Access Control
Set per-operation access rules in the schema:
| Level | Meaning | Required header |
|---|---|---|
| public | Anyone (with public key) | X-Public-Key |
| authenticated | Valid user JWT | Authorization: Bearer |
| owner | Only own rows | Authorization: Bearer |
| admin | Admin key only | X-Admin-Key |
```json
"access": {
  "read": "public",
  "create": "authenticated",
  "update": "owner",
  "delete": "admin"
},
"owner_field": "user_id"
```
When any access rule is "owner", you must set owner_field to a ref column pointing to the auth table (e.g. "user_id"). How it works:
• Read/Update/Delete: MoonDB compares the owner_field value with the user id from the JWT — users can only access their own rows.
• Insert: if the user is authenticated and doesn't provide the owner_field value, MoonDB auto-fills it from the JWT.
• For the auth table itself, use "owner_field": "id" (a user owns their own row).
Common patterns
| Use case | Access config |
|---|---|
| Public blog | read: public, create/update/delete: admin |
| Social feed | read: public, create: authenticated, update/delete: owner |
| Private notes | all: owner |
| Admin-only config | all: admin |
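The following is an added example, not MoonDB's own code: a small reference model of the four access levels, the `owner_field` rules described above (owner comparison on read/update/delete, auto-fill on insert, the `owner_field` requirement when any rule is `"owner"`), and the four configurations from the Common patterns table. It assumes the JWT has already been verified and is represented by its `sub` claim, and that the public and admin keys are the constructed sample values `pk_example` and `ak_example`; the `Request`, `check_access`, `allowed`, `validate_schema` and `schema_error` names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample secrets; a deployment would load these from config.
PUBLIC_KEY = "pk_example"
ADMIN_KEY = "ak_example"

LEVELS = ("public", "authenticated", "owner", "admin")

# The four rows of the "Common patterns" table, as access configs.
PATTERNS = {
    "public_blog": {"read": "public", "create": "admin", "update": "admin", "delete": "admin"},
    "social_feed": {"read": "public", "create": "authenticated", "update": "owner", "delete": "owner"},
    "private_notes": {op: "owner" for op in ("read", "create", "update", "delete")},
    "admin_config": {op: "admin" for op in ("read", "create", "update", "delete")},
}


@dataclass
class Request:
    """Credentials a request may carry (hypothetical model)."""
    public_key: Optional[str] = None  # X-Public-Key header
    jwt_sub: Optional[str] = None     # "sub" claim of an already-verified Bearer JWT
    admin_key: Optional[str] = None   # X-Admin-Key header


class AccessDenied(Exception):
    pass


def validate_schema(schema: dict) -> None:
    """Reject unknown levels and an "owner" rule that has no owner_field."""
    access = schema["access"]
    for op, level in access.items():
        if level not in LEVELS:
            raise ValueError(f"{op}: unknown access level {level!r}")
    if "owner" in access.values() and not schema.get("owner_field"):
        raise ValueError('an "owner" rule requires owner_field')


def schema_error(schema: dict) -> Optional[str]:
    """Return the validation error message, or None if the schema is valid."""
    try:
        validate_schema(schema)
        return None
    except ValueError as exc:
        return str(exc)


def check_access(schema: dict, op: str, req: Request, row: Optional[dict] = None) -> dict:
    """Enforce schema["access"][op] for one request.

    Returns the row to operate on (owner_field auto-filled on create when
    the caller omitted it); raises AccessDenied otherwise.
    """
    validate_schema(schema)
    level = schema["access"][op]
    owner_field = schema.get("owner_field")
    row = dict(row or {})

    if level == "public":
        if req.public_key != PUBLIC_KEY:
            raise AccessDenied("X-Public-Key missing or wrong")
        return row
    if level == "admin":
        if req.admin_key != ADMIN_KEY:
            raise AccessDenied("X-Admin-Key missing or wrong")
        return row

    # "authenticated" and "owner" both require a valid user JWT.
    if req.jwt_sub is None:
        raise AccessDenied("Bearer JWT missing or invalid")
    # Insert by an authenticated user: auto-fill owner_field from the JWT.
    if op == "create" and owner_field and owner_field not in row:
        row[owner_field] = req.jwt_sub
    if level == "authenticated":
        return row
    # "owner": the row's owner_field must equal the JWT user id
    # (a create that names another user's id is rejected here; assumption).
    if row.get(owner_field) != req.jwt_sub:
        raise AccessDenied("row belongs to another user")
    return row


def allowed(schema: dict, op: str, req: Request, row: Optional[dict] = None) -> bool:
    """Boolean convenience wrapper around check_access."""
    try:
        check_access(schema, op, req, row)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    feed = {"access": PATTERNS["social_feed"], "owner_field": "user_id"}
    print(check_access(feed, "create", Request(jwt_sub="alice"), {"body": "hello"}))
    print(allowed(feed, "delete", Request(jwt_sub="bob"), {"user_id": "alice"}))
```

Note that an admin key does not satisfy an `"owner"` rule: only the `admin` level accepts `X-Admin-Key`, so in the social-feed pattern an admin still cannot delete another user's post unless `delete` is set to `admin`.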