Persistence Layer — PostgreSQL

All WebStream state lives in PostgreSQL, organised as three logical databases with clear ownership: the IAM control plane owns webstream_iam, and the Metrics Engine owns webstream_metrics and webstream_activity. A single-server deployment runs a bundled local PostgreSQL; scaled deployments point the same connection strings at a shared or managed cluster such as RDS/Aurora.

The three databases

| Database | Owner (writer) | Also read by | Contents |
|---|---|---|---|
| webstream_iam | Access Management (standalone, or built into the Gateway) | Gateway, session hosts (auth routes), CLI commands, Metrics Engine (licence resolution at startup) | Organizations, users, groups, applications, workspaces, policies, credentials, tokens, leases, IAM audit trail. |
| webstream_metrics | Metrics Engine (sole writer) | Admin console via the query API | Node registry and time-series performance data. |
| webstream_activity | Metrics Engine (sole writer) | Admin console reports; billing rollup service | User activity audit trail and usage-metering records. |

Streamers, session hosts, and gateways never write metrics or activity data directly — they POST JSON to the Metrics Engine, which buffers and persists it. This keeps database credentials off the app tier and means the database can be moved or upgraded without touching any streamer.

Schema overview

webstream_iam

| Area | Tables |
|---|---|
| Tenancy & directory | organisations, users, groups, user_group_memberships |
| Publishing & entitlements | applications, workspaces, workspace_apps, workspace_rights, policy_sets |
| Authentication | auth_users, auth_tokens, password_history, password_reset_tokens, sso_sessions |
| Sessions & limits | user_workspace_leases, workspace_session_limits, recording_settings |
| Audit & system | activity_log (IAM admin audit), system_settings |
| Session persistence | user_registry_hive, user_filesystem_hive, user_filesystem_hive_blob |
| Auto-scaling | ami_catalog, org_ami_assignments, managed_instances, backend_tag_overrides |

webstream_metrics

| Table | Purpose |
|---|---|
| nodes | Every streamer/gateway/backend node that has reported in. |
| metrics_raw | Time-series performance snapshots: FPS, latency, CPU, bandwidth, session context. |
| events | Aggregated event counts by type. |
| workspace_sessions | One row per session with the IAM/workspace context captured at start. |

webstream_activity

| Table | Purpose |
|---|---|
| session_activity_log | Session lifecycle and file/print events (the end-user audit trail). |
| input_activity_blocks | 10-second batched input activity blocks. |
| clipboard_activity_log | Copy/paste audit records. |
| meter_slice, meter_hour_rollup, meter_submit_log | 15-minute billing slices, hourly rollups, and billing submission audit. |

Note

Two similarly named tables serve different purposes: activity_log in the IAM database is the administrative audit (who changed which org/user/policy), while session_activity_log in the activity database is end-user session telemetry.

Connections and credentials

Each database section in app.config.xml carries a connection string without a password, plus a <passwordRef> resolved at runtime — passwords are never stored in plaintext:

| Config section | Default connection |
|---|---|
| accessManagement.database | Host=127.0.0.1;Port=5432;Database=webstream_iam;Username=webstream_iam;Pooling=true |
| metricsEngine.database.metrics | Host=127.0.0.1;Port=5432;Database=webstream_metrics;Username=webstream_metrics;Pooling=true |
| metricsEngine.database.activity | Host=127.0.0.1;Port=5432;Database=webstream_activity;Username=webstream_activity;Pooling=true |

passwordRef supports two schemes: dpapi:<base64> (Windows DPAPI ciphertext that decrypts only on that host — the installer's default) and env:<VARNAME> (an environment variable, useful with a secrets manager). Pool sizes are capped per section with maxPoolSize.
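
An added example, not part of the WebStream documentation or product code: a small audit that checks each database section for the two properties described above, namely that the connection string carries no inline password and that passwordRef uses one of the two supported schemes with a usable value. The section tuples, the variable name WEBSTREAM_IAM_DB_PASSWORD and the sample values are constructed for illustration; extracting the pairs from app.config.xml is left out because the page does not show the XML layout.

```python
import base64
import os

SECRET_KEYS = {"password", "pwd"}  # keys that would embed a secret inline

def parse_conn(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in conn.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_section(name: str, conn: str, password_ref: str, env=None) -> list:
    """Return a list of findings for one database section (empty = clean)."""
    env = os.environ if env is None else env
    findings = []
    fields = parse_conn(conn)
    for key in SECRET_KEYS & fields.keys():
        findings.append(f"{name}: connection string contains inline '{key}'")
    scheme, sep, value = password_ref.partition(":")
    if not sep or not value:
        findings.append(f"{name}: passwordRef is not of the form scheme:value")
    elif scheme == "dpapi":
        try:
            base64.b64decode(value, validate=True)  # syntax check only
        except ValueError:
            findings.append(f"{name}: dpapi payload is not valid base64")
    elif scheme == "env":
        if not env.get(value):
            findings.append(f"{name}: environment variable {value} is unset or empty")
    else:
        findings.append(f"{name}: unsupported passwordRef scheme '{scheme}'")
    return findings

# Constructed sample sections (illustrative values, not from a real install).
SAMPLE = [
    ("accessManagement.database",
     "Host=127.0.0.1;Port=5432;Database=webstream_iam;Username=webstream_iam;Pooling=true",
     "env:WEBSTREAM_IAM_DB_PASSWORD"),  # hypothetical variable name
    ("metricsEngine.database.metrics",
     "Host=127.0.0.1;Port=5432;Database=webstream_metrics;Username=webstream_metrics;Password=hunter2",
     "plain:hunter2"),
    ("metricsEngine.database.activity",
     "Host=127.0.0.1;Port=5432;Database=webstream_activity;Username=webstream_activity;Pooling=true",
     "dpapi:not base64!"),
]

def audit_all(sections, env=None) -> list:
    return [f for s in sections for f in audit_section(*s, env=env)]

if __name__ == "__main__":
    print("\n".join(audit_all(SAMPLE)))
```

The dpapi branch only confirms the payload is well-formed base64; whether it decrypts can be established only on the host that produced it.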

Schema management, backup and restore

Upgrading from earlier versions

Configurations from pre-PostgreSQL releases may still show SQLite paths such as ./data/iam.db or ./metrics/metrics.db. Those settings are ignored by current releases — the <connectionString>/<passwordRef> blocks shown above are authoritative, and built-in authentication now lives in webstream_iam rather than a separate users database.