tinySQL HTTP / gRPC Server (server)

July 10, 2026 · View on GitHub

A production-oriented server that exposes a tinySQL database over HTTP (JSON REST API) and gRPC (JSON codec). Supports optional bearer-token authentication, TLS on both transports, request size and timeout limits, trusted-proxy configuration, and peer-to-peer federation for read fan-out across multiple instances.

Build

cd cmd/server
go build -o server .

Quick start

# In-memory, no auth, HTTP only
./server -http :8080 -dsn "mem://?tenant=default"

# File-backed with auth token
./server -http :8080 -dsn "file:/var/lib/tinysql/data.db?tenant=main&autosave=1" \
         -auth "my-secret-token"

# HTTP + gRPC, with peer federation
./server -http :8080 -grpc :9090 \
         -dsn "mem://?tenant=default" \
         -peers "node2:9090,node3:9090"

Flags

Core

FlagDescriptionDefault
-dsnStorage DSNmem://?tenant=default
-httpHTTP listen address:8080
-grpcgRPC listen address (disabled if empty)
-authBearer token for all requests
-tenantDefault tenant namedefault
-peersComma-separated host:grpcPort peers for federation
-vVerbose loggingfalse

TLS

FlagDescription
-tls-min-versionMinimum TLS version (1.2 or 1.3)
-http-tls-cert / -http-tls-keyCertificate/key for HTTP TLS
-grpc-tls-cert / -grpc-tls-keyCertificate/key for gRPC TLS
-peer-tlsEnable TLS when connecting to peers
-peer-tls-caCA certificate for peer TLS
-peer-tls-server-nameOverride server name for peer TLS verification
-peer-tls-skip-verifyDisable peer TLS certificate verification

Limits

FlagDefaultDescription
-max-body-bytes1048576Maximum HTTP request body size
-max-sql-bytes65536Maximum SQL statement size
-grpc-max-recv-bytes4194304gRPC max receive message size
-grpc-max-send-bytes4194304gRPC max send message size

Timeouts

FlagDefaultDescription
-request-timeout30sPer-request execution timeout
-peer-timeout5sTimeout for federated peer calls
-shutdown-timeout10sGraceful shutdown deadline

HTTP hardening

FlagDefaultDescription
-trusted-proxiesComma-separated CIDR ranges of trusted proxies
-http-read-timeout15sHTTP server read timeout
-http-read-header-timeout5sHTTP header read timeout
-http-write-timeout30sHTTP server write timeout
-http-idle-timeout60sHTTP keep-alive idle timeout
-http-max-header-bytes8192Maximum HTTP header size

HTTP API

All request and response bodies are JSON.

POST /api/exec

Execute a DML/DDL statement (no result rows returned).

{ "tenant": "default", "sql": "CREATE TABLE t (id INT, name TEXT)" }

Response: { "rows_affected": 0, "elapsed_ms": 1 }

POST /api/query

Execute a SELECT and return rows.

{ "tenant": "default", "sql": "SELECT * FROM t" }

Optional request-level timeout override:

{ "tenant": "default", "sql": "SELECT * FROM t", "timeout_ms": 5000 }

Response:

{
  "columns": ["id", "name"],
  "rows": [[1, "Alice"]],
  "elapsed_ms": 2
}

GET /api/status

Returns server version, uptime, and tenant list.

GET /api/cluster/status

Returns cluster health information for configured federation peers, including per-peer reachability and response duration.

POST /api/federated/query

Fan-out a read query to all configured peers and merge results. Supports optional timeout_ms and peer_timeout_ms overrides in the request body.

GET /healthz / GET /readyz

Liveness and readiness probes (return 200 OK when healthy).

GET /metrics

Prometheus-compatible metrics endpoint.

Load testing

A built-in load generator lives in loadtest/:

cd cmd/server
go build -o ../../bin/tinysql-loadtest ./loadtest

./bin/tinysql-loadtest \
  -url http://127.0.0.1:8080/api/query \
  -tenant default \
  -sql "SELECT 1" \
  -requests 10000 \
  -concurrency 100

See loadtest/README.md for full options.

Authentication

Pass the bearer token in the Authorization header:

curl -H "Authorization: Bearer my-secret-token" \
     -d '{"tenant":"default","sql":"SELECT 1"}' \
     http://localhost:8080/api/query