Access Rules
EdgeBase uses access functions to control product surfaces that accept client input.
Overview
| Feature | Operations | Config Location |
|---|---|---|
| Database table | read, insert, update, delete | databases[ns].tables[name].access |
| Database block | canCreate, access | databases[ns].access |
| Storage bucket | read, write, delete | storage.buckets[name].access |
| Realtime namespace | subscribe, publish | realtime.namespaces[pattern].access |
| Room | metadata, join, action | rooms[namespace].access |
| Push | send | push.access |
| KV | read, write | kv[namespace].rules |
Use auth.handlers.hooks.enrich when access checks need request-scoped metadata.
Table Access
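```typescript
export default defineConfig({
  databases: {
    shared: {
      tables: {
        posts: {
          access: {
            // Anyone, including unauthenticated clients, may read.
            read: () => true,
            // Any signed-in user may insert (auth is null when not signed in).
            insert: (auth) => auth !== null,
            // Only the row's author may update.
            update: (auth, row) => auth?.id === row.authorId,
            // Only admins may delete.
            delete: (auth, row) => auth?.role === 'admin',
          },
        },
      },
    },
  },
});
```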
Storage Access
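```typescript
export default defineConfig({
  storage: {
    buckets: {
      photos: {
        access: {
          // Anyone may read files in this bucket.
          read: () => true,
          // Any signed-in user may upload.
          write: (auth) => auth !== null,
          // Only the uploader may delete the file.
          delete: (auth, file) => auth?.id === file.uploadedBy,
        },
      },
    },
  },
});
```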
Default Behavior
- `release: false` - configured resources are open during development unless the feature overrides this
- `release: true` - missing `access` means deny-by-default
- rooms are stricter:
  - in release mode, `metadata`, `join`, and `action` are denied unless you configure `access` or opt into `public.*`
Service Keys
Server-side service keys bypass access checks for trusted backend operations.
That bypass is exposed across all Admin SDKs.
```typescript
const admin = createAdminClient(process.env.EDGEBASE_URL!, {
  serviceKey: process.env.EDGEBASE_SERVICE_KEY!,
});
```
Notes
- Access functions receive `auth` as `AuthContext | null`.
- Row/file arguments are only available on operations that target an existing entity.
- Throwing from `access` is treated as rejection.
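The semantics in these notes (a null `auth`, throws treated as rejection, deny-by-default in release mode) can be exercised locally before rules are deployed. The following is an added example, not EdgeBase code: `evaluate`, `ownershipMatrix`, `updateHardened` and the sample callers and rows are hypothetical. It goes slightly beyond the page by showing that, in plain JavaScript, `auth?.id === row.authorId` is true when both sides are `undefined`.

```javascript
// Added example, not EdgeBase code. `evaluate` is a hypothetical local harness
// that applies the semantics stated on this page.

// Rule copied from the Table Access section.
const updateAsDocumented = (auth, row) => auth?.id === row.authorId;

// Hardened variant (assumption: anonymous callers must never update a row).
// Requires a signed-in caller with a defined id before comparing.
const updateHardened = (auth, row) =>
  auth !== null && auth.id !== undefined && auth.id === row.authorId;

// Evaluate one operation against an `access` object.
// - a missing rule is denied when `release` is true (deny-by-default);
//   allowing it when `release` is false is this harness's reading of the page
// - a throw is treated as rejection
// - only a literal `true` allows (harness choice, stricter than truthiness)
function evaluate(access, op, auth, entity, release = true) {
  const rule = access ? access[op] : undefined;
  if (typeof rule !== 'function') return !release;
  try {
    return rule(auth, entity) === true;
  } catch (err) {
    return false;
  }
}

// Constructed sample callers and rows.
const alice = { id: 'u1', role: 'user' };
const ownedRow = { id: 'p1', authorId: 'u1' };
const legacyRow = { id: 'p2' }; // constructed row with no authorId value

// Run one update rule over the cases that matter for an ownership check.
function ownershipMatrix(updateRule) {
  const access = { update: updateRule };
  return {
    owner: evaluate(access, 'update', alice, ownedRow),
    otherUser: evaluate(access, 'update', { id: 'u2', role: 'user' }, ownedRow),
    anonymous: evaluate(access, 'update', null, ownedRow),
    anonymousOnRowWithoutAuthor: evaluate(access, 'update', null, legacyRow),
    missingEntity: evaluate(access, 'update', alice, undefined), // rule throws
    unconfiguredOp: evaluate(access, 'delete', alice, ownedRow), // no rule set
  };
}

console.log('as documented:', ownershipMatrix(updateAsDocumented));
console.log('hardened:     ', ownershipMatrix(updateHardened));
```

The two matrices differ only in `anonymousOnRowWithoutAuthor`, which is the case to cover when a table can hold rows without an owner value.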