Connect your sources
Point Regixo at your real databases and SaaS. It reads the connection string from an
environment variable you name — your secret never touches regixo.yml. This page
covers every connector that’s actually built, the exact strings, and how to reach a locked-down
database.
How connecting works
Each source is one entry in regixo.yml. The entry holds the name of the env
var that carries the secret (connectionRef), never the secret itself. At scan time
Regixo resolves the value from your environment. Two ways to add a source:
- Auto-detected — if a known env var is set,
regixo startoffers to add it for you (see Auto-detect). - By hand —
regixo add <type>, a wizard on a terminal or flag-driven when scripted.
Ten source kinds ship natively: the four SQL drivers (Postgres, Redshift, MySQL, SQL Server), Snowflake and BigQuery (cloud warehouses), Stripe, manual CSV, dbt (lineage), and script — a bring-your-own connector you author for anything else. HubSpot, Salesforce, Google Workspace, S3/GCS/Azure Blob and OpenAPI/JSON-schema import are on the roadmap, not shipped — reach those through BYOC.
Honest caveat: Snowflake and BigQuery ship, but neither has yet been run against a live account — they're proven by fixtures, a stubbed transport and gated live tests, and fail loudly on a bad token. Treat a first live scan as one to check.
SQL databases
One connector serves four drivers. Each reads a standard connection string from an env var:
| Database | Default env var | Connection string |
|---|---|---|
| Postgres | DATABASE_URL | postgres://user:pass@host:5432/db (or postgresql://) |
| Redshift | REDSHIFT_URL | redshift://user:pass@host:5439/db |
| MySQL | MYSQL_URL | mysql://user:pass@host:3306/db (one database per string) |
| SQL Server | SQLSERVER_URL | sqlserver://user:pass@host:1433/db (or mssql://) |
Set the env var, then add the source (this example is Postgres):
“Add my Postgres database to Regixo.”
Your agent fills in everything except the token — you put that in .env yourself.
Show the commandHide the commandShow the sentenceHide the sentence
$ export DATABASE_URL='postgres://readonly:••••@db.internal:5432/app' $ regixo add postgres --ref DATABASE_URL --label "App DB" --region eu-central-1
The source lands in regixo.yml with only the env-var NAME — never the value.
Nothing is scanned yet; adding and scanning are separate acts.
Check it worked: the source appears in regixo sources, and
regixo test connects to it and reads nothing. If your agent asked you to paste the
connection string into the chat, that is a bug — it belongs in .env, and only you
put it there (why).
Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
✓ added source app-db (postgres) — reads from $DATABASE_URL Regixo stores only the variable NAME — your secret never touches regixo.yml. Scan it in now? [Y/n]
The resulting regixo.yml entry:
version: 1
sources:
- id: app-db
kind: sql
driver: postgres
label: Application database
connectionRef: DATABASE_URL # the env-var NAME, never the secret
region: eu-central-1 # feeds the "transfers outside the EU" suggestion
role: controllerSQL Server encryption & other options
SQL Server connections default to encryption on with trustServerCertificate
on. Override in the connection string with ?encrypt=false (and
?trustServerCertificate=false). Redshift rides the Postgres driver, so
redshift://… and redshift+postgresql://… both work.
Snowflake
Snowflake is reached over the SQL REST API — there's no TCP driver — and it's
metadata-only: Regixo reads information_schema for tables, columns and types, never
row values. One env var carries the whole connection, with the token as its only secret:
| Default env var | Connection string |
|---|---|
SNOWFLAKE_URL | snowflake://<account>/<DATABASE>?warehouse=<WH>&role=<ROLE>&token=<TOKEN> |
“Add my Snowflake warehouse to Regixo.”
Your agent fills in everything except the token — you put that in .env yourself.
Show the commandHide the commandShow the sentenceHide the sentence
$ export SNOWFLAKE_URL='snowflake://ab12345/ANALYTICS?warehouse=WH_XS&role=REGIXO_RO&token=••••' $ regixo add snowflake --ref SNOWFLAKE_URL
The token is a Programmatic Access Token by default; for an OAuth token add
&token_type=OAUTH. A read-only role with USAGE on the database and
warehouse is enough. As with every source, regixo.yml stores only the variable
name — the token lives in your environment, never in the file (Hard Rule #6).
BigQuery
BigQuery is a metadata-only REST source: Regixo lists datasets and tables and reads each
table's schema (nested RECORD fields are flattened), never row values. The env var
holds a bigquery:// URL with your project id and one of two credentials:
| Default env var | Connection string |
|---|---|
BIGQUERY_URL | bigquery://<project-id>?token=<OAUTH_TOKEN>— or — bigquery://<project-id>?key_file=/path/to/service-account.json |
“Add my BigQuery project to Regixo.”
Your agent fills in everything except the token — you put that in .env yourself.
Show the commandHide the commandShow the sentenceHide the sentence
$ export BIGQUERY_URL="bigquery://my-project?token=$(gcloud auth print-access-token)" $ regixo add bigquery --ref BIGQUERY_URL
A short-lived OAuth token (token=) is easiest for a one-off scan; a service-account
key file (key_file=) is durable, so it suits a scheduled regixo watch. A
key-file path is not a secret, so it may sit in the URL — the token is, so it stays in the
env var only, never in regixo.yml.
Stripe
Stripe is metadata-only: Regixo pings /v1/balance to check the key works, then maps a
curated object schema (customer, charge, invoice, payment_method, subscription) so the classifier
can flag fields like email and card_last4. It never fetches customer
objects. Use a test-mode key.
“Add our Stripe account to Regixo.”
Your agent fills in everything except the token — you put that in .env yourself.
Show the commandHide the commandShow the sentenceHide the sentence
$ export STRIPE_API_KEY='sk_test_••••' $ regixo add stripe --ref STRIPE_API_KEY
Stripe is added with role: processor by default — it processes on your behalf.
dbt (lineage)
dbt isn’t a data source — it’s a lineage provider. Point Regixo at your compiled
manifest.json and the warehouse source its models map onto, and Regixo adds the
model-to-model ref graph as lineage. It reads no warehouse rows.
“Add our dbt models to Regixo so the map shows lineage.”
Show the commandHide the commandShow the sentenceHide the sentence
$ regixo add dbt --from target/manifest.json --target app-dbDescribe a source by hand (CSV)
Can’t reach a system, or want to document one Regixo can’t connect to yet? Describe its schema in a CSV — no live system, no secret. This is the “never a dead end” path.
dataset,column,type,nullable legacy_crm.contacts,email,varchar,false legacy_crm.contacts,full_name,varchar,true legacy_crm.orders,amount,decimal,false
“Describe my unreachable source to Regixo from a CSV of its schema.”
Show the commandHide the commandShow the sentenceHide the sentence
$ regixo add manual --from schema.csv--from schema.json.Bring your own connector (any SaaS or internal API)
Don’t see your tool in the list? For any SaaS, or your organisation’s own internal API, you can stand up a connector with a coding agent. Unlike the CSV above it’s live:
- Re-scanned by
regixo start/watch. - Checkable with
regixo test. - Flags drift when the schema moves.
Open your agent (e.g. Claude Code) in the project and say “add <your tool> to Regixo”; it reads the playbook and wires it up:
“Write a Regixo connector for our HubSpot data and register it.”
Your agent fills in everything except the token — you put that in .env yourself.
Show the commandHide the commandShow the sentenceHide the sentence
$ regixo connectors --skillThe playbook’s core is an interview: a private/internal API has no public docs the model knows, so the agent asks you how it authenticates and what its objects/fields are (or reads an internal OpenAPI spec / a sample response) — then authors the connector. Everything runs out-of-process: Regixo never imports or runs the authored code inside itself. How it works:
- A generator script (
script) — works for any source - The agent writes a small script in
regixo-connectors/that prints your schema (the same CSV/JSON as above). Regixo runs it as a subprocess each scan and ingests only the printed schema — never row values. Name the token env var after the tool (HUBSPOT_TOKEN), not a generic name.say“Write a Regixo connector for our orders API and register it.”
Your agent fills in everything except the token — you put that in
.envyourself.Show the commandHide the commandShow the sentenceHide the sentence
run$ regixo connectors new orders-api # scaffold regixo-connectors/orders-api.mjs $ regixo add script --generator regixo-connectors/orders-api.mjs --id orders-api --ref ORDERS_API_TOKEN
The connector files live in regixo-connectors/ at your project root (next to
.env, committed to your repo — a rm -rf .regixo never deletes them). The token
stays in .env; config keeps only the variable name.
These connectors are best-effort: labelled user-authored on the map and excluded from the freshness guarantee. They fail loudly, never stale silently.
Metadata-only is a documented expectation, not a sandbox — Regixo runs your generator as a subprocess with your resolved env. See AI agents for the full authoring flow.
regixo add — the flags
| Flag | Meaning |
|---|---|
--ref <ENV_VAR> | Name of the env var holding the secret (live sources). Defaults per type (DATABASE_URL, MYSQL_URL, …). |
--from <file> | File path for manual (CSV) and dbt (manifest.json). |
--target <id> | dbt only — the warehouse source id the models map onto (required). |
--generator <file> | script (BYOC) only — the generator script Regixo runs each scan (scaffold one with regixo connectors new). |
--role controller|processor | Your GDPR role for this source. Default controller (Stripe defaults processor). |
--region <region> | SQL sources — the host region; feeds the transfers-outside-EU suggestion. |
--id <slug> · --label <text> | Override the source id / display label. |
--skill | Prints the agent playbook for connecting a source (no config, no scan) — pipe it into your AGENTS.md. |
--yes · --json | Non-interactive; machine-readable output. |
On a terminal, regixo add with no type opens a picker (Databases · SaaS ·
Import from a file). Headless, pass the type and flags. It writes config only — the headless path
never scans; run regixo start after.
Remove a source
Two built-in ways, depending on whether you want to drop one source or wipe everything. Both are Regixo’s own commands. Neither touches your database — the scan only ever read metadata — and neither deletes your secret.
Remove one source
regixo sources remove <id> is the exact undo of an add: it drops the
source from regixo.yml and clears its datasets, personal-data flags and lineage from the
map, so the map stays honest. Because that erases mapped data, it asks first — confirm with
--yes:
“Remove the source myfintech1 from Regixo — I added it by mistake.”
Show the commandHide the commandShow the sentenceHide the sentence
$ regixo sources remove myfintech1 --yesThe source drops out of regixo.yml and its datasets clear from the map. Your
.env is left alone — removing a source never touches a secret.
Check it worked: it is gone from regixo sources, and the coverage meter on the
dashboard counts one fewer source. The map itself refreshes on the next scan.
Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
✓ removed source "myfintech1"
cleared its datasets from the map
the map refreshes on the next regixo startWithout --yes it prints what would happen and stops — a scanned source warns that its
mapped tables + personal-data flags will be erased; a never-scanned source says it’s safe (nothing is
mapped yet).
- Don’t know the id?
regixo sourceslists them (it works before any scan too). - Removing your last source is fine — the next
regixo startsimply offers to connect one again, like a fresh folder. - To undo a removal, re-add the source and run
regixo start; nothing about your database changed.
regixo.yml and the map, but it does not touch your
.env — that’s your secret file, and Regixo never deletes your secrets (it only ever
stored the variable name, never the value). If you want the connection string gone too, delete
that line in .env yourself.Start over — wipe everything
To remove every source, the whole map and the draft record in one motion, delete the local folder Regixo wrote in this project:
$ rm -rf .regixo.regixo/ holds the catalog (index.db), the drafts, and the auto-generated
regixo.yml. Deleting it is a clean slate: the next regixo start is a brand-new
first run.
Your .env sits outside .regixo/, so it survives — delete it by hand
if you want the connection string gone. Same for a regixo.yml you keep at the project root
yourself: that one is outside .regixo/ too, so remove it separately.
regixo open is still running (serving on :4319), press Ctrl+C to
stop it, or run the remove in a new terminal — a running server keeps showing the old map until you
restart it.Auto-detect
On a first run with no regixo.yml, regixo start looks for these env
vars and offers to add what it finds: DATABASE_URL, MYSQL_URL,
REDSHIFT_URL, SQLSERVER_URL, STRIPE_API_KEY. It also reads the
variable names (never the values) from a local .env, so a source shows up even
if the value is only exported at runtime. File sources (CSV, dbt) are never auto-detected — add
those by hand.
How secrets are resolved
At scan time Regixo resolves each source’s connectionRef in order:
- The env var named exactly by
connectionRef(e.g.DATABASE_URL). REGIXO_SECRET_<REF>as a fallback.- Otherwise a
SECRET_UNRESOLVEDerror naming the variable to set.
regixo.yml. Commit
regixo.yml freely — it contains only variable names and non-secret config.When a database can’t be reached
A partial scan is fine — an unreachable source is marked and coverage stays honest (“4 of 6 reachable”). To bring the rest in, there are three real routes:
- Bring the key — set up your own VPN or SSH tunnel, then give Regixo a connection string
that reaches through it in the normal
DATABASE_URL. There is no--tunnelflag — Regixo just needs a reachable host. - Bring Regixo inside — run
regixo starton a machine inside the network and merge the maps. - Describe it — import a CSV of the schema.
Verify & troubleshoot
Dry-run every connection (checks credentials + reachability, no scan):
“Check that my Regixo source connections still work.”
Show the commandHide the commandShow the sentenceHide the sentence
$ regixo testIt connects to each source and reads nothing — no scan, no schema, no rows. A ✓ means the credentials work and the host is reachable from here.
Check it worked: an ✗ names the reason — a 401, a refused connection, a bad host.
regixo doctor turns that reason into a runnable fix. A source on a network your agent
is not on will never connect from here, and no amount of retrying changes that.
Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
✓ app-db — connected ✗ stripe — Stripe rejected the API key (401) → fix: regixo doctor 1/2 source(s) failed
Turn any problem into a fix:
“One of my sources won’t connect — find out why and fix it.”
Show the commandHide the commandShow the sentenceHide the sentence
$ regixo doctorIt resolves each env var and actually probes the connection (the same probe as
regixo test, so they never disagree), then prints a specific fix.
| Error | What it means & the fix |
|---|---|
SECRET_UNRESOLVED | The env var isn’t set. export <REF>='postgres://…' and retry. |
SOURCE_UNREACHABLE | Host/port/network. Check the route (VPN, firewall) then regixo test <id>. |
DRIVER_MISSING | Unknown connection scheme or source kind — check the :// scheme is one of the supported drivers. |
NO_SOURCE_DETECTED | Nothing to scan and no regixo.yml yet. Set an env var or regixo add. |
SOURCE_NOT_FOUND | Unknown source id — list them with regixo sources. |
Full list: Errors & fixes.
The read-only access Regixo needs
The scanner only ever issues SELECT against information_schema.tables
and .columns, and (Postgres/Redshift) reads catalog tables
(pg_class, pg_depend, pg_rewrite) for row-count estimates
and view lineage. A read-only role with catalog visibility is enough. A restricted role
simply loses the estimates and auto-lineage — the scan never breaks. No writes, no DDL, and it
never SELECTs your row data.