protected]" && create_time >= "2025-01-02T15:04:05Z07:00" has_rollout == false && has_issue == true title == "My Plan" title.contains("database migration") spec_type == "change_database_config" state == "ACTIVE"

ListPlansResponse

The plans from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

Plan

The name of the plan. plan is a system generated ID. Format: projects/{project}/plans/{plan}

The state of the plan.

The issue associated with the plan. Can be empty. Format: projects/{project}/issues/{issue}

The title of the plan.

The description of the plan.

The deployment specs for the plan.

Format: users/[email protected]

The status count of the latest plan check runs. Keys are: - SUCCESS - WARNING - ERROR - RUNNING

Whether the plan has started the rollout.

The approval status of the linked issue. Unspecified when no linked issue exists.

Per-stage rollout status summary. Ordered by environment deployment order. Empty when no rollout exists.

Plan.ChangeDatabaseConfig

The list of targets. Multi-database format: [instances/{instance-id}/databases/{database-name}]. Single database group format: [projects/{project}/databaseGroups/{databaseGroup}].

The resource name of the sheet. Format: projects/{project}/sheets/{sheet}

The resource name of the release. Format: projects/{project}/releases/{release}

If set, a backup of the modified data will be created automatically before any changes are applied.

Plan.CreateDatabaseConfig

The resource name of the instance on which the database is created. Format: instances/{instance}

The name of the database to create.

table is the name of the table, if it is not empty, Bytebase should create a table after creating the database. For example, in MongoDB, it only creates the database when we first store data in that database.

character_set is the character set of the database.

collation is the collation of the database.

cluster is the cluster of the database. This is only applicable to ClickHouse for "ON CLUSTER <<cluster>>".

owner is the owner of the database. This is only applicable to Postgres for "WITH OWNER <<owner>>".

The environment resource. Format: environments/prod where prod is the environment resource ID.

Plan.ExportDataConfig

The list of targets. Multi-database format: [instances/{instance-id}/databases/{database-name}]. Single database group format: [projects/{project}/databaseGroups/{databaseGroup}].

The resource name of the sheet. Format: projects/{project}/sheets/{sheet}

The format of the exported file.

The zip password provide by users. Leave it empty if no needs to encrypt the zip file.

Plan.PlanCheckRunStatusCountEntry

| | value | int32 | |

Plan.RolloutStageSummary

The stage resource name. Format: projects/{project}/plans/{plan}/rollout/stages/{stage}

Task status counts for this stage.

Plan.Spec

A UUID4 string that uniquely identifies the Spec.

Plan.TaskStatusCount

The task status.

| | count | int32 | |

The number of tasks in the status.

PlanCheckRun

Format: projects/{project}/plans/{plan}/planCheckRun

error is set if the Status is FAILED.

PlanCheckRun.Result

| | code | int32 | |

Target identification for consolidated results. Format: instances/{instance}/databases/{database}

PlanCheckRun.Result.SqlReviewReport

Position of the SQL statement.

PlanCheckRun.Result.SqlSummaryReport

statement_types are the types of statements that are found in the sql.

| | affected_rows | int64 | |

RunPlanChecksRequest

The plan to run plan checks. Format: projects/{project}/plans/{plan}

The UUID of the specific spec to run plan checks for. This should match the spec.id field in Plan.Spec. If not set, all specs in the plan will be used.

RunPlanChecksResponse

UpdatePlanRequest

The plan to update. The plan's name field is used to identify the plan to update. Format: projects/{project}/plans/{plan}

The list of fields to update.

If set to true, and the plan is not found, a new plan will be created. In this situation, update_mask is ignored.

PlanCheckRun.Result.Type

| | STATEMENT_ADVISE | 1 |

| | STATEMENT_SUMMARY_REPORT | 2 |

| | GHOST_SYNC | 3 |

PlanCheckRun.Status

| | RUNNING | 1 |

| | DONE | 2 |

| | FAILED | 3 |

| | CANCELED | 4 |

PlanService

PlanService manages deployment plans for database changes.

Retrieves a deployment plan by name. Permissions required: bb.plans.get

Lists deployment plans in a project. Permissions required: bb.plans.list

Creates a new deployment plan. Permissions required: bb.plans.create

UpdatePlan updates the plan. The plan creator and the user with bb.plans.update permission on the project can update the plan. Permissions required: bb.plans.update (or creator)

Gets the plan check run for a deployment plan. Permissions required: bb.planCheckRuns.get

Executes validation checks on a deployment plan. Permissions required: bb.planCheckRuns.run

Cancels the plan check run for a deployment plan. Permissions required: bb.planCheckRuns.run

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetPlan | GET | /v1/{name=projects/*/plans/*} | | | ListPlans | GET | /v1/{parent=projects/*}/plans | | | CreatePlan | POST | /v1/{parent=projects/*}/plans | plan | | UpdatePlan | PATCH | /v1/{plan.name=projects/*/plans/*} | plan | | GetPlanCheckRun | GET | /v1/{name=projects/*/plans/*/planCheckRun} | | | RunPlanChecks | POST | /v1/{name=projects/*/plans/*}:runPlanChecks | * | | CancelPlanCheckRun | POST | /v1/{name=projects/*/plans/*/planCheckRun}:cancel | * |

v1/project_service.proto

Top

Activity

Activity types for webhook notifications.

AddWebhookRequest

The name of the project to add the webhook to. Format: projects/{project}

The webhook to add.

BatchDeleteProjectsRequest

The names of the projects to delete. Format: projects/{project}

If set to true, permanently purge the soft-deleted projects and all related resources. This operation is irreversible. Following AIP-165, this should only be used for administrative cleanup of old soft-deleted projects. All projects must already be soft-deleted for this to work. When purge=true, all databases will be moved to the default project before deletion. When purge=false (soft delete/archive), the projects and their databases/issues remain unchanged.

BatchGetProjectsRequest

The names of projects to retrieve. Format: projects/{project}

BatchGetProjectsResponse

The projects from the specified request.

CreateProjectRequest

The project to create.

The ID to use for the project, which will become the final component of the project's resource name. This value should be 4-63 characters, and valid characters are /[a-z][0-9]-/.

DeleteProjectRequest

The name of the project to delete. Format: projects/{project}

If set to true, permanently purge the soft-deleted project and all related resources. This operation is irreversible. Following AIP-165, this should only be used for administrative cleanup of old soft-deleted projects. The project must already be soft-deleted for this to work. When purge=true, all databases will be moved to the default project before deletion. When purge=false (soft delete/archive), the project and its databases/issues remain unchanged.

GetProjectRequest

The name of the project to retrieve. Format: projects/{project}

Label

A label for categorizing and organizing issues.

The label value/name.

The color code for the label (e.g., hex color).

The group this label belongs to.

ListProjectsRequest

The maximum number of projects to return. The service may return fewer than this value. If unspecified, at most 10 projects will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListProjects call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListProjects must match the call that provided the page token.

Show deleted projects if specified.

Filter the project. Check filter for SearchProjectsRequest for details. Supports filtering by name, resource_id, state, and labels (e.g., labels.environment == "production").

The order by of projects. Support title. The default sorting order is ascending. For example: - order_by = "title" - order_by = "title desc" - order_by = "title asc"

ListProjectsResponse

The projects from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

Project

The name of the project. Format: projects/{project}

The lifecycle state of the project.

The title or name of a project. It's not unique within the workspace.

The list of webhooks configured for the project.

The data classification configuration ID for the project.

Labels available for tagging issues in this project.

Force issue labels to be used when creating an issue.

Enforce issue title to be created by user instead of generated by Bytebase.

Whether to enable database tenant mode for PostgreSQL. If enabled, issues will include "set role <db_owner>" statement.

Whether to allow issue creators to self-approve their own issues.

Execution retry policy for task runs.

| | ci_sampling_size | int32 | |

The maximum number of database rows to sample during CI data validation. Without specification, sampling is disabled, resulting in full validation.

| | parallel_tasks_per_rollout | int32 | |

The maximum number of parallel tasks allowed during rollout execution.

Labels are key-value pairs that can be attached to the project. For example, { "environment": "production", "team": "backend" }

Whether to enforce SQL review checks to pass before issue creation. If enabled, issues cannot be created when SQL review finds errors.

Whether to require issue approval before rollout.

Whether to require plan check to have no error before rollout.

Once enabled, users can request and use the just-in-time access in the SQL Editor.

Project.ExecutionRetryPolicy

Execution retry policy configuration.

The maximum number of retries for lock timeout errors.

Project.LabelsEntry

RemoveWebhookRequest

The webhook to remove. Identified by its url.

SearchProjectsRequest

Show deleted projects if specified.

Filter the project. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filters: - name: the project name, support "==" and ".contains()" operator. - resource_id: the project id, support "==" and ".contains()" operator. - exclude_default: if not include the default project, should be "true" or "false", support "==" operator. - state: check the State enum for the values, support "==" operator. - labels.{key}: the project label, support "==" and "in" operators. For example: name == "project name" name.contains("project name") resource_id == "project id" resource_id.contains("project id") exclude_default == true state == "DELETED" labels.environment == "production" labels.tier == "critical" labels.environment in ["staging", "prod"] You can combine filter conditions like: name == "project name" && resource_id.contains("project id") name.contains("project name") || resource_id == "project id" labels.environment == "production" && labels.tier == "critical"

| | page_size | int32 | |

A page token, received from a previous SearchProjects call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to SearchProjects must match the call that provided the page token.

The order by of projects. Support title. The default sorting order is ascending. For example: - order_by = "title" - order_by = "title desc" - order_by = "title asc"

SearchProjectsResponse

The projects from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

TestWebhookRequest

The name of the project which owns the webhook to test. Format: projects/{project}

The webhook to test. Identified by its url.

TestWebhookResponse

The result of the test, empty if the test is successful.

UndeleteProjectRequest

The name of the deleted project. Format: projects/{project}

UpdateProjectRequest

The project to update. The project's name field is used to identify the project to update. Format: projects/{project}

The list of fields to update.

If set to true, and the project is not found, a new project will be created. In this situation, update_mask is ignored.

UpdateWebhookRequest

The webhook to modify.

The list of fields to update.

If set to true, and the webhook is not found, a new webhook will be created. In this situation, update_mask is ignored.

Webhook

name is the name of the webhook, generated by the server. format: projects/{project}/webhooks/{webhook}

Webhook integration type. type is the type of the webhook.

title is the title of the webhook.

| | url | string | |

url is the url of the webhook, should be unique within the project.

if direct_message is set, the notification is sent directly to the persons and url will be ignored. IM integration setting should be set for this function to work.

notification_types is the list of activities types that the webhook is interested in. Bytebase will only send notifications to the webhook if the activity type is in the list. It should not be empty, and should be a subset of the following: - ISSUE_CREATED - ISSUE_APPROVAL_REQUESTED - ISSUE_SENT_BACK - ISSUE_APPROVED - PIPELINE_FAILED - PIPELINE_COMPLETED

Activity.Type

Activity type enumeration.

Unspecified type.

| | ISSUE_CREATED | 10 |

ISSUE_CREATED represents a new issue creation event.

| | ISSUE_APPROVAL_REQUESTED | 11 |

ISSUE_APPROVAL_REQUESTED represents an approval request event.

| | ISSUE_SENT_BACK | 12 |

ISSUE_SENT_BACK represents an issue being sent back by an approver.

| | PIPELINE_FAILED | 13 |

PIPELINE_FAILED represents a pipeline failure event.

| | PIPELINE_COMPLETED | 14 |

PIPELINE_COMPLETED represents a pipeline completion event.

| | ISSUE_APPROVED | 15 |

ISSUE_APPROVED represents an issue being fully approved.

ProjectService

ProjectService manages projects that group databases and changes.

GetProject retrieves a project by name. Users with "bb.projects.get" permission on the workspace or the project owner can access this method. Permissions required: bb.projects.get

BatchGetProjects retrieves multiple projects by their names. Permissions required: bb.projects.get

Lists all projects in the workspace with optional filtering. Permissions required: bb.projects.list

Searches for projects with advanced filtering capabilities. Permissions required: bb.projects.get (or project-level bb.projects.get for specific projects)

Creates a new project in the workspace. Permissions required: bb.projects.create

Updates an existing project's properties. Permissions required: bb.projects.update

Deletes (soft-delete or purge) a project. Permissions required: bb.projects.delete

Restores a soft-deleted project. Permissions required: bb.projects.undelete

Deletes multiple projects in a single operation. Permissions required: bb.projects.delete

Retrieves the IAM policy for a project. Permissions required: bb.projects.getIamPolicy

Sets the IAM policy for a project. Permissions required: bb.projects.setIamPolicy

Adds a webhook to a project for notifications. Permissions required: bb.projects.update

Updates an existing webhook configuration. Permissions required: bb.projects.update

Removes a webhook from a project. Permissions required: bb.projects.update

Tests a webhook by sending a test notification. Permissions required: bb.projects.update

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetProject | GET | /v1/{name=projects/*} | | | BatchGetProjects | GET | /v1/projects:batchGet | | | ListProjects | GET | /v1/projects | | | SearchProjects | POST | /v1/projects:search | * | | CreateProject | POST | /v1/projects | project | | UpdateProject | PATCH | /v1/{project.name=projects/*} | project | | DeleteProject | DELETE | /v1/{name=projects/*} | | | UndeleteProject | POST | /v1/{name=projects/*}:undelete | * | | BatchDeleteProjects | POST | /v1/projects:batchDelete | * | | GetIamPolicy | GET | /v1/{resource=projects/*}:getIamPolicy | | | SetIamPolicy | POST | /v1/{resource=projects/*}:setIamPolicy | * | | AddWebhook | POST | /v1/{project=projects/*}:addWebhook | * | | UpdateWebhook | PATCH | /v1/{webhook.name=projects/*/webhooks/*}:updateWebhook | webhook | | RemoveWebhook | POST | /v1/{webhook.name=projects/*/webhooks/*}:removeWebhook | * | | TestWebhook | POST | /v1/{project=projects/*}:testWebhook | * |

v1/release_service.proto

Top

CheckReleaseRequest

Format: projects/{project}

The release to check.

The targets to dry-run the release. Can be database or databaseGroup. Format: projects/{project}/databaseGroups/{databaseGroup} instances/{instance}/databases/{database}

Custom linting rules in natural language for AI-powered validation. Each rule should be a clear statement describing the desired schema constraint. Example: "All tables must have a primary key" Example: "VARCHAR columns should specify a maximum length"

CheckReleaseResponse

The check results for each file and target combination.

| | affected_rows | int64 | |

The total affected rows across all checks.

The aggregated risk level of the check.

CheckReleaseResponse.CheckResult

Check result for a single release file on a target database.

The file path that is being checked.

The target that the check is performed on. Should be a database. Format: instances/{instance}/databases/{database}

The list of advice for the file and the target.

| | affected_rows | int64 | |

The count of affected rows of the statement on the target.

The risk level of the statement on the target.

CreateReleaseRequest

Format: projects/{project}

The release to create.

Template for release ID generation. Available variables: {date}, {time}, {timestamp}, {iteration}. Example: "release_{date}-RC{iteration}" generates "release_20260119-RC00". Default: "release_{date}-RC{iteration}".

Timezone for {date} and {time} variables in the template. Must be a valid IANA timezone (e.g., "UTC", "America/Los_Angeles"). Default: "UTC".

DeleteReleaseRequest

The name of the release to delete. Format: projects/{project}/releases/{release}

GetReleaseRequest

Format: projects/{project}/releases/{release}

ListReleaseCategoriesRequest

Format: projects/{project}

ListReleaseCategoriesResponse

The unique category values in the project.

ListReleasesRequest

Format: projects/{project}

| | page_size | int32 | |

The maximum number of releases to return. The service may return fewer than this value. If unspecified, at most 10 releases will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListReleases call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListReleases must match the call that provided the page token.

Show deleted releases if specified.

Filter is used to filter releases returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filters: - category: release category, support "==" operator. For example: category == "webapp"

ListReleasesResponse

The releases from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

Release

Format: projects/{project}/releases/{release}

Category extracted from release name (e.g., "webapp", "analytics"). Set by Bytebase action during release creation.

The SQL files included in the release.

The version control source of the release.

Format: users/[email protected]

The lifecycle state of the release.

The type of schema change for all files in this release.

Release.File

A SQL file in a release.

The path of the file. e.g., 2.2/V0001_create_table.sql.

The version identifier for the file.

For inputs, we must either use sheet or statement. For outputs, we always use sheet. statement is the preview of the sheet content. The sheet that holds the content. Format: projects/{project}/sheets/{sheet}

The raw SQL statement content.

The SHA256 hash value of the sheet content or the statement.

Release.VCSSource

Version control system source information.

The type of VCS.

| | url | string | |

The url link to the e.g., GitHub commit or pull request.

UndeleteReleaseRequest

The name of the deleted release. Format: projects/{project}/releases/{release}

UpdateReleaseRequest

The release to update.

The list of fields to be updated.

Release.Type

The type of schema change.

Unspecified type.

| | VERSIONED | 1 |

Versioned schema migration.

| | DECLARATIVE | 2 |

Declarative schema definition.

ReleaseService

ReleaseService manages releases for coordinating deployments.

Retrieves a release by name. Permissions required: bb.releases.get

Lists releases in a project. Permissions required: bb.releases.list

Creates a new release with SQL files. Permissions required: bb.releases.create

Updates an existing release. Permissions required: bb.releases.update When allow_missing=true, also requires: bb.releases.create

Deletes a release. Permissions required: bb.releases.delete

Restores a deleted release. Permissions required: bb.releases.undelete

Validates a release by dry-running checks on target databases. Permissions required: bb.releases.check

Lists all unique categories in a project. Permissions required: bb.releases.list

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetRelease | GET | /v1/{name=projects/*/releases/*} | | | ListReleases | GET | /v1/{parent=projects/*}/releases | | | CreateRelease | POST | /v1/{parent=projects/*}/releases | release | | UpdateRelease | PATCH | /v1/{release.name=projects/*/releases/*} | release | | DeleteRelease | DELETE | /v1/{name=projects/*/releases/*} | | | UndeleteRelease | POST | /v1/{name=projects/*/releases/*}:undelete | | | CheckRelease | POST | /v1/{parent=projects/*}/releases:check | * | | ListReleaseCategories | GET | /v1/{parent=projects/*}/releases:listCategories | |

v1/review_config_service.proto

Top

CreateReviewConfigRequest

The SQL review config to create.

DeleteReviewConfigRequest

The name of the SQL review config to delete. Format: reviewConfigs/{reviewConfig}

GetReviewConfigRequest

The name of the SQL review config to retrieve. Format: reviewConfigs/{reviewConfig}

ListReviewConfigsRequest

ListReviewConfigsResponse

The SQL review configs from the specified request.

ReviewConfig

The name of the SQL review config. Format: reviewConfigs/{reviewConfig}

The title of the review configuration.

Whether the review configuration is enabled.

The SQL review rules to enforce.

Resources using the config. Format: {resource}/{resource id}, e.g., environments/test.

SQLReviewRule

SQL review rule configuration. Check the SQL_REVIEW_RULES_DOCUMENTATION.md for details.

The type of SQL review rule.

The severity level of the rule.

The database engine this rule applies to.

SQLReviewRule.CommentConventionRulePayload

| | max_length | int32 | |

SQLReviewRule.NamingCaseRulePayload

SQLReviewRule.NamingRulePayload

Payload message types for SQL review rules

SQLReviewRule.NumberRulePayload

SQLReviewRule.StringArrayRulePayload

SQLReviewRule.StringRulePayload

UpdateReviewConfigRequest

The SQL review config to update. The name field is used to identify the SQL review config to update.

The list of fields to update.

If set to true, and the config is not found, a new config will be created. In this situation, update_mask is ignored.

SQLReviewRule.Level

The severity level for SQL review rules.

Unspecified level.

| | ERROR | 1 |

Rule violation is an error.

| | WARNING | 2 |

Rule violation is a warning.

SQLReviewRule.Type

| | ENGINE_MYSQL_USE_INNODB | 1 |

| | NAMING_FULLY_QUALIFIED | 2 |

| | NAMING_TABLE | 3 |

| | NAMING_COLUMN | 4 |

| | NAMING_INDEX_PK | 5 |

| | NAMING_INDEX_UK | 6 |

| | NAMING_INDEX_FK | 7 |

| | NAMING_INDEX_IDX | 8 |

| | NAMING_COLUMN_AUTO_INCREMENT | 9 |

| | NAMING_TABLE_NO_KEYWORD | 10 |

| | NAMING_IDENTIFIER_NO_KEYWORD | 11 |

| | NAMING_IDENTIFIER_CASE | 12 |

| | STATEMENT_SELECT_NO_SELECT_ALL | 13 |

| | STATEMENT_WHERE_REQUIRE_SELECT | 14 |

| | STATEMENT_WHERE_REQUIRE_UPDATE_DELETE | 15 |

| | STATEMENT_WHERE_NO_LEADING_WILDCARD_LIKE | 16 |

| | STATEMENT_DISALLOW_ON_DEL_CASCADE | 17 |

| | STATEMENT_DISALLOW_RM_TBL_CASCADE | 18 |

| | STATEMENT_DISALLOW_COMMIT | 19 |

| | STATEMENT_DISALLOW_LIMIT | 20 |

| | STATEMENT_DISALLOW_ORDER_BY | 21 |

| | STATEMENT_MERGE_ALTER_TABLE | 22 |

| | STATEMENT_INSERT_ROW_LIMIT | 23 |

| | STATEMENT_INSERT_MUST_SPECIFY_COLUMN | 24 |

| | STATEMENT_INSERT_DISALLOW_ORDER_BY_RAND | 25 |

| | STATEMENT_AFFECTED_ROW_LIMIT | 26 |

| | STATEMENT_DML_DRY_RUN | 27 |

| | STATEMENT_DISALLOW_ADD_COLUMN_WITH_DEFAULT | 28 |

| | STATEMENT_ADD_CHECK_NOT_VALID | 29 |

| | STATEMENT_ADD_FOREIGN_KEY_NOT_VALID | 30 |

| | STATEMENT_DISALLOW_ADD_NOT_NULL | 31 |

| | STATEMENT_SELECT_FULL_TABLE_SCAN | 32 |

| | STATEMENT_CREATE_SPECIFY_SCHEMA | 33 |

| | STATEMENT_CHECK_SET_ROLE_VARIABLE | 34 |

| | STATEMENT_DISALLOW_USING_FILESORT | 35 |

| | STATEMENT_DISALLOW_USING_TEMPORARY | 36 |

| | STATEMENT_WHERE_NO_EQUAL_NULL | 37 |

| | STATEMENT_WHERE_DISALLOW_FUNCTIONS_AND_CALCULATIONS | 38 |

| | STATEMENT_QUERY_MINIMUM_PLAN_LEVEL | 39 |

| | STATEMENT_WHERE_MAXIMUM_LOGICAL_OPERATOR_COUNT | 40 |

| | STATEMENT_MAXIMUM_LIMIT_VALUE | 41 |

| | STATEMENT_MAXIMUM_JOIN_TABLE_COUNT | 42 |

| | STATEMENT_MAXIMUM_STATEMENTS_IN_TRANSACTION | 43 |

| | STATEMENT_JOIN_STRICT_COLUMN_ATTRS | 44 |

| | STATEMENT_NON_TRANSACTIONAL | 45 |

| | STATEMENT_ADD_COLUMN_WITHOUT_POSITION | 46 |

| | STATEMENT_DISALLOW_OFFLINE_DDL | 47 |

| | STATEMENT_DISALLOW_CROSS_DB_QUERIES | 48 |

| | STATEMENT_MAX_EXECUTION_TIME | 49 |

| | STATEMENT_REQUIRE_ALGORITHM_OPTION | 50 |

| | STATEMENT_REQUIRE_LOCK_OPTION | 51 |

| | STATEMENT_OBJECT_OWNER_CHECK | 52 |

| | TABLE_REQUIRE_PK | 53 |

| | TABLE_NO_FOREIGN_KEY | 54 |

| | TABLE_DROP_NAMING_CONVENTION | 55 |

| | TABLE_COMMENT | 56 |

| | TABLE_DISALLOW_PARTITION | 57 |

| | TABLE_DISALLOW_TRIGGER | 58 |

| | TABLE_NO_DUPLICATE_INDEX | 59 |

| | TABLE_TEXT_FIELDS_TOTAL_LENGTH | 60 |

| | TABLE_DISALLOW_SET_CHARSET | 61 |

| | TABLE_DISALLOW_DDL | 62 |

| | TABLE_DISALLOW_DML | 63 |

| | TABLE_LIMIT_SIZE | 64 |

| | TABLE_REQUIRE_CHARSET | 65 |

| | TABLE_REQUIRE_COLLATION | 66 |

| | COLUMN_REQUIRED | 67 |

| | COLUMN_NO_NULL | 68 |

| | COLUMN_DISALLOW_CHANGE_TYPE | 69 |

| | COLUMN_SET_DEFAULT_FOR_NOT_NULL | 70 |

| | COLUMN_DISALLOW_CHANGE | 71 |

| | COLUMN_DISALLOW_CHANGING_ORDER | 72 |

| | COLUMN_DISALLOW_DROP | 73 |

| | COLUMN_DISALLOW_DROP_IN_INDEX | 74 |

| | COLUMN_COMMENT | 75 |

| | COLUMN_AUTO_INCREMENT_MUST_INTEGER | 76 |

| | COLUMN_TYPE_DISALLOW_LIST | 77 |

| | COLUMN_DISALLOW_SET_CHARSET | 78 |

| | COLUMN_MAXIMUM_CHARACTER_LENGTH | 79 |

| | COLUMN_MAXIMUM_VARCHAR_LENGTH | 80 |

| | COLUMN_AUTO_INCREMENT_INITIAL_VALUE | 81 |

| | COLUMN_AUTO_INCREMENT_MUST_UNSIGNED | 82 |

| | COLUMN_CURRENT_TIME_COUNT_LIMIT | 83 |

| | COLUMN_REQUIRE_DEFAULT | 84 |

| | COLUMN_DEFAULT_DISALLOW_VOLATILE | 85 |

| | COLUMN_ADD_NOT_NULL_REQUIRE_DEFAULT | 86 |

| | COLUMN_REQUIRE_CHARSET | 87 |

| | COLUMN_REQUIRE_COLLATION | 88 |

| | SCHEMA_BACKWARD_COMPATIBILITY | 89 |

| | DATABASE_DROP_EMPTY_DATABASE | 90 |

| | INDEX_NO_DUPLICATE_COLUMN | 91 |

| | INDEX_KEY_NUMBER_LIMIT | 92 |

| | INDEX_PK_TYPE_LIMIT | 93 |

| | INDEX_TYPE_NO_BLOB | 94 |

| | INDEX_TOTAL_NUMBER_LIMIT | 95 |

| | INDEX_PRIMARY_KEY_TYPE_ALLOWLIST | 96 |

| | INDEX_CREATE_CONCURRENTLY | 97 |

| | INDEX_TYPE_ALLOW_LIST | 98 |

| | INDEX_NOT_REDUNDANT | 99 |

| | SYSTEM_CHARSET_ALLOWLIST | 100 |

| | SYSTEM_COLLATION_ALLOWLIST | 101 |

| | SYSTEM_COMMENT_LENGTH | 102 |

| | SYSTEM_PROCEDURE_DISALLOW_CREATE | 103 |

| | SYSTEM_EVENT_DISALLOW_CREATE | 104 |

| | SYSTEM_VIEW_DISALLOW_CREATE | 105 |

| | SYSTEM_FUNCTION_DISALLOW_CREATE | 106 |

| | SYSTEM_FUNCTION_DISALLOWED_LIST | 107 |

| | ADVICE_ONLINE_MIGRATION | 108 |

| | BUILTIN_PRIOR_BACKUP_CHECK | 109 |

| | BUILTIN_WALK_THROUGH_CHECK | 110 |

| | STATEMENT_DISALLOW_TRUNCATE | 111 |

ReviewConfigService

ReviewConfigService manages approval flow configurations.

Creates a new SQL review configuration. Permissions required: bb.reviewConfigs.create

Lists all SQL review configurations. Permissions required: bb.reviewConfigs.list

Retrieves a SQL review configuration by name. Permissions required: bb.reviewConfigs.get

Updates a SQL review configuration. Permissions required: bb.reviewConfigs.update When allow_missing=true, also requires: bb.reviewConfigs.create

Deletes a SQL review configuration. Permissions required: bb.reviewConfigs.delete

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | CreateReviewConfig | POST | /v1/reviewConfigs | review_config | | ListReviewConfigs | GET | /v1/reviewConfigs | | | GetReviewConfig | GET | /v1/{name=reviewConfigs/*} | | | UpdateReviewConfig | PATCH | /v1/{review_config.name=reviewConfigs/*} | review_config | | DeleteReviewConfig | DELETE | /v1/{name=reviewConfigs/*} | |

v1/revision_service.proto

Top

BatchCreateRevisionsRequest

The parent resource shared by all revisions being created. Format: instances/{instance}/databases/{database}

The request message specifying the revisions to create. A maximum of 100 revisions can be created in a batch.

BatchCreateRevisionsResponse

The created revisions.

CreateRevisionRequest

Format: instances/{instance}/databases/{database}

The revision to create.

DeleteRevisionRequest

The name of the revision to delete. Format: instances/{instance}/databases/{database}/revisions/{revision}

GetRevisionRequest

The name of the revision. Format: instances/{instance}/databases/{database}/revisions/{revision}

ListRevisionsRequest

The parent of the revisions. Format: instances/{instance}/databases/{database}

| | page_size | int32 | |

The maximum number of revisions to return. The service may return fewer than this value. If unspecified, at most 10 revisions will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListRevisions call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListRevisions must match the call that provided the page token.

Whether to include deleted revisions in the results.

ListRevisionsResponse

The revisions from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

Revision

Format: instances/{instance}/databases/{database}/revisions/{revision}

Format: projects/{project}/releases/{release} Can be empty.

Format: users/[email protected] Can be empty.

Can be empty.

Format: projects/{project}/releases/{release}/files/{file_path} The file_path segment is URL-encoded since file paths may contain "/". Can be empty.

The schema version string for this revision.

The sheet that holds the content. Format: projects/{project}/sheets/{sheet}

The SHA256 hash value of the sheet.

The task run associated with the revision. Can be empty. Format: projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}/taskRuns/{taskRun}

The type of the revision.

Revision.Type

The type of schema revision.

Unspecified type.

| | VERSIONED | 1 |

Versioned schema migration.

| | DECLARATIVE | 2 |

Declarative schema definition.

RevisionService

RevisionService manages schema revision history.

Lists schema revisions for a database. Permissions required: bb.revisions.list

Retrieves a schema revision by name. Permissions required: bb.revisions.get

Creates multiple schema revisions in a single operation. Permissions required: bb.revisions.create

Deletes a schema revision. Permissions required: bb.revisions.delete

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | ListRevisions | GET | /v1/{parent=instances/*/databases/*}/revisions | | | GetRevision | GET | /v1/{name=instances/*/databases/*/revisions/*} | | | BatchCreateRevisions | POST | /v1/{parent=instances/*/databases/*}/revisions:batchCreate | * | | DeleteRevision | DELETE | /v1/{name=instances/*/databases/*/revisions/*} | |

v1/role_service.proto

Top

CreateRoleRequest

The role to create.

The ID to use for the role, which will become the final component of the role's resource name. This value should be 4-63 characters, and valid characters are /[a-z][A-Z][0-9]/.

DeleteRoleRequest

The name of the role to delete. Format: roles/{role}

GetRoleRequest

The name of the role to retrieve. Format: roles/{role}

ListRolesRequest

ListRolesResponse

The roles from the specified request.

Role

Role defines a set of permissions that can be assigned to users.

Resource name. Format: roles/{role}

Human-readable title.

Optional description of the role.

List of permission identifiers granted by this role.

Role type indicating if it's built-in or custom.

UpdateRoleRequest

The role to update.

The list of fields to update.

If set to true, and the role is not found, a new role will be created. In this situation, update_mask is ignored.

Role.Type

| | BUILT_IN | 1 |

System-defined role that cannot be modified.

| | CUSTOM | 2 |

User-defined role that can be modified.

RoleService

RoleService manages workspace roles and permissions.

Lists roles in the workspace. Permissions required: bb.roles.list

Retrieves a role by name. Permissions required: bb.roles.get

Creates a new custom role. Permissions required: bb.roles.create

Updates a role's properties. Permissions required: bb.roles.update When allow_missing=true, also requires: bb.roles.create

Deletes a custom role. Permissions required: bb.roles.delete

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | ListRoles | GET | /v1/roles | | | GetRole | GET | /v1/{name=roles/*} | | | CreateRole | POST | /v1/roles | role | | UpdateRole | PATCH | /v1/{role.name=roles/*} | role | | DeleteRole | DELETE | /v1/{name=roles/*} | |

v1/service_account_service.proto

Top

CreateServiceAccountRequest

Request message for creating a service account.

The parent resource where this service account will be created. Format: projects/{project} for project-level, workspaces/{id} for workspace-level.

The ID to use for the service account, which will become the final component of the service account's email in the format: {service_account_id}@service.bytebase.com or {service_account_id}@{project-id}.service.bytebase.com

The service account to create.

DeleteServiceAccountRequest

Request message for deleting a service account.

The name of the service account to delete. Format: serviceAccounts/{email}

GetServiceAccountRequest

Request message for getting a service account.

The name of the service account to retrieve. Format: serviceAccounts/{email}

ListServiceAccountsRequest

Request message for listing service accounts.

The parent resource. Format: projects/{project} for project-level, workspaces/{id} for workspace-level.

| | page_size | int32 | |

The maximum number of service accounts to return. The service may return fewer than this value. If unspecified, at most 10 service accounts will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListServiceAccounts call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListServiceAccounts must match the call that provided the page token.

Show deleted service accounts if specified.

Filter is used to filter service accounts returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filter: - name: the service account name, support "==" and ".contains()" operator. - email: the service account email, support "==" and ".contains()" operator. - state: check State enum for values, support "==" operator. For example: name == "ed" name.contains("ed") state == "DELETED" email == "[email protected]" email.contains("ed")

ListServiceAccountsResponse

Response message for listing service accounts.

The service accounts from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

ServiceAccount

ServiceAccount represents an API integration account.

The name of the service account. Format: serviceAccounts/{email}

The state of the service account.

The email of the service account. For workspace-level: {name}@service.bytebase.com For project-level: {name}@{project-id}.service.bytebase.com

The display title of the service account.

The service key for authentication. Only returned on creation or key rotation.

The timestamp when the service account was created.

UndeleteServiceAccountRequest

Request message for restoring a deleted service account.

The name of the deleted service account. Format: serviceAccounts/{email}

UpdateServiceAccountRequest

Request message for updating a service account.

The service account to update. The service account's name field is used to identify the service account to update. Format: serviceAccounts/{email}

The list of fields to update. Supported fields: title, service_key (triggers key rotation)

ServiceAccountService

ServiceAccountService manages service accounts for API integrations.

Creates a new service account. For workspace-level: parent is workspaces/{id}, permission bb.serviceAccounts.create on workspace. For project-level: parent is projects/{project}, permission bb.serviceAccounts.create on project.

Gets a service account by name. Permissions required: bb.serviceAccounts.get

Lists service accounts. For workspace-level: parent is workspaces/{id}, permission bb.serviceAccounts.list on workspace. For project-level: parent is projects/{project}, permission bb.serviceAccounts.list on project.

Updates a service account. Permissions required: bb.serviceAccounts.update

Deletes a service account. Permissions required: bb.serviceAccounts.delete

Restores a deleted service account. Permissions required: bb.serviceAccounts.undelete

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | CreateServiceAccount | POST | /v1/{parent=projects/*}/serviceAccounts | service_account | | CreateServiceAccount | POST | /v1/{parent=workspaces/*}/serviceAccounts | service_account | | GetServiceAccount | GET | /v1/{name=serviceAccounts/*} | | | ListServiceAccounts | GET | /v1/{parent=projects/*}/serviceAccounts | | | ListServiceAccounts | GET | /v1/{parent=workspaces/*}/serviceAccounts | | | UpdateServiceAccount | PATCH | /v1/{service_account.name=serviceAccounts/*} | service_account | | DeleteServiceAccount | DELETE | /v1/{name=serviceAccounts/*} | | | UndeleteServiceAccount | POST | /v1/{name=serviceAccounts/*}:undelete | * |

v1/sheet_service.proto

Top

BatchCreateSheetsRequest

The parent resource where all sheets will be created. Format: projects/{project}

BatchCreateSheetsResponse

CreateSheetRequest

The parent resource where this sheet will be created. Format: projects/{project}

The sheet to create.

GetSheetRequest

The name of the sheet to retrieve. Format: projects/{project}/sheets/{sheet}

| | raw | bool | |

By default, the content of the sheet is cut off, set the raw to true to retrieve the full content.

Sheet

The name of the sheet resource. Format: projects/{project}/sheets/{sheet} The sheet ID is generated by the server on creation and cannot be changed.

The content of the sheet. By default, it will be cut off, if it doesn't match the content_size, you can set the raw to true in GetSheet request to retrieve the full content.

| | content_size | int64 | |

content_size is the full size of the content, may not match the size of the content field.

SheetService

SheetService manages SQL scripts and saved queries.

Creates a new SQL sheet. Permissions required: bb.sheets.create

Creates multiple SQL sheets in a single operation. Permissions required: bb.sheets.create

Retrieves a SQL sheet by name. Permissions required: bb.sheets.get

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | CreateSheet | POST | /v1/{parent=projects/*}/sheets | sheet | | BatchCreateSheets | POST | /v1/{parent=projects/*}/sheets:batchCreate | * | | GetSheet | GET | /v1/{name=projects/*/sheets/*} | |

v1/subscription_service.proto

Top

CancelPurchaseRequest

CreatePurchaseRequest

| | seats | int32 | |

GetPaymentInfoRequest

GetSubscriptionRequest

ListPurchasePlansRequest

ListPurchasePlansResponse

PaymentInfo

Stripe Billing Portal URL for invoice management.

Whether the subscription is scheduled to cancel at the end of the current billing period.

PlanConfig

PlanConfig represents the configuration for all plans loaded from plan.yaml

PlanLimitConfig

PlanLimitConfig represents a single plan's configuration

| | maximum_instance_count | int32 | |

| | maximum_seat_count | int32 | |

PurchaseBillingMethod

PurchaseDiscount

| | value | int32 | |

PurchasePlan

PurchasePlanAdditional

| | unit_price | int32 | |

Price in USD cents per month.

| | free_count | int32 | |

| | minimum_count | int32 | |

| | maximum_count | int32 | |

-1 means unlimited.

PurchaseResponse

If set, redirect to this Stripe Checkout URL. If empty, the update was applied directly using the existing payment method.

Stripe Checkout Session ID. Used to verify the session after redirect.

Subscription

| | seats | int32 | |

| | instances | int32 | |

| | active_instances | int32 | |

| | ha | bool | |

Whether high availability (multiple replicas) is enabled.

Etag for optimistic concurrency on purchase updates. Only set in SaaS mode.

UpdatePurchaseRequest

| | seats | int32 | |

UploadLicenseRequest

VerifyCheckoutSessionRequest

VerifyCheckoutSessionResponse

Stripe Checkout Session status: "complete", "expired", or "open".

BillingInterval

| | MONTH | 1 |

| | YEAR | 2 |

PlanFeature

PlanFeature represents the available features in Bytebase

| | FEATURE_DATABASE_CHANGE | 1 |

Database Change Management

| | FEATURE_GIT_BASED_SCHEMA_VERSION_CONTROL | 2 |

| | FEATURE_DECLARATIVE_SCHEMA_MIGRATION | 3 |

| | FEATURE_COMPARE_AND_SYNC_SCHEMA | 4 |

| | FEATURE_ONLINE_SCHEMA_CHANGE | 5 |

| | FEATURE_PRE_DEPLOYMENT_SQL_REVIEW | 6 |

| | FEATURE_AUTOMATIC_BACKUP_BEFORE_DATA_CHANGES | 7 |

| | FEATURE_ONE_CLICK_DATA_ROLLBACK | 8 |

| | FEATURE_MULTI_DATABASE_BATCH_CHANGES | 9 |

| | FEATURE_PROGRESSIVE_ENVIRONMENT_DEPLOYMENT | 10 |

| | FEATURE_SCHEDULED_ROLLOUT_TIME | 11 |

| | FEATURE_DATABASE_CHANGELOG | 12 |

| | FEATURE_SCHEMA_DRIFT_DETECTION | 13 |

| | FEATURE_ROLLOUT_POLICY | 14 |

| | FEATURE_WEB_BASED_SQL_EDITOR | 15 |

SQL Editor & Development

| | FEATURE_SQL_EDITOR_ADMIN_MODE | 16 |

| | FEATURE_NATURAL_LANGUAGE_TO_SQL | 17 |

| | FEATURE_AI_QUERY_EXPLANATION | 18 |

| | FEATURE_AI_QUERY_SUGGESTIONS | 19 |

| | FEATURE_AUTO_COMPLETE | 20 |

| | FEATURE_SCHEMA_DIAGRAM | 21 |

| | FEATURE_SCHEMA_EDITOR | 22 |

| | FEATURE_DATA_EXPORT | 23 |

| | FEATURE_DATA_OFFLINE_EXPORT | 24 |

| | FEATURE_QUERY_HISTORY | 25 |

| | FEATURE_SAVED_AND_SHARED_SQL_SCRIPTS | 26 |

| | FEATURE_BATCH_QUERY | 27 |

| | FEATURE_INSTANCE_READ_ONLY_CONNECTION | 28 |

| | FEATURE_QUERY_POLICY | 29 |

| | FEATURE_RESTRICT_COPYING_DATA | 30 |

| | FEATURE_IAM | 31 |

Security & Compliance

| | FEATURE_INSTANCE_SSL_CONNECTION | 32 |

| | FEATURE_INSTANCE_CONNECTION_OVER_SSH_TUNNEL | 33 |

| | FEATURE_INSTANCE_CONNECTION_IAM_AUTHENTICATION | 34 |

| | FEATURE_GOOGLE_AND_GITHUB_SSO | 35 |

| | FEATURE_USER_GROUPS | 36 |

| | FEATURE_DISALLOW_SELF_SERVICE_SIGNUP | 37 |

| | FEATURE_CUSTOM_INSTANCE_SYNC_TIME | 38 |

| | FEATURE_CUSTOM_INSTANCE_CONNECTION_LIMIT | 39 |

| | FEATURE_RISK_ASSESSMENT | 40 |

| | FEATURE_APPROVAL_WORKFLOW | 41 |

| | FEATURE_AUDIT_LOG | 42 |

| | FEATURE_ENTERPRISE_SSO | 43 |

| | FEATURE_TWO_FA | 44 |

| | FEATURE_PASSWORD_RESTRICTIONS | 45 |

| | FEATURE_DISALLOW_PASSWORD_SIGNIN | 46 |

| | FEATURE_CUSTOM_ROLES | 47 |

| | FEATURE_REQUEST_ROLE_WORKFLOW | 48 |

| | FEATURE_JIT | 49 |

| | FEATURE_DATA_MASKING | 50 |

| | FEATURE_DATA_CLASSIFICATION | 51 |

| | FEATURE_SCIM | 52 |

| | FEATURE_DIRECTORY_SYNC | 53 |

| | FEATURE_TOKEN_DURATION_CONTROL | 54 |

| | FEATURE_EXTERNAL_SECRET_MANAGER | 55 |

| | FEATURE_USER_EMAIL_DOMAIN_RESTRICTION | 56 |

| | FEATURE_PROJECT_MANAGEMENT | 57 |

Administration & Support

| | FEATURE_ENVIRONMENT_MANAGEMENT | 58 |

| | FEATURE_IM_NOTIFICATIONS | 59 |

| | FEATURE_TERRAFORM_PROVIDER | 60 |

| | FEATURE_DATABASE_GROUPS | 61 |

| | FEATURE_ENVIRONMENT_TIERS | 62 |

| | FEATURE_DASHBOARD_ANNOUNCEMENT | 63 |

| | FEATURE_API_INTEGRATION_GUIDANCE | 64 |

| | FEATURE_CUSTOM_LOGO | 65 |

| | FEATURE_WATERMARK | 66 |

| | FEATURE_ROADMAP_PRIORITIZATION | 67 |

| | FEATURE_CUSTOM_MSA | 68 |

| | FEATURE_COMMUNITY_SUPPORT | 69 |

| | FEATURE_EMAIL_SUPPORT | 70 |

| | FEATURE_DEDICATED_SUPPORT_WITH_SLA | 71 |

PlanType

Unspecified plan type.

| | FREE | 1 |

Free plan with basic features and no cost.

| | TEAM | 2 |

Team plan with collaboration features for small to medium teams.

| | ENTERPRISE | 3 |

Enterprise plan with advanced features and dedicated support.

PurchaseDiscount.Type

| | PERCENTAGE_OFF | 1 |

| | FIXED_MONTH_OFF | 2 |

| | FIXED_PRICE_OFF | 3 |

PurchasePlanAdditional.Type

| | USER | 1 |

SubscriptionService

SubscriptionService manages enterprise subscriptions and licensing.

GetSubscription returns the current subscription. If there is no license, we will return a free plan subscription without expiration time. If there is expired license, we will return a free plan subscription with the expiration time of the expired license.

Uploads an enterprise license (self-hosted only).

CreatePurchase creates a new subscription purchase (SaaS only). Returns a Stripe Checkout URL for the user to complete payment.

UpdatePurchase updates an existing subscription (SaaS only). May return a Stripe Checkout URL if payment method change is needed.

CancelPurchase cancels an active subscription (SaaS only).

GetPaymentInfo returns payment details for the current subscription (SaaS only).

VerifyCheckoutSession verifies a Stripe Checkout Session status (SaaS only).

ListPurchasePlans returns available plans for self-service purchase.

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetSubscription | GET | /v1/subscription | | | UploadLicense | PATCH | /v1/subscription/license | * | | CreatePurchase | POST | /v1/subscription:purchase | * | | UpdatePurchase | POST | /v1/subscription:updatePurchase | * | | CancelPurchase | POST | /v1/subscription:cancelPurchase | * | | GetPaymentInfo | GET | /v1/subscription/paymentInfo | | | VerifyCheckoutSession | GET | /v1/subscription/checkoutSession/{session_id} | | | ListPurchasePlans | GET | /v1/subscription/plans | |

v1/workload_identity_service.proto

Top

CreateWorkloadIdentityRequest

Request message for creating a workload identity.

The parent resource where this workload identity will be created. Format: projects/{project} for project-level, workspaces/{id} for workspace-level.

The ID to use for the workload identity, which will become the final component of the workload identity's email in the format: {workload_identity_id}@workload.bytebase.com or {workload_identity_id}@{project-id}.workload.bytebase.com

The workload identity to create.

DeleteWorkloadIdentityRequest

Request message for deleting a workload identity.

The name of the workload identity to delete. Format: workloadIdentities/{email}

GetWorkloadIdentityRequest

Request message for getting a workload identity.

The name of the workload identity to retrieve. Format: workloadIdentities/{email}

ListWorkloadIdentitiesRequest

Request message for listing workload identities.

The parent resource. Format: projects/{project} for project-level, workspaces/{id} for workspace-level.

| | page_size | int32 | |

The maximum number of workload identities to return. The service may return fewer than this value. If unspecified, at most 10 workload identities will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

A page token, received from a previous ListWorkloadIdentities call. Provide this to retrieve the subsequent page. When paginating, all other parameters provided to ListWorkloadIdentities must match the call that provided the page token.

Show deleted workload identities if specified.

Filter is used to filter workload identities returned in the list. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filter: - name: the workload identity name, support "==" and ".contains()" operator. - email: the workload identity email, support "==" and ".contains()" operator. - state: check State enum for values, support "==" operator. For example: name == "ed" name.contains("ed") state == "DELETED" email == "[email protected]" email.contains("ed")

ListWorkloadIdentitiesResponse

Response message for listing workload identities.

The workload identities from the specified request.

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

UndeleteWorkloadIdentityRequest

Request message for restoring a deleted workload identity.

The name of the deleted workload identity. Format: workloadIdentities/{email}

UpdateWorkloadIdentityRequest

Request message for updating a workload identity.

The workload identity to update. The workload identity's name field is used to identify the workload identity to update. Format: workloadIdentities/{email}

The list of fields to update. Supported fields: title, workload_identity_config

WorkloadIdentity

WorkloadIdentity represents an external CI/CD workload identity.

The name of the workload identity. Format: workloadIdentities/{email}

The state of the workload identity.

The email of the workload identity. For workspace-level: {name}@workload.bytebase.com For project-level: {name}@{project-id}.workload.bytebase.com

The display title of the workload identity.

The timestamp when the workload identity was created.

The workload identity configuration for OIDC token validation.

WorkloadIdentityConfig

WorkloadIdentityConfig for API layer

Platform type (currently only GITHUB is supported)

OIDC Issuer URL (auto-filled based on provider_type, can be overridden)

Allowed audiences for token validation

Subject pattern to match (e.g., "repo:owner/repo:ref:refs/heads/main")

WorkloadIdentityConfig.ProviderType

ProviderType identifies the CI/CD platform.

| | GITHUB | 1 |

| | GITLAB | 2 |

WorkloadIdentityService

WorkloadIdentityService manages workload identities for external CI/CD integrations.

Creates a new workload identity. For workspace-level: parent is workspaces/{id}, permission bb.workloadIdentities.create on workspace. For project-level: parent is projects/{project}, permission bb.workloadIdentities.create on project.

Gets a workload identity by name. Permissions required: bb.workloadIdentities.get

Lists workload identities. For workspace-level: parent is workspaces/{id}, permission bb.workloadIdentities.list on workspace. For project-level: parent is projects/{project}, permission bb.workloadIdentities.list on project.

Updates a workload identity. Permissions required: bb.workloadIdentities.update

Deletes a workload identity. Permissions required: bb.workloadIdentities.delete

Restores a deleted workload identity. Permissions required: bb.workloadIdentities.undelete

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | CreateWorkloadIdentity | POST | /v1/{parent=projects/*}/workloadIdentities | workload_identity | | CreateWorkloadIdentity | POST | /v1/{parent=workspaces/*}/workloadIdentities | workload_identity | | GetWorkloadIdentity | GET | /v1/{name=workloadIdentities/*} | | | ListWorkloadIdentities | GET | /v1/{parent=projects/*}/workloadIdentities | | | ListWorkloadIdentities | GET | /v1/{parent=workspaces/*}/workloadIdentities | | | UpdateWorkloadIdentity | PATCH | /v1/{workload_identity.name=workloadIdentities/*} | workload_identity | | DeleteWorkloadIdentity | DELETE | /v1/{name=workloadIdentities/*} | | | UndeleteWorkloadIdentity | POST | /v1/{name=workloadIdentities/*}:undelete | * |

v1/worksheet_service.proto

Top

BatchUpdateWorksheetOrganizerRequest

BatchUpdateWorksheetOrganizerResponse

CreateWorksheetRequest

The parent resource where this worksheet will be created. Format: projects/{project}

The worksheet to create.

DeleteWorksheetRequest

The name of the worksheet to delete. Format: projects/{project}/worksheets/{worksheet}

GetWorksheetRequest

The name of the worksheet to retrieve. Format: projects/{project}/worksheets/{worksheet}

SearchWorksheetsRequest

The parent resource of the worksheets. Format: projects/{project}

To filter the search result. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec Supported filter: - creator: the worksheet creator in "users/{email}" format, support "==" and "!=" operator. - starred: should be "true" or "false", filter starred/unstarred sheets, support "==" operator. - visibility: check Visibility enum in the Worksheet message for values, support "==" and "in [xx]" operator. For example: creator == "users/{email}" creator != "users/{email}" starred == true starred == false visibility in ["PRIVATE", "PROJECT_READ", "PROJECT_WRITE"] visibility == "PRIVATE"

SearchWorksheetsResponse

The worksheets that matched the search criteria.

UpdateWorksheetOrganizerRequest

The organizer to update. The organizer's worksheet field is used to identify the worksheet. Format: projects/{project}/worksheets/{worksheet}

The list of fields to be updated. Fields are specified relative to the worksheet organizer. Only support update the following fields for now: - starred

If set to true, and the worksheet organizer is not found, a new worksheet organizer will be created. In this situation, update_mask is ignored.

UpdateWorksheetRequest

The worksheet to update. The worksheet's name field is used to identify the worksheet to update. Format: projects/{project}/worksheets/{worksheet}

The list of fields to be updated. Fields are specified relative to the worksheet. (e.g., title, statement; *not* worksheet.title or worksheet.statement) Only support update the following fields for now: - title - statement - starred - visibility

Worksheet

The name of the worksheet resource, generated by the server. Canonical parent is project. Format: projects/{project}/worksheets/{worksheet}

The project resource name. Format: projects/{project}

The database resource name. Format: instances/{instance}/databases/{database} If the database parent doesn't exist, the database field is empty.

The title of the worksheet.

The creator of the Worksheet. Format: users/{email}

The create time of the worksheet.

The last update time of the worksheet.

The content of the worksheet. By default, it will be cut off in SearchWorksheet() method. If it doesn't match the content_size, you can use GetWorksheet() request to retrieve the full content.

| | content_size | int64 | |

content_size is the full size of the content, may not match the size of the content field.

starred indicates whether the worksheet is starred by the current authenticated user.

WorksheetOrganizer

The name of the worksheet. Format: projects/{project}/worksheets/{worksheet}

starred means if the worksheet is starred.

Worksheet.Visibility

| | PROJECT_READ | 1 |

Read access in project scope, worksheet OWNER/DBA and project OWNER can read/write, other project members can read.

| | PROJECT_WRITE | 2 |

Write access in project scope, worksheet OWNER/DBA and all members in the project can write the worksheet.

| | PRIVATE | 3 |

Private, only worksheet OWNER can read/write.

WorksheetService

WorksheetService manages SQL worksheets for query development.

Creates a personal worksheet used in SQL Editor. Any authenticated user can create their own worksheets. Permissions required: None (authenticated users only)

Get a worksheet by name. The users can access this method if, - they are the creator of the worksheet; - they have bb.worksheets.get permission on the workspace; - the sheet is shared with them with PROJECT_READ and PROJECT_WRITE visibility, and they have bb.projects.get permission on the project. Permissions required: bb.worksheets.get (or creator, or project member for shared worksheets)

Search for worksheets. This is used for finding my worksheets or worksheets shared by other people. The sheet accessibility is the same as GetWorksheet(). Permissions required: bb.worksheets.get (or creator, or project member for shared worksheets)

Update a worksheet. The users can access this method if, - they are the creator of the worksheet; - they have bb.worksheets.manage permission on the workspace; - the sheet is shared with them with PROJECT_WRITE visibility, and they have bb.projects.get permission on the project. Permissions required: bb.worksheets.manage (or creator, or project member for PROJECT_WRITE worksheets)

Update the organizer of a worksheet. The access is the same as UpdateWorksheet method. Permissions required: bb.worksheets.get (or creator, or project member for shared worksheets)

Batch update the organizers of worksheets. The access is the same as UpdateWorksheet method. Permissions required: bb.worksheets.get (or creator, or project member for shared worksheets)

Delete a worksheet. The access is the same as UpdateWorksheet method. Permissions required: bb.worksheets.manage (or creator, or project member for PROJECT_WRITE worksheets)

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | CreateWorksheet | POST | /v1/{parent=projects/*}/worksheets | worksheet | | GetWorksheet | GET | /v1/{name=projects/*/worksheets/*} | | | SearchWorksheets | POST | /v1/{parent=projects/*}/worksheets:search | * | | UpdateWorksheet | PATCH | /v1/{worksheet.name=projects/*/worksheets/*} | worksheet | | UpdateWorksheetOrganizer | PATCH | /v1/{organizer.worksheet=projects/*/worksheets/*}/organizer | organizer | | BatchUpdateWorksheetOrganizer | PATCH | /v1/worksheets/organizer:batchUpdate | * | | DeleteWorksheet | DELETE | /v1/{name=projects/*/worksheets/*} | |

v1/workspace_service.proto

Top

GetWorkspaceRequest

The workspace name, format: workspaces/{workspace}. Use "workspaces/-" to get the current/default workspace.

ListWorkspacesRequest

ListWorkspacesResponse

UpdateWorkspaceRequest

Workspace

Format: workspaces/{workspace}

The branding logo.

WorkspaceService

WorkspaceService manages workspace-level operations and profile.

Gets a workspace by name. Supports "workspaces/-" to resolve the current workspace: - Authenticated: uses the workspace from JWT context - Self-hosted unauthenticated: returns the single workspace - SaaS unauthenticated: returns minimal response

Lists all workspaces the current user is a member of.

Updates a workspace. Currently only title can be updated.

Retrieves IAM policy for the workspace. Permissions required: bb.workspaces.getIamPolicy

Sets IAM policy for the workspace. Permissions required: bb.workspaces.setIamPolicy

Methods with HTTP bindings

| Method Name | Method | Pattern | Body | | GetWorkspace | GET | /v1/{name=workspaces/*} | | | ListWorkspaces | GET | /v1/workspaces | | | UpdateWorkspace | PATCH | /v1/{workspace.name=workspaces/*} | * | | GetIamPolicy | GET | /v1/{resource=workspaces/*}:getIamPolicy | | | SetIamPolicy | POST | /v1/{resource=workspaces/*}:setIamPolicy | * |

Scalar Value Types

Protocol Documentation

Protocol Documentation

Table of Contents

v1/annotation.proto

AuthMethod

File-level Extensions

v1/access_grant_service.proto

AccessGrant

ActivateAccessGrantRequest

CreateAccessGrantRequest

GetAccessGrantRequest

ListAccessGrantsRequest

ListAccessGrantsResponse

RevokeAccessGrantRequest

SearchMyAccessGrantsRequest

SearchMyAccessGrantsResponse

AccessGrant.Status

AccessGrantService

Methods with HTTP bindings

v1/common.proto

PermissionDeniedDetail

Position

Range

Engine

ExportFormat

RiskLevel

State

StatementType

VCSType

WebhookType

v1/issue_service.proto

ApprovalFlow

ApprovalTemplate

ApproveIssueRequest

BatchUpdateIssuesStatusRequest

BatchUpdateIssuesStatusResponse

CreateIssueCommentRequest

CreateIssueRequest

GetIssueRequest

Issue

Issue.Approver

IssueComment

IssueComment.Approval

IssueComment.IssueUpdate

IssueComment.PlanSpecUpdate

ListIssueCommentsRequest

ListIssueCommentsResponse

ListIssuesRequest

ListIssuesResponse

RejectIssueRequest

RequestIssueRequest

RoleGrant

SearchIssuesRequest

SearchIssuesResponse

UpdateIssueCommentRequest

UpdateIssueRequest

Issue.ApprovalStatus

Issue.Approver.Status

Issue.Type

IssueComment.Approval.Status

IssueStatus

IssueService

Methods with HTTP bindings

v1/setting_service.proto

AISetting

Algorithm

Algorithm.FullMask

Algorithm.InnerOuterMask

Algorithm.MD5Mask

Algorithm.RangeMask

Algorithm.RangeMask.Slice

Announcement

AppIMSetting

AppIMSetting.DingTalk

AppIMSetting.Feishu

AppIMSetting.IMSetting

AppIMSetting.Lark

AppIMSetting.Slack

AppIMSetting.Teams

AppIMSetting.Wecom