What you will learn:
How the Data API uses Row-Level Security
Row-Level Security (RLS) is a Postgres feature that controls access to individual rows in a table based on the current user. Here's a simple example that limits the notes
a user can see by matching rows where their user_id
matches the session's auth.user_id()
:
-- Enable RLS on a table
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
-- Create a policy that only allows users to access their own notes
CREATE POLICY "users_can_only_access_own_notes" ON notes
FOR ALL USING (auth.user_id() = user_id);
When using the Data API for client-side querying, RLS policies are required to secure your data.
Data API with RLS
The Data API turns your database tables on a given branch into a REST API, and it requires RLS policies on all tables to ensure your data is secure.
How it works
- The Data API handles JWT validation and provides the
auth.user_id()
function. - Your RLS policies use
auth.user_id()
to control access. - All tables accessed via the Data API must have RLS enabled.
Get started
Learn how to enable and use the Data API with RLS policies
Building a note-taking app
See a complete example of the Data API with RLS in action
RLS with Drizzle ORM
Drizzle makes it simple to write RLS policies that work with the Data API. We highly recommend using its crudPolicy
helper to simplify common RLS patterns.
Postgres RLS Tutorial
To learn the fundamentals of Row-Level Security in Postgres, including detailed concepts and examples, see the Postgres tutorial: