At some point in every growing project, the “just share the key in Slack” approach to vector database access stops being acceptable. Maybe it already broke once when someone rotated a key without telling everyone. Maybe a contractor left and you are not sure what they still have access to. Maybe the team has grown to the point where nobody knows who has what credentials anymore.
Getting internal team access right is not a complicated problem, but it does require a few deliberate decisions early. The choices you make about how credentials are created, stored, and distributed determine whether adding a new teammate is a five-minute process or a half-day of debugging why their connection is not working.
The Problems That Come From Unstructured Access
When a team shares credentials informally, several problems tend to develop in parallel.
No isolation between people. When everyone uses the same key, you cannot tell from logs or audit trails which team member or service took a particular action. Debugging unexpected behavior becomes difficult because any of several people could be responsible.
Painful offboarding. When a developer leaves the team and you need to revoke their access, you have to rotate the shared key and update every service and developer that was using it. The coordination cost is high enough that teams often skip it, leaving former employees with indefinite access.
Unintended permission spread. A key created for an admin task gets shared with a developer who only needed read access, and now that developer has write permissions they do not need and were not supposed to have.
Brittle credential distribution. Keys passed over chat, email, or shared documents are hard to track and easy to lose. When someone cannot connect, they ask for the key again, and it gets shared through another untracked channel.
None of these problems is catastrophic on its own. Together, they create a slow accumulation of access debt that is difficult to unwind.
The Right Structure for Team Access
A well-structured approach to internal team access has three components.
Individual credentials per person. Each team member gets their own API key, not a copy of a shared key. This makes revocation clean and auditing possible. When someone leaves, you disable their key. When you need to understand who ran a particular operation, you check which key was used.
Scoped permissions per role. Not everyone needs the same level of access. Developers building features need read and write access to specific collections. Analysts running queries need read access. Administrators setting up infrastructure need full access. Matching the permission level to the actual need limits the damage if any one credential is compromised.
Secure, systematic credential distribution. Keys should reach team members through a proper channel — a secrets manager, an internal vault, or an encrypted handoff — not through a chat message. Each team member stores their key as an environment variable, not in source code.
Onboarding a New Team Member
The onboarding process for a new team member’s vector database access should be reproducible enough that anyone can do it in a few minutes. A rough template:
- Create a new API key for that person, named with their identity
- Assign the role appropriate to their responsibilities
- Share the key and the cluster endpoint through a secure channel
- The team member stores both as environment variables
- They verify the connection works before starting any actual work
This process takes about five minutes. The alternative — waiting until the person needs access and then scrambling to figure out what they need and how to give it to them — consistently takes longer and produces worse results.
Managing Access at Scale
For small teams, manual key creation and assignment is manageable. As teams grow, the manual overhead starts to accumulate. A team of twenty people with regular hiring and departures means access management becomes a recurring maintenance task rather than a one-time setup.
Two approaches help at scale. The first is programmatic key creation — using the vector database’s management API to create keys as part of an automated onboarding workflow rather than doing it manually through the console. The second is integrating with an identity provider (Okta, Azure AD, Auth0), where group membership in the IdP automatically maps to roles in the vector database. New team members get access when they are added to the right group in the IdP; departing members lose access when they are removed.
The IdP integration approach is the cleanest at scale because it eliminates the vector database as a separate system to keep in sync with your organization’s access records.
Weaviate: Setting Up Internal Team Access in Practice
Here is how the above structure maps to Weaviate.
Creating Individual Keys Per Team Member
For v1.30+ clusters, use the user management API to create a key for each team member programmatically:
user_api_key = client.users.db.create(user_id="teammate-name")
client.users.db.assign_roles(
user_id="teammate-name",
role_names=["searchApplication"]
)
Or do it through the Weaviate Cloud console: Cluster details → API Keys → New key. Give each key a name that identifies the person, assign the appropriate role, and copy the key to share through a secure channel.
Roles to Match Actual Needs
Assign the minimum role needed for each person’s work:
| Team function | Role | Access level |
|---|---|---|
| Developers | Custom read/write role | Read + write on specific collections |
| Analysts | Built-in viewer |
Read-only across all resources |
| Admins | Built-in root |
Full access |
| External / limited services | Custom scoped role | Read from specific collections only |
Secure Credential Distribution
Share the REST endpoint URL and API key through a proper channel. Each team member stores them as environment variables:
export WEAVIATE_URL="https://your-cluster-url"
export WEAVIATE_API_KEY="your-api-key"
Verifying the Connection
Each team member confirms their setup works before starting any work:
import weaviate
from weaviate.classes.init import Auth
import os
client = weaviate.connect_to_weaviate_cloud(
cluster_url=os.environ["WEAVIATE_URL"],
auth_credentials=Auth.api_key(os.environ["WEAVIATE_API_KEY"]),
)
print(client.is_ready()) # True means connected and ready
client.close()
True confirms the credential is valid, the endpoint is correct, and the connection is working. If it fails, the most common causes are a missing or incorrectly set environment variable, or a key that was not yet created in the console.
When the Team Grows
For larger teams using an identity provider, Weaviate supports mapping IdP groups directly to roles. Adding someone to the right group in your IdP automatically grants them the corresponding Weaviate access — no separate step required in the vector database console.