Shared instances
pocketPG uses an owner-pays model. The instance owner pays the subscription; invited members get access at no extra cost.
Roles
| Capability | Viewer | Admin | Owner |
|---|---|---|---|
| All monitoring dashboards | Yes | Yes | Yes |
| Performance history sync | Yes | Yes | Yes |
| Cloud metrics | Yes | Yes | Yes |
| Webhook configuration | No | Yes | Yes |
| Provider credential updates | No | Yes | Yes |
| Maintenance (VACUUM/ANALYZE/REINDEX) | No | Yes | Yes |
| Invite / remove members | No | No | Yes |
| Query Runner / Explain Analyze | No | No | Yes |
| View raw credentials | No | No | Yes |
| Delete instance | No | No | Yes |
Invite flow
- Owner clicks MEMBERS on an instance card.
- Enter the invitee's email and select a role (viewer or admin).
- The invitee must already have a pocketPG account.
- An email is sent with an accept link containing a unique token.
- Invitee clicks the link, signs in, and the instance appears in their dashboard.
Info: The invite token identifies the instance_members row directly, so no instance ID is needed in the accept URL. The backend verifies that the authenticated user matches the invited user, so a stolen token cannot be used by anyone else.
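The accept-time check described above, as an added example that is not pocketPG's own code. An in-memory dict stands in for the instance_members table; the function names, the digest-only token storage and the single-use status field are assumptions.

```python
import hashlib
import secrets


class InviteError(Exception):
    """Raised for any invite that cannot be accepted (deliberately generic)."""


# Constructed stand-in for the instance_members table, keyed by token digest.
MEMBERS = {}


def _digest(token):
    # Assumption: only a SHA-256 digest of the token is stored, never the token.
    return hashlib.sha256(token.encode()).hexdigest()


def create_invite(instance_id, invited_user_id, role):
    # The invite flow offers viewer or admin only; owner is never invitable.
    if role not in ("viewer", "admin"):
        raise ValueError("role must be viewer or admin")
    token = secrets.token_urlsafe(32)  # unique, unguessable token
    MEMBERS[_digest(token)] = {
        "instance_id": instance_id,
        "invited_user_id": invited_user_id,
        "role": role,
        "status": "pending",
    }
    return token  # placed in the emailed accept link


def accept_invite(token, authenticated_user_id):
    # The token alone locates the row; no instance ID comes from the URL.
    row = MEMBERS.get(_digest(token))
    if row is None or row["status"] != "pending":
        raise InviteError("invite not valid")
    # Holding the token is not enough: the signed-in user must be the invitee.
    # The same generic error is used so a caller cannot tell why it failed.
    if row["invited_user_id"] != authenticated_user_id:
        raise InviteError("invite not valid")
    row["status"] = "active"  # assumption: an invite can be accepted once
    return row["instance_id"], row["role"]
```

A mismatched user leaves the row pending, so the real invitee can still accept after someone else has tried the link.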
Access control
- Members never see the raw connection string, SSH private key, or provider credentials. The backend resolves credentials server-side via the instance ID.
- Member access is gated on the owner having an active subscription. If the owner cancels, members lose access.
- Query Runner and Explain Analyze are owner-only because they execute user-supplied SQL against the target database.
Legacy connection string path
When connecting via a raw connection string (before saving the instance), every user is treated as the effective owner. RBAC only applies to saved instances where multiple users share a single set of credentials.