MySQL

Databases

system_type: "mysql"

PQC-seal MySQL credentials and proxy parameterized queries with column-level encryption for PII fields.

Overview#

The MySQL connector seals database credentials in QuantaVault and proxies parameterized queries. Supports MySQL 8.0+ and MariaDB 10.6+. Column-level tokenization can be applied to PII fields before insert.

Base URL: https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_...

Prerequisites#

1MySQL 8.0+ or MariaDB 10.6+
2A dedicated MySQL user with appropriate table permissions
3Connection details: host, port, database, username, password
4A QuantaSeal API key

Configuration#

Follow these steps to connect MySQL to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.

1
Create a least-privilege MySQL user: CREATE USER 'qs_proxy'@'%' IDENTIFIED BY '...'; GRANT SELECT, INSERT, UPDATE ON mydb.* TO 'qs_proxy'@'%';
2
Seal the DSN: POST /api/v2/vault/seal with credential_type: database_dsn.
3
Create the integration: POST /api/v2/integrations with system_type: mysql.

Authentication Types#

Store connection details as a database_dsn in QuantaVault: mysql://user:pass@host:3306/dbname?ssl-mode=REQUIRED

DB DSN

All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.

Available Operations#

QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.

Operation	Description
`query`	Execute a parameterized SELECT.
`execute`	Execute a parameterized INSERT, UPDATE, or DELETE.
`transaction`	Execute multiple statements in a transaction.

Code Example#

Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.

bashCopy

curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "integration_id": "int_01HZ9X2K4MNPQRMYSQL000001",
    "operation": "query",
    "payload": {
      "sql": "SELECT id, name FROM products WHERE category = ? AND price < ?",
      "params": ["electronics", 500]
    }
  }'

# Response - HybridCryptoEnvelope
{
  "success": true,
  "encrypted": {
    "ciphertext_kem":  "<base64 - 1088 bytes ML-KEM-768>",
    "ciphertext_data": "<base64 - AES-256-GCM encrypted MySQL result>",
    "nonce":           "<base64 - 12 bytes>",
    "tenant_id":       "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm":       "ML-KEM-768"
  },
  "signature": {
    "pqc_signature":  "<base64 - ~3309 bytes ML-DSA-65>",
    "hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
    "tenant_id":      "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm":      "ML-DSA-65+HMAC-SHA-512"
  },
  "audit_event_id": "aud_01HZ9XABCDEF"
}

Decrypt the response using the QuantaSeal SDK: client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.

Troubleshooting#

Access denied for user

Verify the MySQL user has been granted the correct privileges on the target database and that the host wildcard (%) allows connections from QuantaSeal egress IPs.

Still stuck? Check the Security Events page in the Admin Console for detailed proxy error logs, or open a support ticket at quantaseal.io/support.

All Connectors API Reference