Managed MongoDB
A managed MongoDB instance — a NoSQL document database for flexible, schema-less data. MongoDB is one of the managed database services Temps runs as a container on your own infrastructure.
Provision and manage MongoDB three ways: the dashboard, the @temps-sdk/cli command-line tool (Manage from the CLI), or the REST API. If you use an AI coding agent (Claude Code, Cursor, Windsurf), install the temps-cli skill and just describe what you want.
Creating a MongoDB Instance
Via Dashboard:
- Navigate to Services → Create Service.
- Select MongoDB.
- Choose the image:
- MongoDB 8 (Managed + WAL-G) — the recommended default (
gotempsh/mongodb-walg:8.0). This image archivesmongodumpsnapshots to S3. - Custom image — bring your own (e.g.
mongo:7.0). Custom images support local dumps only.
- MongoDB 8 (Managed + WAL-G) — the recommended default (
- Optionally enable replica set mode (see below).
- Click Create Service.
On creation Temps auto-assigns a host port starting from 27017, creates a dedicated Docker volume at /data/db, and generates a root user with an auto-generated password.
Replica set mode runs a single-node replica set (which unlocks transactions and change streams). Temps auto-generates the authentication keyfile when you enable it. This choice is made at creation and cannot be changed afterward. Standalone mode is the default.
Manage from the CLI
Provision and manage MongoDB from the terminal with the @temps-sdk/cli tool — the same flow worked end-to-end for PostgreSQL.
Create
# Log in once (stores credentials in ~/.temps)
bunx @temps-sdk/cli login
# Create the service. Set parameters with repeatable -s key=value flags;
# if a required one is missing the CLI fails fast and names it, so you
# can add it and re-run.
bunx @temps-sdk/cli services create -t mongodb -n my-mongo -y
Inspect, link & manage
# List services and grab the numeric ID
bunx @temps-sdk/cli services list
# Full details, including the connection string
bunx @temps-sdk/cli services show --id 10
# Link to a project so MONGODB_URL (and friends) are injected on deploy
bunx @temps-sdk/cli services link --id 10 --project-id 5
bunx @temps-sdk/cli services env --id 10 --project-id 5 # see injected vars
bunx @temps-sdk/cli services unlink --id 10 --project-id 5
# Lifecycle
bunx @temps-sdk/cli services stop --id 10
bunx @temps-sdk/cli services start --id 10
bunx @temps-sdk/cli services upgrade --id 10 -v mongo:7.0
bunx @temps-sdk/cli services remove --id 10 -f # destroys data
Prefer natural language? With the temps-cli skill installed, ask your AI agent to "create a MongoDB service and link it to my project" and it runs these commands for you. The same services create -t <type> flow covers every managed database — see Managed PostgreSQL for the fully worked, parameter-by-parameter example.
Connecting to MongoDB
Node.js with the MongoDB driver
import { MongoClient } from 'mongodb';
// MONGODB_URL is injected automatically when the service is linked
const client = new MongoClient(process.env.MONGODB_URL);
await client.connect();
const db = client.db(process.env.MONGODB_DATABASE);
const user = await db.collection('users').findOne({ id: userId });
Python with pymongo
import os
from pymongo import MongoClient
client = MongoClient(os.environ['MONGODB_URL'])
db = client[os.environ['MONGODB_DATABASE']]
user = db['users'].find_one({'id': user_id})
Connection string format: mongodb://<user>:<password>@<host>:27017/<database> (with ?replicaSet=<name> appended when replica-set mode is enabled).
Connections happen over the Temps internal network using the container name as the host — the port is not exposed to the public internet.
Linking to Projects
When you link a MongoDB service to a project, Temps injects these variables into the environment:
| Variable | Description |
|---|---|
MONGODB_URL | Full connection string |
MONGODB_HOST | Container hostname |
MONGODB_PORT | Port (27017) |
MONGODB_DATABASE | Database name |
MONGODB_USERNAME | Username |
MONGODB_PASSWORD | Password |
Common Use Cases
- Name
Flexible Documents- Description
Store records whose shape varies between entries without migrations:
await db.collection('events').insertOne({ type: 'signup', payload: { plan: 'pro', referrer: 'docs' }, at: new Date(), });
- Name
Content & Catalogs- Description
Model nested, hierarchical data (product catalogs, CMS content) as a single document instead of joining across tables.
- Name
Aggregation Pipelines- Description
Compute analytics in the database with the aggregation framework:
const topPlans = await db.collection('events').aggregate([ { $match: { type: 'signup' } }, { $group: { _id: '$payload.plan', count: { $sum: 1 } } }, { $sort: { count: -1 } }, ]).toArray();
Backups & Durability
The managed gotempsh/mongodb-walg image archives mongodump snapshots to your configured S3 destination on a schedule you set; each backup schedule has its own retention window (in days). Custom images fall back to local dumps only. Unlike PostgreSQL, MongoDB restore is snapshot-based (latest) — there is no point-in-time recovery.
Restores are driven from the CLI:
Restore via the Temps CLI
temps services restore capabilities
temps services restore list-backups
temps services restore start
For higher availability, enable replica set mode at creation so the instance runs as a replica set rather than a single standalone node.
Monitoring
View live metrics and health in the dashboard's Services section — CPU & memory usage, connection count, disk usage, and uptime. Service-level monitoring is not yet exposed through the CLI.
Resource Limits
You can cap how much memory, swap, and CPU the service's container is allowed to use, and inspect what it's actually consuming. A service with no limits set runs unconstrained (the default). The same controls apply to every managed service type — PostgreSQL (standalone and cluster), MongoDB, Redis, RustFS, and S3.
The service detail page shows a Resources card that polls runtime status every 30 seconds and live usage every 5 seconds, plus an Edit limits dialog.
Editing limits
Open Services → select the service → Resources card → Edit limits. The dialog has independent Memory and CPU toggles:
| Field | Meaning | Empty / off |
|---|---|---|
| Memory | Hard memory cap, in MiB | Unlimited |
| Swap | Extra swap above the memory cap, in MiB | No extra swap |
| CPU | CPU cap, in cores | Unlimited |
The Swap input means swap in addition to the memory limit — Memory = 512 and Swap = 256 lets the container use 512 MiB of RAM plus 256 MiB of swap. Internally Temps submits memory + swap to Docker. When a memory cap is set and the working set exceeds it, the kernel OOM killer terminates the container — that kill never reaches the app's own logs, so the oom_killed flag on the runtime endpoint is often the only signal.
Endpoints
All served under the /api prefix:
GET /api/external-services/{id}/runtime
GET /api/external-services/{id}/stats
PATCH /api/external-services/{id}/resources
GET …/runtime(ExternalServicesRead) — a per-containerdocker inspectsnapshot:status,restart_count(a steady climb signals a crash loop),oom_killed, lastexit_code, image, and the limits actually applied (so you can detect drift between configured and live caps).GET …/stats(ExternalServicesRead) — a one-shot CPU/memory usage sample per container, cheap enough to poll every 5–10s.memory_percentis measured against the memory limit when one is set, or against host RAM otherwise.PATCH …/resources(ExternalServicesWrite) — persists the caps to the service's encrypted config and live-applies them via Docker's update API (no restart needed). A request where every field isnullremoves all limits.
Security
- Name
Network Isolation- Description
- Reachable only from containers on the same Temps internal network — the port is never exposed to the public internet
- Apps connect using the container name as the host, over private networking
- Credentials are auto-generated at creation; you never have to choose a password
- Name
Credential Handling- Description
- Temps injects credentials as environment variables when the service is linked — never hard-code them
- Credentials are stored encrypted at rest (see Encryption below)
- Rotate them from Services → select service → Rotate Credentials; linked projects update automatically
Encryption
Credentials (passwords, access keys) are encrypted with AES-256-GCM before being written to the Temps database. The key lives at ~/.temps/encryption_key — protect this file and back it up separately from the database.
Database contents are not encrypted at the application layer by default. For encryption at rest, enable it at the infrastructure level — encrypted volumes or LUKS on bare metal; Temps does not manage disk encryption. In transit, traffic stays on the internal Docker network and is never exposed to the public internet.
Deleting the Service
Deleting the service permanently destroys all data and backups associated with it. This cannot be undone.
- Download a backup — Services → select the service → Backups → download the latest.
- Unlink all projects so no running app still holds a reference to the credentials.
- Delete the service from its settings page and confirm.
Pricing & Ownership
Because the service runs on your own infrastructure, there are no per-GB storage charges, connection caps, or metered bandwidth fees. A recommended starting allocation:
| Tier | Allocation |
|---|---|
| Small | 1 GB RAM, 10 GB storage |
| Medium | 2 GB RAM, 50 GB storage |
| Large | 4 GB+ RAM, 200 GB+ storage |
MongoDB is built in — Vercel and Netlify are external-only, while Railway includes it. Your data never leaves your server; Temps (the company) has no access to it. See Data Ownership & Privacy for the full policy, including GDPR.