The Fastest Way to Enable
Safely and Securely
What is Ekaya?
The Ekaya Engine is an on-prem MCP Server that provides a safe and secure link between AI and your databases, giving you full access control over who and what can query data while preventing prompt injection attacks and detecting data leakage. All of this comes in a self-hostable solution, so your data never leaves your network boundary.

An On-Prem MCP Server
Ekaya Engine is a single deployable server that connects to your database and exposes tools to AI through a managed and controlled MCP interface. Your data never leaves your network.
AI-Optimized Ontology
Ekaya builds a semantic layer on top of your database that bridges technical schema with business meaning — enabling AI to create accurate queries and analyze data in your terms.
Apps give you Superpowers
The AI Data Liaison enables Business Users to make better decisions 10x faster while cutting ad-hoc requests to the data team by half.
Enterprise-Level Security & Data Governance
Production-ready security with compliance framework support and complete audit trails
Authentication & Access Control
- SSO Integration: Works with your existing identity provider (Okta, Auth0, Google Workspace, Azure AD)
- OAuth 2.1: Industry-standard authentication with PKCE for secure token exchange
- Multi-Tenant Isolation: Complete project-level separation with dedicated connection pools
- Row-Level Security: Database-native RLS policies enforce data access boundaries
- Role-Based Access: Admin, Data, and User roles with project-level isolation
Data Protection & Encryption
- In Transit: TLS 1.3 encryption for all communications
- At Rest: Leverages your database's native encryption
- Data Sovereignty: Your data never leaves your network—Ekaya connects to your databases directly
- Credential Security: Passwords and secrets never logged or exposed
- Optional mTLS: Mutual TLS support for additional transport security
Audit Trails & Compliance Readiness
Every AI-to-database interaction is logged with full context — who accessed what, when, how, and why.
Built-In Audit Infrastructure:
- Full query history with user attribution
- MCP tool call logging with request/response capture
- Structured JSON audit events with severity levels
- Configurable audit retention policies
- Security event detection (SQL injection, unusual access patterns)
Finally, audit logs that matter: Know exactly WHO accessed WHAT data through AI tools, with complete context for compliance and security investigations.
Security Model
Every request is authenticated and authorized. No shared credentials, no connection pooling across users, and no cross-tenant data access. Your database RLS policies are enforced automatically.
Open Source & Zero Lock-in
True open source with Apache 2.0 license—your insurance policy against vendor risk
The Ekaya Engine is truly open source under Apache 2.0—not "source available" or "open core." You have complete freedom to fork, modify, and deploy without licensing restrictions or vendor dependencies. Ekaya operates a service that lets you manage server instances and user invitations and access.
Complete Source Access
- Apache 2.0 License: Full commercial use rights with no restrictions
- Public Repository: All code on GitHub, fully auditable
- No Hidden Components: Everything needed to run in production included
- Fork-Friendly: Take the project in your own direction if needed
Self-Hosting Freedom
- Behind Your Firewall: Deploy in your VPC with complete control
- Air-Gapped Support: Run in isolated environments without internet
- Custom Applications: Deploy your own applications at no cost
- Your Infrastructure: Cloud Run, Kubernetes, bare metal—your choice
Standard Protocols, Zero Proprietary Formats
Ekaya uses industry-standard protocols and formats. Your data and configurations remain portable.
Data Access
- MCP (Model Context Protocol)
- REST APIs
- Standard SQL
Data Storage
- Ekaya Engine uses PostgreSQL
- Datasource adapters support dozens of databases
- Multi-tenancy is supported via RLS
Configurations
- YAML config with env var overrides
- Embedded SQL migrations
- Startup config validation
Your Data Stays Yours
Ekaya Engine runs in your environment and connects directly to your databases. Your database credentials and query results stay within your infrastructure. This is your infrastructure, your data, your control.
Integration & Compatibility
Works with your existing infrastructure—databases, identity providers, and tools
Database Support
Bring your own database. Ekaya connects to your existing data stores without data duplication.
- PostgreSQL: Full support including Aurora PostgreSQL and Supabase, with RLS enforcement
- Microsoft SQL Server: SQL Server 2019+ and Azure SQL Database with Azure AD auth
- Direct Connections: Ekaya connects to your database—no ETL, no data movement
- Security Preserved: Your existing RLS policies and permissions enforced automatically
Identity & Access
Integrate with your existing identity provider for seamless SSO and access control.
- SSO Ready: Okta, Auth0, Google Workspace, Azure AD, any OAuth 2.1 provider
- JWKS Validation: Configurable JWKS endpoints for JWT verification from your issuer
- Role Mapping: JWT roles propagated into project-level access control
- Agent API Keys: Dedicated API key authentication for MCP tool access
Extensible by Design
Ekaya provides standard REST APIs and MCP tools for custom integrations. Build your own clients, extend functionality, or integrate with proprietary systems. Your data access layer, your way.
Deployment & Operations
Production-ready operations with comprehensive monitoring and simple deployment
Operational Simplicity
Single ~0MB binary includes everything: MCP server, REST API, and React UI. No microservices to coordinate, no complex service mesh, no distributed state to synchronize. One binary. One configuration file. That's it.
Deployment Options
- Cloud Run: Serverless with automatic scaling and managed SSL (recommended)
- Kubernetes: StatefulSet or Deployment with HPA for enterprise control
- Docker: Standard containerized deployment on any infrastructure
- Bare Metal: Direct binary execution on Linux servers
- Localhost: Run locally for development and testing
Monitoring & Observability
- Health Checks: /health endpoint for load balancer integration
- Connection Metrics: /metrics endpoint with connection pool statistics
- Structured Logging: JSON logs via zap with request context
- Security Alerts: Configurable triggers for SQL injection, unusual access, and more
- Audit Dashboard: Built-in UI for reviewing MCP tool call and query history
Configuration Management
- YAML configuration files (version control friendly)
- Environment variable overrides for secrets
- Config validation on startup with clear error messages
- Embedded SQL migrations run automatically on startup
Reliability & Recovery
- Graceful Shutdown: In-flight request draining with configurable timeout
- Health Checks: Docker HEALTHCHECK and /health endpoint for orchestrators
- Rolling Updates: Stateless request handling supports rolling deployments
- SQL Injection Prevention: libinjection-based parameter scanning on every query
Architecture & Scalability
Built for enterprise scale with horizontal scaling and multi-tenant isolation
Horizontal Scaling
Ekaya Engine is designed for horizontal scaling. Persistent state lives in PostgreSQL, enabling straightforward scaling with standard container orchestration.
- Graceful shutdown with in-flight request draining
- Cloud Run and Kubernetes compatible with health checks
- Embedded UI and migrations—nothing extra to deploy
- Single port serves REST API, MCP server, and UI together
Multi-Tenant Isolation
Each project operates in complete isolation with dedicated resources and security boundaries.
- Separate connection pools per project
- Independent semantic layers and business rules
- Isolated audit trails for compliance
- No cross-tenant data access possible