chore(docs): restructure security docs and enhance API Keys documentation

TizianoT · TizianoT · commit f5073e913894 · 2025-12-04T10:13:40.000+01:00
Separated Users and Roles &amp; Privileges into dedicated pages for better organization. Completely rewrote API Keys documentation with detailed instructions for creating, managing, and using API keys. Cleaned up navigation structure and removed duplicate content.
diff --git a/sqlite-cloud/_nav.ts b/sqlite-cloud/_nav.ts
@@ -287,7 +287,8 @@ const sidebarNav: SidebarNavStruct = [
   { title: "Webhooks", filePath: "webhooks", type: "inner", level: 0 },
   { title: "Pub/Sub", filePath: "pub-sub", type: "inner", level: 0 },
   //{ title: "Vector", filePath: "vector", type: "inner", level: 0 },
-  { title: "Users and Roles", filePath: "security", type: "inner", level: 0 },
+  { title: "Users", filePath: "users", type: "inner", level: 0 },
+  { title: "Roles & Privileges", filePath: "roles", type: "inner", level: 0 },
   { title: "API Keys", filePath: "apikey", type: "inner", level: 0 },
   { title: "Row-Level Security", filePath: "rls", type: "inner", level: 0 },
   { title: "OffSync", filePath: "offsync", type: "inner", level: 0 },
diff --git a/sqlite-cloud/platform/apikey.mdx b/sqlite-cloud/platform/apikey.mdx
@@ -1,20 +1,75 @@
 ---
 title: Security and Access Control
-description: SQLite Cloud provides secure access to resources through role-based authorization, which ensures user isolation and enhances security and manageability.
+description: Manage API Keys for secure application access, server-to-server communication, and SDK integration.
 category: platform
 status: publish
 slug: apikey
 ---
 
-## API KEYs 
 
 API KEYs can be used as an alternative authentication mechanism.
 Authentication through API keys ensures the same privileges as the user to which they are associated.
 API KEYs are recommended for all server-to-server authentication cases and are necessary for using the REST APIs and the SDKs that uses the WebSocket APIs.
 
-To create an API key for a user, click on the **Create API KEY** button.
+You can manage all keys in your cluster via the SQLite Cloud Dashboard under the **API Keys** section.
 
-![Dashboard Create APIKEY](@docs-website-assets/introduction/dashboard_create_apikey.png)
+---
+
+## Creating an API Key
+
+You can create an API Key and immediately assign it to any existing user in your cluster.
+
+1. Navigate to the **API Keys** section in the left sidebar.
+2. Click the **Create API Key** button.
+3. **API Key Name:** Enter a descriptive name to identify the key (e.g., `MobileApp_Prod`, `Backend_Worker`).
+4. **User:** Select the user this key will impersonate from the dropdown list.
+5. **Expiration:**
+    *   Select **Never expires** for long-running services.
+    *   Select **Set expiration date** to enforce a rotation policy or for temporary access tokens.
+6. Click **Create**.
+
+[VIDEO: create_apikey_global.mp4]
+{/* <!-- Video showing the global creation flow: entering a name, selecting a user from the dropdown, picking a date, and creating --> */}
+
+---
+
+## Managing API Keys
+
+The API Keys list provides a centralized view of all active keys, their associated users, and expiration status.
+
+### Regenerating a Key
+If a key is lost, forgotten, or you suspect it has been compromised (leaked), you should regenerate it immediately.
+
+1. Find the key in the list.
+2. Click the context menu (three dots) on the right.
+3. Select **Regenerate**.
+4. Confirm the action in the modal window.
+
+**Warning:** Regenerating a key invalidates the old key string immediately. You must update any applications or scripts using the old key with the new value to restore connectivity.
+
+[VIDEO: regenerate_apikey.mp4]
+{/* <!-- Video showing the regenerate flow and the confirmation modal --> */}
+
+### Editing and Deleting
+*   **Edit:** Allows you to rename the key or change its expiration settings without changing the key string itself.
+*   **Delete:** Permanently revokes the key. Applications using this key will no longer be able to connect.
+
+[VIDEO: delete_apikey.mp4]
+{/* <!-- Video showing the delete action --> */}
+
+---
+
+## Using API Keys
+
+Once generated, the API Key is typically used in the connection string of your SQLite Cloud client or SDK.
+
+The standard format for a connection string using an API Key is:
+```
+sqlitecloud://<host>:<port>?apikey=<your-api-key>
+```
+
+When using the REST API directly, the key should be passed in the Authorization header:
 
-The resulting table will display all the API keys associated with each user, along with their name.
-![Dashboard List APIKEY](@docs-website-assets/introduction/dashboard_list_apikey.png)
+```http
+Authorization: Bearer <your-api-key>
+```
diff --git a/sqlite-cloud/platform/pub-sub.mdx b/sqlite-cloud/platform/pub-sub.mdx
@@ -6,7 +6,6 @@ status: publish
 slug: pub-sub
 ---
 
-# SQLiteCloud Pub/Sub System
 
 **Publish/Subscribe (Pub/Sub)** is a messaging pattern that enables asynchronous communication between multiple applications. In the context of **SQLiteCloud**, Pub/Sub provides a robust way to deliver real-time updates or custom messages to subscribed clients when data changes or explicit notifications are issued.
 
diff --git a/sqlite-cloud/platform/roles.mdx b/sqlite-cloud/platform/roles.mdx
@@ -0,0 +1,149 @@
+---
+title: Roles & Privileges
+description: Understand the role-based access control system, built-in roles, and how to define custom access policies.
+category: platform
+status: publish
+slug: roles
+---
+import VideoPlayer from '@commons-components/Video/VideoPlayer.astro';
+import createRole from '@docs-website-assets/introduction/video/roles-privileges/roles_create_custom_role.mp4';
+import manageRole from '@docs-website-assets/introduction/video/roles-privileges/roles_manage_roles.mp4';
+
+import Callout from "@commons-components/Information/Callout.astro";
+
+
+
+In SQLite Cloud, a **Role** is a named collection of permissions (privileges) that allows specific actions on resources like databases, tables. Users can have multiple roles, which determine their access to the system.
+
+Roles are the bridge between Users and Resources:
+*   **Users** authenticate into the system.
+*   **Roles** define what those users are allowed to do.
+*   **Resources** (Databases, Tables) are the objects being accessed.
+
+You can manage role definitions via the SQLite Cloud Dashboard under the **Roles** section.
+
+---
+
+## Built-in Roles
+
+SQLite Cloud comes with a set of pre-defined roles designed to cover the most common use cases. These roles are available immediately and cannot be modified, but they can be scoped to specific databases or tables when assigned to a user.
+
+### General Access Roles
+*   **ADMIN:** This role possesses the highest level of privileges, with unrestricted access to all assigned permissions.
+*   **READ:** Grants read-only access to a specified database or table.
+*   **READWRITE:** Offers both read and write functionality for a specified database or table.
+*   **DBADMIN:** Allows for administrative tasks like indexing and statistics gathering but doesn't manage users or roles.
+
+### Any Database Roles
+These roles implicitly apply to the entire cluster (`*`) and do not require specific scoping during assignment.
+*   **READANYDATABASE:** Provides read-only access to any database and table.
+*   **READWRITEANYDATABASE:** Grants read and write capabilities across any database and table.
+*   **DBADMINANYDATABASE:** Provides administrative functions for any database.
+
+### Pub/Sub Roles
+*   **SUB:** Grants the subscribe privilege to a specified database, table, or channel.
+*   **PUB:** Offers the publish privilege to a specified database, table, or channel.
+*   **PUBSUB:** Combines subscribe and publish privileges for a specified database, table, or channel.
+*   **PUBSUBADMIN:** Allows the creation and removal of channel privileges for a specified database or channel.
+*   **SUBANYCHANNEL**: Provides the subscribe privilege for any channel or table.
+*   **PUBANYCHANNEL**: Grants the publish privilege for any channel or table.
+*   **PUBSUBANYCHANNEL**: Combines subscribe and publish privileges for any channel or table.
+*   **PUBSUBADMINANYCHANNEL**: Permits the creation and removal of channel privileges for any channel.
+
+### Cluster Management Roles
+*   **USERADMIN:** Enables the creation and modification of roles and users.
+*   **CLUSTERADMIN:** Empowers users to manage and monitor the cluster.
+*   **CLUSTERMONITOR:** Offers read-only access to cluster monitoring commands.
+*   **HOSTADMIN:** Allows monitoring and management of individual nodes.
+
+<Callout type="note" title="Restrictions">
+To further refine the scope of a role or privilege, you can specify a database and table name during the [CREATE ROLE](/docs/role-commands), [GRANT ROLE](/docs/role-commands), <a href="https://docs.sqlitecloud.io/docs/privilege-commands" target="_blank">GRANT PRIVILEGE</a> and <a href="https://docs.sqlitecloud.io/docs/privilege-commands" target="_blank">SET PRIVILEGE</a> commands, as well as during the <a href="https://docs.sqlitecloud.io/docs/user-commands" target="_blank">CREATE USER</a> command. If `NULL` is used, it means that the role or privilege is not assigned and cannot function without specifying a database and table name combination. To extend the validity to any database and table, you can utilize the special `*` character.
+</Callout>
+
+Below is the technical definition of all built-in roles and their mapped privileges:
+
+```bash
+>> LIST ROLES
+-----------------------|---------|----------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------|
+ rolename              | builtin | privileges                                                                                                                             | databasename | tablename |
+-----------------------|---------|----------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------|
+ ADMIN                 | 1       | READ,INSERT,UPDATE,DELETE,READWRITE,PRAGMA,CREATE_TABLE,CREATE_INDEX,CREATE_VIEW,                                                      |              |           |
+                       |         | CREATE_TRIGGER,DROP_TABLE,DROP_INDEX,DROP_VIEW,DROP_TRIGGER,ALTER_TABLE,ANALYZE,														  |              |           |
+                       |         | ATTACH,DETACH,DBADMIN,SUB,PUB,PUBSUB,BACKUP,RESTORE,DOWNLOAD,PLUGIN,SETTINGS,USERADMIN,												  |              |           |
+                       |         | CLUSTERADMIN,CLUSTERMONITOR,CREATE_DATABASE,DROP_DATABASE,HOSTADMIN,SWITCH_USER,PUBSUBCREATE,PUBSUBADMIN,WEBLITE,ADMIN 				  | NULL         | NULL      |
+ READ                  | 1       | READ                                                                                                                                   | NULL         | NULL      |
+ READANYDATABASE       | 1       | READ                                                                                                                                   | *            | *         |
+ READWRITE             | 1       | READ,INSERT,UPDATE,DELETE,READWRITE                                                                                                    | NULL         | NULL      |
+ READWRITEANYDATABASE  | 1       | READ,INSERT,UPDATE,DELETE,READWRITE                                                                                                    | *            | *         |
+ DBADMIN               | 1       | READ,INSERT,UPDATE,DELETE,READWRITE,PRAGMA,CREATE_TABLE,CREATE_INDEX,CREATE_VIEW,                                                      |              |           |
+                       |         | CREATE_TRIGGER,DROP_TABLE,DROP_INDEX,DROP_VIEW,DROP_TRIGGER,ALTER_TABLE,ANALYZE,ATTACH,DETACH,DBADMIN                                  | NULL         | NULL      |
+ DBADMINANYDATABASE    | 1       | READ,INSERT,UPDATE,DELETE,READWRITE,PRAGMA,CREATE_TABLE,CREATE_INDEX,CREATE_VIEW,													  |              |           |
+                       |         | CREATE_TRIGGER,DROP_TABLE,DROP_INDEX,DROP_VIEW,DROP_TRIGGER,ALTER_TABLE,ANALYZE,ATTACH,DETACH,DBADMIN                                  | *            | *         |
+ USERADMIN             | 1       | USERADMIN                                                                                                                              | *            | *         |
+ CLUSTERADMIN          | 1       | CLUSTERADMIN                                                                                                                           | *            | *         |
+ CLUSTERMONITOR        | 1       | CLUSTERMONITOR                                                                                                                         | *            | *         |
+ HOSTADMIN             | 1       | BACKUP,RESTORE,DOWNLOAD,CREATE_DATABASE,DROP_DATABASE,HOSTADMIN                                                                        | *            | *         |
+ SUB                   | 1       | SUB                                                                                                                                    | NULL         | NULL      |
+ SUBANYCHANNEL         | 1       | SUB                                                                                                                                    | *            | *         |
+ PUB                   | 1       | PUB                                                                                                                                    | NULL         | NULL      |
+ PUBANYCHANNEL         | 1       | PUB                                                                                                                                    | *            | *         |
+ PUBSUB                | 1       | SUB,PUB,PUBSUB                                                                                                                         | NULL         | NULL      |
+ PUBSUBANYCHANNEL      | 1       | SUB,PUB,PUBSUB                                                                                                                         | *            | *         |
+ PUBSUBADMIN           | 1       | SUB,PUB,PUBSUB,PUBSUBCREATE,PUBSUBADMIN                                                                                                | NULL         | NULL      |
+ PUBSUBADMINANYCHANNEL | 1       | SUB,PUB,PUBSUB,PUBSUBCREATE,PUBSUBADMIN                                                                                                | *            | *         |
+-----------------------|---------|----------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------|
+```
+
+---
+
+## Custom Roles
+
+If the built-in roles do not fit your specific security model, you can create **User-Defined Roles**. This allows you to mix and match specific privileges.
+
+### Creating a Custom Role
+
+1. Navigate to the **Roles** section in the left sidebar.
+2. Click the **Create Role** button.
+3. **Name:** Enter a unique name for the role (e.g., `AuditLogger`, `HRManager`).
+4. **Privileges:** Select the specific atomic privileges this role should possess (see list below).
+5. Click **Create**.
+
+<VideoPlayer src={createRole} />
+
+### Managing Roles
+
+From the Roles list, you can:
+*   **Inspect:** Click on a role to see exactly which privileges it contains.
+*   **Edit:** Add or remove privileges from a custom role (Built-in roles cannot be edited).
+*   **Delete:** Remove a custom role.
+
+<VideoPlayer src={manageRole} />
+
+---
+
+## Privileges Reference
+
+In a role-based access control system, a **Privilege** represents a specific action or permission that a user or role is allowed to perform within the system.
+It defines what a user can or cannot do, such as reading, writing, or managing certain resources like tables, databases, or settings.
+Essentially, a privilege is a **right** or **ability** granted to a user or role, specifying their level of access and control over the system's resources.
+
+A privilege can be <a href="https://docs.sqlitecloud.io/docs/privilege-commands" target="_blank">granted</a>, <a href="https://docs.sqlitecloud.io/docs/privilege-commands" target="_blank">revoked</a> and <a href="https://docs.sqlitecloud.io/docs/privilege-commands" target="_blank">assigned</a> to a given role.
+A role can contains any combination of privileges.
+
+Below is the complete list of available privileges:
+
+| | | |
+| :--- | :--- | :--- |
+| NONE | READ | INSERT |
+| UPDATE | DELETE | READWRITE |
+| PRAGMA | CREATE_TABLE | CREATE_INDEX |
+| CREATE_VIEW | CREATE_TRIGGER | DROP_TABLE |
+| DROP_INDEX | DROP_VIEW | DROP_TRIGGER |
+| ALTER_TABLE | ANALYZE | ATTACH |
+| DETACH | DBADMIN | SUB |
+| PUB | PUBSUB | BACKUP |
+| RESTORE | DOWNLOAD | PLUGIN |
+| SETTINGS | USERADMIN | CLUSTERADMIN |
+| CLUSTERMONITOR | CREATE_DATABASE | DROP_DATABASE |
+| HOSTADMIN | SWITCH_USER | PUBSUBCREATE |
+| PUBSUBADMIN | WEBLITE | ADMIN |
diff --git a/sqlite-cloud/platform/security.mdx b/sqlite-cloud/platform/security.mdx
@@ -38,24 +38,9 @@ SQLite Cloud offers a comprehensive system of built-in roles designed to provide
 
 Here is an overview of the built-in roles:
 
-- **ADMIN**: This role possesses the highest level of privileges, with unrestricted access to all assigned permissions.
-- **READ**: Grants read-only access to a specified database or table.
-- **READANYDATABASE**: Provides read-only access to any database and table.
-- **READWRITE**: Offers both read and write functionality for a specified database or table.
-- **READWRITEANYDATABASE**: Grants read and write capabilities across any database and table.
-- **DBADMIN**: Allows for administrative tasks like indexing and statistics gathering but doesn't manage users or roles.
-- **DBADMINANYDATABASE**: Provides administrative functions for any database.
-- **USERADMIN**: Enables the creation and modification of roles and users.
-- **CLUSTERADMIN**: Empowers users to manage and monitor the cluster.
-- **CLUSTERMONITOR**: Offers read-only access to cluster monitoring commands.
-- **HOSTADMIN**: Allows monitoring and management of individual nodes.
-- **SUB**: Grants the subscribe privilege to a specified database, table, or channel.
 - **SUBANYCHANNEL**: Provides the subscribe privilege for any channel or table.
-- **PUB**: Offers the publish privilege to a specified database, table, or channel.
 - **PUBANYCHANNEL**: Grants the publish privilege for any channel or table.
-- **PUBSUB**: Combines subscribe and publish privileges for a specified database, table, or channel.
 - **PUBSUBANYCHANNEL**: Combines subscribe and publish privileges for any channel or table.
-- **PUBSUBADMIN**: Allows the creation and removal of channel privileges for a specified database or channel.
 - **PUBSUBADMINANYCHANNEL**: Permits the creation and removal of channel privileges for any channel.
 
 
diff --git a/sqlite-cloud/platform/users.mdx b/sqlite-cloud/platform/users.mdx
