> passwords & credentials

Branch passwords are how apps authenticate to Vitess (MySQL) databases: named, role-scoped credentials minted per branch, shown once, and revocable at any time. Create one per app or environment, scope it to reader/writer/admin, give it a TTL if it's temporary, and rotate by creating a new one before deleting the old.

// passwords & credentials

6 commands

// faq

I lost the password right after creating it — can I see it again?

No. The plaintext password is displayed exactly once at creation and never again — pscale password list shows only names, roles, and IDs. Create a new password and delete the lost one; that's also the standard rotation procedure.

What roles can a branch password have?

reader, writer, readwriter, or admin. Follow least privilege: analytics dashboards get reader, the app gets readwriter, and only migration tooling gets admin. Add --replica to a reader password to route its reads to replicas and read-only regions instead of the primary.

Do these commands work on my Postgres database?

No — branch passwords are Vitess-only. Postgres branches use real database roles instead: `pscale role create` with inherited privileges like pg_read_all_data. Same idea (named, revocable, TTL-able credentials), different command family.