# Database schema reference

Tables are created by the migrations in `database/migrations/`, which are loaded automatically (toggle with `iam.run_migrations`). All table names are prefixed `iam_`. The migrations are the source of truth for exact columns and indexes; this page lists them by feature. The grouped view is in the Data model.
## Migrations, in order

| # | Migration | Creates / changes |
|---|---|---|
| 1 | `create_iam_core_tables` | users, organizations and core identity tables |
| 2 | `create_iam_authz_catalog` | permissions, roles, grants (the authorization catalog) |
| 3 | `create_iam_data_keys` | envelope-encryption data keys |
| 4 | `create_iam_signing_keys` | ES256 token-signing keys (rotating) |
| 5 | `create_iam_oauth_clients` | OAuth clients |
| 6 | `create_iam_oauth_grant_tables` | auth codes, access/refresh tokens, scopes |
| 7 | `create_iam_sessions` | server-side, revocable sessions |
| 8 | `create_iam_step_up_challenges` | step-up (AAL2) challenges |
| 9 | `create_iam_federated_identities` | upstream-provider identity links |
| 10 | `add_session_to_oauth_auth_codes` | binds auth codes to a session sid |
| 11 | `create_iam_applications_and_manifests` | Application Registry + manifests |
| 12 | `create_iam_audit_tables` | hash-chained events, checkpoints, outbox, PII envelopes |
| 13 | `create_iam_review_tables` | access-review campaigns + items |
| 14 | `create_iam_access_requests` | access requests |
| 15 | `create_iam_idempotency_keys` | idempotency keys for writes |
| 16 | `create_iam_relations_table` | ReBAC tuples (subject, relation, object) |
| 17 | `add_relation_to_iam_permissions` | optional relation binding on permissions |
| 18 | `create_iam_groups_tables` | groups + membership (writes the member tuple) |
| 19 | `create_iam_directory_sources` | directory-source configuration |
| 20 | `create_iam_approval_steps` | approver-chain steps for access requests |
## By subsystem

- `iam_core_tables`, `iam_sessions`, `iam_step_up_challenges`, `iam_federated_identities`. See Sessions & step-up.
- `iam_authz_catalog` (+ relation column), `iam_relations`, `iam_groups_tables`. See Authorization models and ReBAC.
- `iam_data_keys`, `iam_signing_keys`, `iam_oauth_clients`, `iam_oauth_grant_tables`. See OAuth2 & OIDC.
- `iam_applications_and_manifests`, `iam_audit_tables`. See Manifests and Tamper-evident audit.
- `iam_review_tables`, `iam_access_requests`, `iam_approval_steps`, `iam_idempotency_keys`, `iam_directory_sources`. See Access reviews.
Never `UPDATE`/`DELETE` `iam_audit_tables` rows out of band — it breaks the hash-chain and the tamper-evidence for every later event. Use crypto-shredding for PII erasure, and go through the Admin API for everything else.
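As an added illustration of the two points in this caveat (example code, not the project's own), a Python sketch with a hypothetical row layout: recomputing a hash chain from genesis shows why one out-of-band `UPDATE` fails that row and every later link, while deleting a data key (crypto-shredding) leaves the chain verifiable because the hash covers the PII ciphertext. The column names, the toy cipher, the `dk-N` key ids and the `demo` flow are assumptions, not the real `iam_audit_tables` schema.

```python
import hashlib
import json
import secrets
# Constructed demo; column names (seq, prev_hash, event, pii_ct, key_id, row_hash) are
# hypothetical, not the real iam_audit_tables schema, and the XOR cipher is a toy stand-in.
GENESIS = "0" * 64

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # Toy XOR keystream derived with SHA-256; symmetric, so the same call decrypts.
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(p ^ s for p, s in zip(data, stream))

def row_hash(prev_hash: str, seq: int, event: dict, pii_ct: bytes, key_id: str) -> str:
    # The digest covers the PII *ciphertext*, so deleting the data key later
    # (crypto-shredding) changes no hashed input and the chain still verifies.
    head = prev_hash.encode() + str(seq).encode() + json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(head + pii_ct + key_id.encode()).hexdigest()

def append_event(chain: list, keystore: dict, event: dict, pii: str) -> None:
    # Envelope encryption: per-event data key in the keystore, only ciphertext in the row.
    seq, key_id = len(chain) + 1, f"dk-{len(chain) + 1}"
    keystore[key_id] = secrets.token_bytes(32)
    prev = chain[-1]["row_hash"] if chain else GENESIS
    ct = toy_encrypt(keystore[key_id], pii.encode())
    chain.append({"seq": seq, "prev_hash": prev, "event": event, "pii_ct": ct,
                  "key_id": key_id, "row_hash": row_hash(prev, seq, event, ct, key_id)})

def verify_chain(chain: list) -> list:
    # Recompute from genesis; an edited row fails, and so does every later prev_hash link.
    bad, prev = [], GENESIS
    for r in chain:
        expected = row_hash(prev, r["seq"], r["event"], r["pii_ct"], r["key_id"])
        if r["prev_hash"] != prev or r["row_hash"] != expected:
            bad.append(r["seq"])
        prev = expected
    return bad

def read_pii(row: dict, keystore: dict):
    # Once the data key is shredded the PII is unrecoverable while the row itself stays.
    key = keystore.get(row["key_id"])
    return toy_encrypt(key, row["pii_ct"]).decode() if key else None

def demo() -> tuple:
    chain, keystore = [], {}
    for i in range(3):
        append_event(chain, keystore, {"type": "login", "user": f"u{i}"}, f"user{i}@example.com")
    del keystore[chain[1]["key_id"]]            # shred event 2's PII: chain stays intact
    shredded = (verify_chain(chain), read_pii(chain[1], keystore))  # ([], None)
    chain[1]["event"]["type"] = "logout"        # out-of-band UPDATE of event 2
    return shredded, verify_chain(chain)        # (([], None), [2, 3])
```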
## Next

- Data model — the grouped, relational view.
- Tamper-evident audit — the audit tables’ guarantees.
- Configuration — `run_migrations` and related settings.