Access Rules

Access rules define which roles can perform specific HTTP methods on your collections and views.

Structure

Access rules are defined per HTTP method with a list of allowed roles:

{
  "access": [
    { "method": "GET", "roleNames": ["_AUTHENTICATED_USER"] },
    { "method": "POST", "roleNames": ["manager", "editor"] },
    { "method": "PATCH", "roleNames": ["manager", "editor"] },
    { "method": "DELETE", "roleNames": ["manager"] }
  ]
}

Supported Methods

Method	Description
`GET`	Read items from the collection
`POST`	Create new items
`PUT`	Replace existing items
`PATCH`	Update existing items
`DELETE`	Remove items
`LISTEN`	Subscribe to real-time updates

note

The LISTEN method is required for real-time functionality. Without LISTEN access configured, clients cannot subscribe to changes on that collection. See Real Time for more details.

Role Names

Access rules accept both built-in and custom role names:

{ "method": "GET", "roleNames": ["_EVERYONE"] }
{ "method": "POST", "roleNames": ["_AUTHENTICATED_USER"] }
{ "method": "DELETE", "roleNames": ["manager", "moderator"] }

Multiple Roles

When multiple roles are specified, access is granted if the user has any of the listed roles:

{ "method": "PATCH", "roleNames": ["manager", "editor", "_CREATOR"] }

This allows managers, editors, or the record creator to update items.

Configuring Access Rules

In the Developer Portal

Navigate to your API
Open a collection or view
Go to the Access tab
Configure permissions for each method

In Schema JSON

Define access rules in your schema file:

{
  "collections": [
    {
      "name": "posts",
      "access": [
        { "method": "GET", "roleNames": ["_EVERYONE"] },
        { "method": "POST", "roleNames": ["_AUTHENTICATED_USER"] },
        { "method": "PATCH", "roleNames": ["_CREATOR", "manager"] },
        { "method": "DELETE", "roleNames": ["_CREATOR", "manager"] }
      ],
      "properties": [...]
    }
  ]
}

View-Level Access

Views can have their own access rules independent of the base collection:

{
  "collections": [
    {
      "name": "posts",
      "access": [
        { "method": "GET", "roleNames": ["_AUTHENTICATED_USER"] }
      ],
      "views": [
        {
          "name": "public-posts",
          "filter": "status eq \"published\"",
          "access": [
            { "method": "GET", "roleNames": ["_EVERYONE"] }
          ]
        }
      ]
    }
  ]
}

In this example:

The base posts collection requires authentication
The public-posts view is accessible to everyone

Common Patterns

Public Read, Authenticated Write

[
  { "method": "GET", "roleNames": ["_EVERYONE"] },
  { "method": "POST", "roleNames": ["_AUTHENTICATED_USER"] },
  { "method": "PATCH", "roleNames": ["_AUTHENTICATED_USER"] },
  { "method": "DELETE", "roleNames": ["manager"] }
]

Owner-Only Access

[
  { "method": "GET", "roleNames": ["_CREATOR"] },
  { "method": "PATCH", "roleNames": ["_CREATOR"] },
  { "method": "DELETE", "roleNames": ["_CREATOR"] }
]

Manager Full Control

[
  { "method": "GET", "roleNames": ["manager", "viewer"] },
  { "method": "POST", "roleNames": ["manager"] },
  { "method": "PUT", "roleNames": ["manager"] },
  { "method": "PATCH", "roleNames": ["manager"] },
  { "method": "DELETE", "roleNames": ["manager"] }
]

Access Denied Responses

When access is denied, the API returns:

401 Unauthorized — No valid authentication token
403 Forbidden — Authenticated but insufficient permissions

Structure​

Supported Methods​

Role Names​

Multiple Roles​

Configuring Access Rules​

In the Developer Portal​

In Schema JSON​

View-Level Access​

Common Patterns​

Public Read, Authenticated Write​

Owner-Only Access​

Manager Full Control​

Access Denied Responses​