> passwords & credentials
Branch passwords are how apps authenticate to Vitess (MySQL) databases: named, role-scoped credentials minted per branch, shown once, and revocable at any time. Create one per app or environment, scope it to reader/writer/admin, give it a TTL if it's temporary, and rotate by creating a new one before deleting the old.
// passwords & credentials
6 commands$ pscale password create mydb main my-app-prod$ pscale password create mydb main metabase-ro --role reader$ pscale password create mydb main debug-session --ttl 2h$ pscale password list mydb main$ pscale password delete mydb main <password-id>$ pscale password renew mydb main <password-id>// faq
I lost the password right after creating it — can I see it again?
No. The plaintext password is displayed exactly once at creation and never again — pscale password list shows only names, roles, and IDs. Create a new password and delete the lost one; that's also the standard rotation procedure.
What roles can a branch password have?
reader, writer, readwriter, or admin. Follow least privilege: analytics dashboards get reader, the app gets readwriter, and only migration tooling gets admin. Add --replica to a reader password to route its reads to replicas and read-only regions instead of the primary.
Do these commands work on my Postgres database?
No — branch passwords are Vitess-only. Postgres branches use real database roles instead: `pscale role create` with inherited privileges like pg_read_all_data. Same idea (named, revocable, TTL-able credentials), different command family.