Security

JWT authentication, authorization, RLS, and the request context.

dbrest reproduces the PostgREST security model: a request carries a JWT, the token resolves to a role, and that role's privileges and Row Level Security policies decide what it may read and write. On engines without native roles or RLS, dbrest emulates them so the observable behavior matches. These pages cover authentication, authorization, and the request context a policy or function sees.

Authentication Stateless JWT verification and role resolution. Authorization and RLS Table and column privileges, and Row Level Security that a client cannot bypass. Request context The claims, headers, and metadata a policy or function can read, and the response controls it can set.