Security
RestAPI.com provides comprehensive security features to protect your data and control access at multiple levels.
Overview
Security in RestAPI.com is built on three core concepts:
| Concept | Description |
|---|---|
| Roles | Named groups that users belong to |
| Access Rules | Define which roles can perform which operations |
| Security Policies | Control access based on data relationships |
| Governance | Tenant-wide controls for Business tenants |
| Application Access | Gate an entire application to specific roles (Business tenants) |
| Cross-API Access | Authorize which APIs may call each other (Business tenants) |
| IP Allowlist | Restrict access by client IP address |
Built-in Roles
Every API includes these system roles:
| JSON Schema | Portal Name | Description |
|---|---|---|
| _EVERYONE | Anonymous user | Public access — anyone can access, no authentication required |
| _AUTHENTICATED_USER | Authenticated user | Any authenticated user can access |
| _CREATOR | Owner | Only the creator of a record can access it |
How Access Control Works
Access is evaluated at multiple levels:
Request → Authentication → Role Check → Security Policy → Data
- Authentication — Is the user authenticated? (required for most operations)
- Role Check — Does the user have a role that permits this operation?
- Security Policy — Does the user have access through data relationships?
Sections
- Roles — Create and manage custom roles
- Access Rules — Configure method-level permissions
- Security Policies — Row-level security through relationships
- Business Tenant Governance — Tenant-wide controls for Business tenants
- Application Access — Gate an entire application to specific roles (Business tenants)
- Cross-API Access — Authorize which APIs may call each other (Business tenants)
- IP Allowlist — Restrict access by client IP address