Skip to main content

DB Proxy Routes

DB proxy routes are wire-protocol tunnels that let agents connect to a migrated database through KnoxCall using a localhost:<port> listener. They can be created for any migration the reviewer owns — the committed_secret_id must reference an existing tenant secret, but no particular migration status is required. Routes are removed only via DELETE /admin/migrations/:id/db-proxy-routes/:routeId; cancelling the migration does not delete them. The write endpoints (POST and DELETE) require migration_reviewer permission + 5-minute step-up. The GET (list) endpoint requires only tenant access to the migration — no migration_reviewer role or step-up.

POST /admin/migrations/:id/db-proxy-routes

Create a new wire-protocol proxy route for a migration. Auth: migration_reviewer + 5-minute step-up

Request body

Returns 409 if local_port is already in use for the same agent.

Response

Status 201 Created.

GET /admin/migrations/:id/db-proxy-routes

List all proxy routes for a migration. Auth: tenant access to the migration (no migration_reviewer role or step-up required)

Response


DELETE /admin/migrations/:id/db-proxy-routes/:routeId

Remove a proxy route. The agent tunnel is torn down immediately. Auth: migration_reviewer + 5-minute step-up

Response

Returns 404 if the route is not found for this migration and tenant.