What you will learn:

  • How the Data API uses Row-Level Security

Row-Level Security (RLS) is a Postgres feature that restricts which rows of a table a statement can read or write, based on the current user. Here's a simple example that limits each user to their own notes by allowing only rows whose user_id matches the auth.user_id() of the session:

-- Enable RLS on a table
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;

-- Create a policy that only allows users to access their own notes.
-- FOR ALL covers SELECT, INSERT, UPDATE and DELETE. No WITH CHECK clause is
-- given, so Postgres reuses the USING expression to validate inserted and
-- updated rows: a user cannot create a note owned by someone else or
-- reassign one of their notes to another user_id.
CREATE POLICY "users_can_only_access_own_notes" ON notes
  FOR ALL USING (auth.user_id() = user_id);

When using the Data API for client-side querying, RLS policies are required: the client talks to the database directly, so the policies, not your application code, are what keep one user's data from another.

Data API with RLS

The Data API turns the database tables on a given branch into a REST API, and it requires RLS policies on every table it exposes, because those policies are the only access control between the caller and the rows.

How it works

  • The Data API validates the caller's JWT and provides the auth.user_id() function, which returns the authenticated user's ID (or NULL when there is no authenticated user).
  • Your RLS policies use auth.user_id() to control access; a comparison against NULL evaluates to NULL, which RLS treats as false, so unauthenticated requests match no rows.
  • All tables accessed via the Data API must have RLS enabled. A table with RLS enabled but no policy denies everything to non-owner roles, so each table also needs policies for the operations you intend to allow.

RLS with Drizzle ORM

Drizzle makes it simple to write RLS policies that work with the Data API. We highly recommend using its crudPolicy helper, which lets you declare a read rule and a modify rule for a role in one place instead of writing separate SELECT, INSERT, UPDATE and DELETE policies by hand.
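As an added example, not code from this page, from Neon or from Drizzle, here is the complete policy set for the "How it works" list above written by hand in the same read/modify split the crudPolicy helper encourages, and exercised against a plain local Postgres. The auth schema function, the app_user role and the notes table are assumptions of this example: the stand-in auth.user_id() reads a session setting so the policies can be tested without the Data API and must not be deployed, since in production the Data API supplies auth.user_id() from the validated JWT.

```sql
-- Added example (not the page's or the project's code). Run as a superuser or
-- as a member of app_user, since SET ROLE below requires that.

-- Local stand-in for auth.user_id() (assumption for this example only). The
-- Data API provides the real function from the validated JWT; this one reads a
-- session setting so the policies can be exercised offline. Do not deploy it.
CREATE SCHEMA IF NOT EXISTS auth;
CREATE OR REPLACE FUNCTION auth.user_id() RETURNS text
  LANGUAGE sql STABLE
AS $$ SELECT nullif(current_setting('app.user_id', true), '') $$;

-- Owner is filled in server-side from the session, never trusted from the client.
CREATE TABLE notes (
  id      bigserial PRIMARY KEY,
  user_id text NOT NULL DEFAULT auth.user_id(),
  body    text NOT NULL
);

ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;   -- apply policies to the table owner too

-- Role the API would connect as (assumed name).
CREATE ROLE app_user NOLOGIN;
GRANT USAGE ON SCHEMA auth TO app_user;        -- needed to call auth.user_id()
GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;
GRANT USAGE, SELECT ON SEQUENCE notes_id_seq TO app_user;

-- Read policy: a row is visible only to its owner.
CREATE POLICY notes_read ON notes FOR SELECT TO app_user
  USING (auth.user_id() = user_id);

-- Modify policies. USING selects the existing rows a statement may touch;
-- WITH CHECK rejects new or updated rows that would belong to someone else.
CREATE POLICY notes_insert ON notes FOR INSERT TO app_user
  WITH CHECK (auth.user_id() = user_id);
CREATE POLICY notes_update ON notes FOR UPDATE TO app_user
  USING (auth.user_id() = user_id)
  WITH CHECK (auth.user_id() = user_id);
CREATE POLICY notes_delete ON notes FOR DELETE TO app_user
  USING (auth.user_id() = user_id);

-- Exercise the policies as the API role, switching the simulated user.
SET ROLE app_user;

SELECT set_config('app.user_id', 'alice', false);
INSERT INTO notes (body) VALUES ('alice''s note');          -- user_id = 'alice'
-- Alice cannot plant a note owned by bob; WITH CHECK raises
-- "new row violates row-level security policy for table "notes"":
-- INSERT INTO notes (user_id, body) VALUES ('bob', 'forged');

SELECT set_config('app.user_id', 'bob', false);
INSERT INTO notes (body) VALUES ('bob''s note');
SELECT id, user_id, body FROM notes;                        -- bob's row only
UPDATE notes SET body = 'changed' WHERE user_id = 'alice';  -- UPDATE 0, filtered by USING
DELETE FROM notes WHERE user_id = 'alice';                  -- DELETE 0

-- No authenticated user: auth.user_id() is NULL, every comparison is NULL,
-- and RLS treats NULL as false, so nothing is readable or writable.
SELECT set_config('app.user_id', '', false);
SELECT count(*) FROM notes;                                 -- 0

RESET ROLE;
```

The split into four policies is what makes the forged-owner insert and the cross-user update fail in different, visible ways (an error from WITH CHECK, a zero-row result from USING); a single FOR ALL policy without an explicit WITH CHECK gets the same protection only because Postgres copies the USING expression, which is easy to forget when the two expressions later diverge.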

Postgres RLS Tutorial

To learn the fundamentals of Row-Level Security in Postgres, including detailed concepts and examples, see the Postgres tutorial: