All the features

Everything Lampion puts at your disposal, with concrete examples.

COMPUTE

Scale to zero

Your compute suspends automatically after 5 minutes without a connection. On the next psql, it wakes up in under a second. You only pay for active time.

  • Configurable auto-suspend (5 min by default)
  • Wake-on-connect via the TCP proxy
  • Metering precise to the second
$ psql "postgresql://[email protected]/ep-abc.postgres"
SSL connection (TLSv1.3)
-- compute was suspended, resumed in 0.8s
mydb=> SELECT now();
2026-04-22 10:42:01.234+00
DATA

Git-like branching

Create a copy of your database in under a second. Copy-on-write: the branch only consumes the delta. Test your migrations, then delete it.

  • Instant fork (copy-on-write)
  • Protected branches (blocks DROP on main)
  • TTL auto-delete (1h to 30 days)
  • Schema diff between branches
$ curl -X POST .../branches \
  -d '{"name":"staging","parent_id":"main"}'

{"id":"br-new","name":"staging",
  "compute_id":"ep-staging",
  "created_in":"0.4s"}

# La branche a sa propre base, isolée
# Supprimez-la quand vous avez fini
SECURITY

Zero-trust security

Every connection is authenticated and encrypted. Passwords generated per project, never reused. Public API with Bearer tokens scoped by organization.

  • SCRAM-SHA-256 on every connection
  • TLS required (auto-generated certificates)
  • Unique passwords per project (24 chars)
  • IP allowlists (paid plans)
  • Rate limiting (120 req/min/IP)
  • RBAC: owner / admin / developer / viewer / analyst
# Connexion chiffrée + authentifiée
$ psql "postgresql://cloud_admin:YaQY...
  @db.lampion.cloud:5432/ep-abc.postgres
  ?sslmode=require"

psql (17.5)
SSL connection (protocol: TLSv1.3,
  cipher: TLS_AES_256_GCM_SHA384)

# API avec Bearer token
$ curl -H "Authorization: Bearer lmp_live_xxx" \
  .../v1/projects
TOOLING

Advanced SQL Editor

A full SQL editor built into the console. Multiple tabs, history, saved queries, Explain Analyze, CSV export. Edit your data directly in the tables.

  • Multi-tab with history (last 100)
  • Autocomplete for tables + columns
  • Explain Analyze in one click
  • CSV export, SQL import
  • Inline data editing (double-click)
  • Column filters (=, LIKE, ILIKE, IS NULL...)
mydb=> EXPLAIN ANALYZE
  SELECT * FROM users WHERE email ILIKE '%@corp.com';

Seq Scan on users  (cost=0.00..1.52 rows=1)
  Filter: (email ~~* '%@corp.com'::text)
  Rows Removed by Filter: 42
Planning Time: 0.08 ms
Execution Time: 0.03 ms
OBSERVABILITY

Monitoring and alerts

Real-time dashboard with 24h history. CPU, memory, I/O, connections, cache ratio, size per database. Automatic email alerts on quotas.

  • Live graphs (CPU, RAM, I/O, connections)
  • Cache hit ratio with color-coded thresholds
  • Size per database
  • Email alerts at 80% and 100% of quota
  • Real-time PostgreSQL logs
GET /v1/projects/{id}/metrics

{"connections_total": 12,
  "connections_active": 3,
  "cache_hit_ratio": 98.5,
  "storage_logical_mb": 42.3,
  "compute_cpu_seconds": 1234.5,
  "compute_memory_mb": 256,
  "databases": [
    {"name":"myapp","size_mb":38.1}
  ]}
NETWORK

Connection pooling

Built-in PgBouncer in transaction pooling mode. The TCP proxy routes connections, handles multiplexing, and wakes up suspended computes on the first packet.

  • PgBouncer in transaction mode
  • Multiplexing: hundreds of clients over a handful of PG connections
  • Automatic wake-on-connect
  • Routing by endpoint ID
# Connexion directe (sans pooling)
$ psql "postgresql://[email protected]/ep-abc.postgres"

# Via pooling (parametre options)
$ psql "postgresql://[email protected]/postgres
  ?options=endpoint%3Dep-abc"

-- PgBouncer: transaction mode active
-- 200 clients → 5 PG connections
DURABILITY

Backup & PITR

Capture the exact state of your database at a point in time. Restore to a new branch without touching production. pg_dump export via the API.

  • Snapshots via the pageserver LSN
  • Restore to a new branch
  • pg_dump via the API (filter by table)
  • Zero impact on production
$ curl -X POST .../backups \
  -d '{"name":"before-migration","branch_id":"main"}'

{"id":"bk-42","lsn":"0/15A2C08","created_at":"..."}

# Restaurer vers une nouvelle branche
$ curl -X POST .../backups/bk-42/restore

{"branch":"restored-bk-42","compute_id":"ep-new"}

# Export SQL
$ curl .../endpoints/ep-abc/dump?table=users -o users.sql
INTEGRATION

Webhooks

Receive real-time HTTP notifications on 10+ event types. Each payload is signed with HMAC-SHA256 for server-side verification.

  • 10+ events: project.created, endpoint.suspended, etc.
  • HMAC-SHA256 signature with a dedicated secret
  • Filtering by event type
  • Enable/disable per webhook
$ curl -X POST .../webhooks \
  -d '{"url":"https://hook.me/lampion",
    "events":["project.created","endpoint.suspended"]}'

{"id":"wh-7f","secret":"a1b2c3..."}

# Payload recu :
{"event":"endpoint.suspended",
  "project_id":"abc123",
  "endpoint_id":"ep-abc",
  "timestamp":"2026-04-01T12:00:00Z"}
# Header: X-Lampion-Signature: sha256=...
COLLABORATION

Team & multi-org

Invite your colleagues by email, assign granular roles. Each user can belong to several organizations with instant switching.

  • Roles: owner, admin, developer, viewer, analyst
  • Email invitations with notification
  • Multi-organization with instant switching
  • Full audit log of every action
$ curl -X POST .../invitations \
  -d '{"email":"[email protected]","role":"developer"}'

{"id":"inv-9a","email":"[email protected]",
  "role":"developer","status":"pending"}

# Audit log
$ curl .../audit-log?limit=3

[{"action":"invitation.created","actor":"bob"},
  {"action":"project.created","actor":"bob"},
  {"action":"api_key.created","actor":"alice"}]
AUTOMATION

Database seeding

Attach up to 10 ordered SQL scripts to your project. They run automatically on every new branch — test data, fixtures, extensions.

  • Up to 10 ordered scripts per project
  • Automatic execution on every new branch
  • Enable/disable per script
  • Reorder on the fly
$ curl -X POST .../seeds \
  -d '{"name":"fixtures","sql":"
    CREATE TABLE users (
      id SERIAL PRIMARY KEY,
      name TEXT, email TEXT UNIQUE
    );
    INSERT INTO users (name, email) VALUES
      (\u0027Alice\u0027, \[email protected]\u0027),
      (\u0027Bob\u0027, \[email protected]\u0027);"}'

{"id":"seed-1","name":"fixtures","position":1}

# Chaque branche creee execute ce script
PERFORMANCE

Query Replay

Capture a branch's top queries via pg_stat_statements, replay them on another. Catch performance regressions before merging.

  • Capture via pg_stat_statements
  • Side-by-side replay, source vs target
  • Automatic regression detection
  • Performance ratio per query
$ curl -X POST .../replay -d '{
  "source_endpoint_id":"ep-main",
  "target_endpoint_id":"ep-staging",
  "limit":20}'

{"queries": [
  {"query":"SELECT * FROM orders WHERE...",
    "source_mean_ms": 1.2,
    "target_mean_ms": 3.8,
    "ratio": 3.17,
    "status": "regression"}
  ],
  "summary": {"regressions":2,
    "improvements":5,"stable":13}}
EXTENSIBILITY

PostgreSQL extensions

Install pgvector, PostGIS, pg_cron, and other extensions in one click. List available extensions, enable or disable them per database.

  • pgvector for AI and embeddings
  • PostGIS for geospatial data
  • pg_cron for scheduled tasks
  • hstore, uuid-ossp, and more
$ curl .../extensions

[{"name":"plpgsql","installed":true},
  {"name":"pgvector","installed":false},
  {"name":"postgis","installed":false}]

$ curl -X POST .../extensions \
  -d '{"name":"pgvector"}'

{"name":"pgvector","installed":true}

mydb=> CREATE TABLE docs (
  id SERIAL, embedding vector(1536)
);
TOOLING

Schema introspection

Explore the structure of your databases via the API or the console. Three-level hierarchical navigation: databases, schemas, tables with columns and types.

  • Level 1: list of databases
  • Level 2: schemas with table counts
  • Level 3: tables, columns, types, defaults
  • No SQL query needed
$ curl ".../schema?database=myapp&schema=public"

{"type":"tables","items":[
  {"name":"users","columns":[
    {"name":"id","type":"integer",
      "nullable":false,"default":"nextval()"},
    {"name":"email","type":"text",
      "nullable":false,"default":null},
    {"name":"created_at","type":"timestamptz",
      "nullable":true,"default":"now()"}
  ]},
  {"name":"orders","columns":[...]}
]}
COMPLIANCE

Data residency

Visual audit proving where your data resides. Region, physical datacenter, provider, certifications per layer. Exportable proof of compliance.

  • Location per layer (compute, storage, WAL)
  • Certifications: ISO 27001, HDS
  • Physical datacenter identified
  • Verifiable GDPR compliance
$ curl .../residency

{"region_id":"fr-par-1",
  "region":{
    "city":"Paris",
    "provider":"Scaleway",
    "datacenter":"DC2 — Vitry-sur-Seine",
    "certifications":["ISO 27001","HDS"]},
  "data_layers":[
    {"layer":"compute","location":"fr-par-1"},
    {"layer":"pageserver","location":"fr-par-1"},
    {"layer":"s3_storage","location":"fr-par"}
  ],
  "compliance":{"data_in_country":"France"}}
BILLING

Transparent billing

3 clear plans with real-time cost simulation. Precise metering of compute, storage, and transfer. No hidden costs.

  • Free: 3 projects, $0
  • Dev: $0.09/CU-hour, $0.35/GB-month
  • Pro: IP allowlist, configurable auto-suspend
  • Real-time monthly estimate
$ curl .../usage

{"plan":{"name":"dev"},
  "quotas":{"projects":{"used":4,"max":100}},
  "total":{
    "compute_hours": 25.3,
    "storage_gb": 1.2,
    "transfer_gb": 0.4},
  "estimated_cost":{
    "compute_usd": 2.28,
    "storage_usd": 0.42,
    "transfer_usd": 0.04,
    "total_usd": 2.74},
  "period":"2026-04"}
PRIVACY

PII Masking

Dynamically mask sensitive columns (email, name, IBAN, SIRET) on a branch. Ideal for sharing a copy of production with dev/staging without exposing real data. Built on postgresql_anonymizer with dynamic masking. Members with the analyst role only see anonymized branches and connect via a dedicated PostgreSQL role (lampion_analyst) that only sees masked data.

  • Enabled per branch (never in production)
  • 15+ functions: fake_email, fake_iban, hash, partial, REDACTED, NULL...
  • Strict allowlist (SQL injection protection)
  • Applied live without recreating the branch
  • Analyst role: restricted to anonymized branches only
  • Dedicated connection string (lampion_analyst) for analysts and external contractors
# 1. Activer le masking sur la branche staging
$ curl -X POST .../branches/staging/anonymization/enable

{"enabled":true}

# 2. Ajouter des règles de masquage
$ curl -X POST .../anonymization/rules -d '{
  "table_name":"users",
  "column_name":"email",
  "masking_function":"anon.fake_email()"
}'

{"id":"r-1","column_name":"email",
  "masking_function":"anon.fake_email()"}

staging=> SELECT email FROM users LIMIT 2;
  email
-------------------------
 [email protected]
 [email protected]
-- Toutes les valeurs sont fake
SCALING

Read Replicas

Add read-only replicas on any branch. Each replica has its own connection string and can be suspended independently.

  • Read-only replicas per branch
  • Dedicated connection string per replica
  • Independent suspend/resume
  • Ideal for analytics and dashboards
$ curl -X POST .../branches/main/replicas

{"id":"rep-1",
  "connection_string":"postgresql://...
    @db.lampion.cloud/rep-1.postgres
    ?sslmode=require",
  "status":"running",
  "read_only":true}

# Suspend quand plus necessaire
$ curl -X POST .../replicas/rep-1/suspend

{"id":"rep-1","status":"suspended"}
ENCRYPTION

Data encryption

Your data is encrypted at rest and in transit on every layer. Enterprise plans can bring their own encryption key (CMEK) via an external KMS.

  • TLS 1.3 required on all connections
  • SSE-S3 encrypted S3 storage (AES-256)
  • Encrypted console DB (Managed PostgreSQL)
  • Compute volumes encrypted at rest
  • CMEK via Scaleway KMS, AWS KMS, or Vault (Enterprise)
  • SSO SAML / OIDC (Enterprise)
# Connexion — TLS 1.3 obligatoire
$ psql "postgresql://[email protected]/...?sslmode=require"

SSL connection (protocol: TLSv1.3,
  cipher: TLS_AES_256_GCM_SHA384)

# Vérifier le chiffrement des données
$ curl .../residency

{"data_layers":[
  {"layer":"compute","encryption":"AES-256 (volume)"},
  {"layer":"s3_storage","encryption":"SSE-S3 AES-256"},
  {"layer":"console_db","encryption":"Managed (encrypted)"}
  ],
  "cmek":{"enabled":false,
    "available_on":"enterprise"}}

# Enterprise : CMEK via KMS
$ curl -X PATCH .../encryption \
  -d '{"kms_provider":"aws_kms",
    "key_arn":"arn:aws:kms:eu-west-1:..."}'
SOVEREIGNTY

Sovereign multi-cloud

Choose your cloud provider when you create the project: Paris (Scaleway) or Gravelines (OVH Cloud). Your data stays in France, on the provider of your choice. The console stays unified, the data plane (K8s + S3) is deployed on the selected cloud.

  • Provider choice at project creation
  • Scaleway: Paris (Vitry-sur-Seine, fr-par-1)
  • OVH Cloud: Gravelines (gra-1)
  • Centralized console, distributed data plane
  • No lock-in: migrate from one cloud to another
  • Admin panel: health monitoring per data plane
# Creer un projet sur Scaleway Paris
$ curl -X POST .../projects \
  -d '{"name":"my-app","region":"scw-fr-par-1"}'

{"id":"abc","region":"scw-fr-par-1",
  "provider":"scaleway"}

# Ou sur OVH Cloud Gravelines
$ curl -X POST .../projects \
  -d '{"name":"my-app","region":"ovh-gra-1"}'

{"id":"def","region":"ovh-gra-1",
  "provider":"ovhcloud"}

# Verifier la sante des data planes (admin)
$ curl .../admin/data-planes

[{"id":"scw-fr-par-1","healthy":true},
  {"id":"ovh-gra-1","healthy":true}]
DEVELOPER

Public REST API

Create a project and get the connection string in a single request. Easy to integrate into your CI/CD pipelines.

  • 40+ documented endpoints
  • Bearer tokens scoped by organization
  • Key format: lmp_live_xxx
  • Full reference at /docs
# Creer un projet en une requete
$ curl -X POST \
  -H "Authorization: Bearer lmp_live_xxx" \
  -d '{"name":"my-app","region":"fr-par-1"}' \
  api.lampion.cloud/v1/projects

{"id":"abc123",
  "endpoint_id":"ep-abc",
  "connection_string":"postgresql://
    cloud_admin:[email protected]
    :5432/ep-abc.postgres?sslmode=require",
  "pg_password":"YaQYfbg..."}

# Pret a utiliser immediatement
PORTABILITY

Cloud-to-cloud migration

Move a project from one provider to another, from one region to another, in a single command. Lampion replicates the data, switches traffic over via the TCP proxy, and removes the source. Zero application downtime.

  • Scaleway → OVHcloud (and vice versa)
  • Inter-region migration (fr-par → gra)
  • Full replication before cutover
  • Connection string unchanged on the application side
  • Automatic rollback on failure
# Migrer de Scaleway Paris vers OVHcloud Gravelines
$ curl -X POST .../projects/abc123/migrate \
  -d '{"target_region":"ovh-gra-1"}'

{"id":"mig-7f",
  "source":"scw-fr-par-1",
  "target":"ovh-gra-1",
  "status":"replicating",
  "eta_seconds":120}

# Suivre l'avancement
$ curl .../projects/abc123/migrate/mig-7f

{"status":"completed",
  "duration_seconds":98,
  "data_transferred_mb":1420,
  "downtime_ms":0}

# Le connection string n'a pas changé
# Le proxy reroute automatiquement

Ready to try it?

Get started for free with 3 projects.

Create an account API Documentation