What you will learn:

  • How the Data API and Neon RLS use Row-Level Security

Row-Level Security (RLS) is a Postgres feature that controls access to individual rows in a table based on the current user. Here's a simple example that limits the notes a user can see by matching rows where their user_id matches the session's auth.user_id():

-- Enable RLS on a table
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;

-- Create a policy that only allows users to access their own notes
CREATE POLICY "users_can_only_access_own_notes" ON notes
  FOR ALL USING (auth.user_id() = user_id);

Neon provides two ways to apply RLS for client-side querying:

Note, the Data API and Neon RLS are not compatible. If you are using the Data API on a given branch, make sure Neon RLS is disabled for your project.

Data API with RLS

The Data API turns your database tables on a given branch into a REST API, and it requires RLS policies on all tables to ensure your data is secure.

How it works

  • The Data API handles JWT validation and provides the auth.user_id() function.
  • Your RLS policies use auth.user_id() to control access.
  • All tables accessed via the Data API must have RLS enabled.

Neon RLS (JWT/JWKS Integration)

Neon RLS provides JWT/JWKS integration at the database level, exposing a single endpoint that accepts direct SQL queries over HTTP.

How it works

  • The pg_session_jwt extension provides the auth.user_id() function.
  • Your RLS policies use auth.user_id() to control access.
  • It works with the Neon HTTP driver for direct database queries.

RLS with Drizzle ORM

Drizzle makes it simple to write RLS policies that work with both the Data API and Neon RLS. We highly recommend using its crudPolicy helper to simplify common RLS patterns.

Postgres RLS Tutorial

To learn the fundamentals of Row-Level Security in Postgres, including detailed concepts and examples, see the Postgres tutorial: