Documentation

From curl to first query, in under five minutes.

Install the CLI, point it at a sandbox, create a tokenized table, and run a query. The rest of the docs go deep — these are the steps that matter on day one.

On this page

1 — Install the CLI

macOS and Linux. Windows via WSL.

# macOS / Linux — single binary, no daemons
$ curl -fsSL https://rjbase.io/install.sh | sh
$ rjbase --version
rjbase 1.0.0 (linux/amd64)

2 — Authenticate

rjbase login opens a browser, runs the OAuth flow, and writes a short-lived token to ~/.rjbase/credentials.

$ rjbase login --org acme
→ Opened browser. Approve the request to continue…
✓ Authenticated as alice@acme.com (engineering)

3 — Create a tokenized table

Declare which columns are sensitive in the table DDL. Everything downstream — storage, query plans, masking — honors that declaration.

$ rjbase sql <<EOF
CREATE TABLE events.signups (
  id      UUID     PRIMARY KEY,
  email   TEXT     TOKENIZED('pii.email'),
  country TEXT,
  ts      TIMESTAMP  DEFAULT now()
) PARTITION BY days(ts);
EOF

4 — Ingest some data

$ rjbase ingest events.signups \
    --from-csv ./signups.csv \
    --mode upsert
✓ 12,418 rows ingested
  • 12,418 emails tokenized (vault namespace: pii.email)
  • Hot tier: NVMe pool 'preview-01'

5 — Query

Tokens are first-class. Joins, aggregates, and group-bys work without ever revealing raw values.

$ rjbase sql "SELECT country, COUNT(DISTINCT email) AS n
                FROM events.signups
                WHERE ts >= now() - INTERVAL '7 days'
                GROUP BY country
                ORDER BY n DESC LIMIT 5"

┌──────────┬──────┐
│ country  │   n  │
├──────────┼──────┤
│ US       │ 4012 │
│ MX       │ 1188 │
│ BR       │  973 │
│ DE       │  842 │
│ JP       │  611 │
└──────────┴──────┘

6 — Wire up a reveal policy

Only the support service, with a written reason, can detokenize email addresses. Everything else stays opaque.

# policies/pii_email.yaml
namespace: pii.email
allow_detokenize:
  - subject: service.support
    require:
      - justification: "ticket:\\d+"
      - approver:      "role:cx-lead"
    rate_limit:
      - 50/hour

$ rjbase policy apply policies/pii_email.yaml
✓ Policy 'pii.email' applied. Effective immediately.

Want the full reference?

The full docs cover SDKs, streaming ingest, federation, time-travel, and the audit-export pipeline.

Request access