Skip to main content

Documentation Index

Fetch the complete documentation index at: https://datost.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Datost connects to Microsoft SQL Server (2016+) and Azure SQL using the official mssql driver. Once connected, Datost can list schemas, inspect tables, and run read-only queries on your behalf when teammates ask questions in Slack.

What you’ll need

  • A SQL Server host reachable by Datost (public) or a Tunnel Agent host (private)
  • TCP port (default 1433)
  • Database name (defaults to master)
  • A SQL Authentication user and password
Datost uses SQL Authentication. Windows / Integrated Authentication is not supported — create a dedicated SQL login for Datost.

1. Create a read-only user

Run these statements as an admin against the database you want Datost to read. Replace the password before running. 
-- Server-level login
CREATE LOGIN datost_readonly WITH PASSWORD = 'REPLACE_ME_STRONG_PASSWORD';

-- Database-level user
USE your_database;
CREATE USER datost_readonly FOR LOGIN datost_readonly;

-- Read-only access
ALTER ROLE db_datareader ADD MEMBER datost_readonly;

-- Required for INFORMATION_SCHEMA introspection
GRANT VIEW DEFINITION TO datost_readonly;
Never reuse an application or admin account. Datost executes SQL generated by an LLM — a db_datareader-only role is the guardrail that keeps that safe.

2. Connect from the admin panel

1

Open Data sources

In the Datost admin, go to Data sources and click Add data source.
2

Pick SQL Server

Choose SQL Server from the warehouse list. The form will prefill port 1433.
3

Enter connection details

Provide the host, port, database, username, and password for datost_readonly. Give the connection a name your team will recognize in Slack.
4

Test the connection

Datost runs SELECT @@VERSION against your server using an ephemeral pool and reports the server version on success. Fix any reported error before saving.
5

Save

On save, Datost introspects INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS to build its schema index. This usually takes a few seconds.

Public vs. private instances

If your SQL Server is publicly reachable, allowlist Datost’s egress IPs on your firewall and connect directly. TLS is on by default; set SSL mode to verify-full if you want full certificate validation. For servers inside a VPC or on-prem, install the Datost Tunnel Agent on a host that can reach your database. The agent opens an outbound connection to Datost — no inbound firewall rules, no public exposure. After the agent is online, enter the private host/port in the connection form and select your tunnel.

Azure SQL

Azure SQL Database and Azure SQL Managed Instance both work with this integration. A few specifics:
  • Host looks like your-server.database.windows.net
  • Port is always 1433
  • Username must include the server for contained users: datost_readonly@your-server
  • Add Datost’s egress IPs to your Azure SQL firewall under Networking → Public access

Troubleshooting

  • Login failed — user exists at server level but not in the target database, or the db_datareader role was not granted.
  • TLS / certificate errors — lower SSL mode to require, or install a trusted cert on the server for verify-full.
  • Timeouts from a private host — confirm the Tunnel Agent is online and the host is resolvable from the agent’s network.