This is the direct connector — it points Evidence at a ClickHouse instance you own. It’s distinct from Evidence’s built-in managed warehouse (which also runs on ClickHouse under the hood).
Connecting
You only need three things: the host, a username, and a password (or a JWT access token for ClickHouse Cloud).Find your connection details
ClickHouse Cloud: open your service in the Cloud console and click Connect. Copy the host (e.g.
abc123.us-east-1.aws.clickhouse.cloud) and the password for the default user. Use port 8443 (HTTPS).Self-hosted: use the host and port configured for your instance. The HTTP interface defaults to port 8123, or 8443 when TLS is enabled.Configure the connector in Evidence
Go to Connectors in the sidebar, choose ClickHouse in the Warehouse card, and fill in the form. Leave Use TLS on for Cloud; turn it off only for a plain-HTTP self-hosted instance.
(Optional) Restrict the schema browser
Add database names to Databases to limit which ones appear in the schema browser. Leave empty to show just the connection’s default database.
Create a dedicated read-only user
The setup above will work with thedefault user, but for production you should give Evidence its own credentials with SELECT-only access. In the SQL console (or via clickhouse-client):
Configuration reference
- Studio
- CLI (connection.yaml)
Credentials
ClickHouse HTTP(S) interface hostname, e.g. abc123.us-east-1.aws.clickhouse.cloud.
HTTP(S) interface port — 8443 for TLS (the ClickHouse Cloud default), 8123 for plain HTTP. Default:
8443.Connect over HTTPS. Leave on for ClickHouse Cloud; turn off for a plain-HTTP self-hosted instance. Default:
true.ClickHouse user to connect as. Default:
"default".Password for the ClickHouse user.
JWT access token. Supported by ClickHouse Cloud only; mutually exclusive with password.
Default database for unqualified table references. Default:
"default".Visibility
Allowlist of databases exposed to the editor and schema browser. Defaults to the connection database when empty. Default:
[].Row-Level Security
Any row policies defined in your ClickHouse instance apply to queries issued by Evidence. Policies evaluate against the connection-level user — the credentials configured for the warehouse — rather than the individual Evidence viewer.Per-viewer row-level security is planned for an upcoming release. Evidence will propagate each viewer’s identity to ClickHouse, allowing row policies to filter results on a per-user basis. To discuss your requirements or request early access, contact support@evidence.dev.
Security Considerations
Evidence executes queries against your ClickHouse instance. Take pragmatic steps to protect it against misuse, whether accidental or malicious.- Use a dedicated user with
SELECT-only grants (see above). Avoid reusing thedefaultaccount in production. - Scope
GRANT SELECTto the specific databases (or tables) Evidence should see — not*.*. - Cap query cost via a settings profile on the user —
max_execution_time,max_memory_usage,max_rows_to_readare a good baseline. Avoidreadonly = 1; it blocks the per-query setting Evidence uses for number formatting. Usereadonly = 2if you want a read-only enforcement at the profile level (it still allows the client to override session settings). - For ClickHouse Cloud, restrict the service’s IP access list to Evidence’s egress IPs plus your team’s networks.
- Monitor the query log and alert on non-
SELECTstatements issued by the Evidence user (there shouldn’t be any).