Important
Under active development. Not production-ready.
InferaDB Control is the administration plane for InferaDB. It manages organizations, users, vaults, clients, and token issuance. Control authenticates operators via passwordless email codes, passkeys (WebAuthn), and TOTP, enforces RBAC across tenants, and issues vault-scoped JWTs consumed by the InferaDB Engine. Data is persisted to InferaDB Ledger for cryptographic auditability.
- Authentication — Passwordless email codes, passkeys (WebAuthn), TOTP, recovery codes
- Multi-Tenancy — Organization-based isolation with role hierarchy and team management
- Vault Management — Create and manage vaults with schema versioning
- Client Auth — Ed25519 certificate lifecycle, RFC 7523 JWT client assertions
- Token Issuance — Vault-scoped JWTs with refresh token rotation for Engine API
```bash
git clone https://github.com/inferadb/control && cd control
mise trust && mise install
cargo run --bin inferadb-control -- --dev-mode
```

Dev mode uses in-memory storage and auto-generates an Ed25519 identity. The REST API is available at http://localhost:9090.
Production:

```bash
inferadb-control \
  --listen 0.0.0.0:9090 \
  --storage ledger \
  --ledger-endpoint http://ledger:50051 \
  --ledger-client-id ctrl-prod-01 \
  --key-file /data/master.key \
  --log-format json
```

| CLI | Purpose | Default |
|---|---|---|
| `--listen` | HTTP bind address | `127.0.0.1:9090` |
| `--storage` | Storage backend: `memory` or `ledger` | `ledger` |
| `--dev-mode` | Force in-memory storage (CLI only) | |
| `--key-file` | Path to AES-256-GCM master key | `./data/master.key` |
| `--pem` | Ed25519 private key (PEM string) | |
| `--ledger-endpoint` | Ledger gRPC endpoint URL | |
| `--ledger-client-id` | Unique client ID for idempotency tracking | |
| `--log-level` | Tracing filter (`info`, `debug`, etc.) | `info` |
| `--log-format` | `auto`, `json`, `text` | `auto` |
| `--frontend-url` | Base URL for CORS and email links | `http://localhost:3000` |
| `--webauthn-rp-id` | WebAuthn Relying Party domain | `localhost` |
| `--webauthn-origin` | WebAuthn Relying Party origin URL | `http://localhost:3000` |
| `--worker-id` | Snowflake ID worker (0–1023, unique/node) | |
| `--trusted-proxy-depth` | Trusted proxy count for X-Forwarded-For | |
| `--email-blinding-key` | HMAC-SHA256 key (64-char hex) | |
| `--email-host` | SMTP host (empty = email disabled) | `""` |
See Configuration Reference for environment variables, email/SMTP setup, and all options.
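The `--trusted-proxy-depth` value decides which X-Forwarded-For entry is believed, so it has to match the number of reverse proxies actually deployed. The following is an added example, not code from InferaDB Control: it assumes the common depth-based rule (with N trusted proxies the client address is the Nth entry from the right, and with 0 the header is ignored), and `resolve_client_ip` is a hypothetical name.

```rust
use std::net::{IpAddr, SocketAddr};

/// Pick the client address given the TCP peer, the X-Forwarded-For header
/// values, and the number of reverse proxies you operate (`trusted_depth`).
/// Hypothetical helper; the rule is general practice, assumed, not Control's source.
pub fn resolve_client_ip(peer: SocketAddr, xff: &[&str], trusted_depth: usize) -> IpAddr {
    // Depth 0: nothing in front of the service is trusted, so the header
    // is client-controlled input and is ignored.
    if trusted_depth == 0 {
        return peer.ip();
    }
    // Repeated header lines are equivalent to one comma-joined list.
    let hops: Vec<&str> = xff
        .iter()
        .copied()
        .flat_map(|h| h.split(','))
        .map(str::trim)
        .filter(|s| !s.is_empty())
        .collect();
    // Each trusted proxy appends the address it received the request from,
    // so only the last `trusted_depth` entries were written by your proxies.
    if hops.len() < trusted_depth {
        return peer.ip(); // shorter chain than expected: fall back to the peer
    }
    hops[hops.len() - trusted_depth]
        .parse()
        .unwrap_or_else(|_| peer.ip()) // unparsable entry: fall back to the peer
}

fn main() {
    // Constructed sample: the client at 203.0.113.7 sends a forged
    // "X-Forwarded-For: 198.51.100.99"; one proxy (10.0.0.5) appends the real address.
    let peer: SocketAddr = "10.0.0.5:44312".parse().unwrap();
    let xff = ["198.51.100.99, 203.0.113.7"];
    for depth in 0..=2 {
        println!("depth {depth}: {}", resolve_client_ip(peer, &xff, depth));
    }
    // depth 0 -> proxy address, depth 1 -> real client, depth 2 -> forged entry
}
```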
```bash
mise trust && mise install
just build  # Build workspace
just test   # Run tests
just lint   # Run clippy
just fmt    # Format code
just ci     # All checks
```

- Getting Started — First steps with Control
- Configuration Reference — CLI flags, environment variables, email setup
- Authentication — Auth flows and session management
- Architecture — Crate structure and design decisions
- Deployment — Docker, Kubernetes, and Helm
- API Overview — Complete endpoint reference
- OpenAPI Spec — OpenAPI specification
Join us on Discord for questions and discussions.
Dual-licensed under MIT or Apache 2.0.
