Authentication and Authorization

Learn how to secure your ObjectQL APIs with authentication and authorization. This guide covers authentication methods, JWT tokens, role-based access control (RBAC), and permission enforcement strategies.

Authentication Methods

ObjectQL supports multiple authentication strategies:

1. JWT Tokens (Recommended)

POST /api/objectql
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Content-Type: application/json

2. API Keys

POST /api/objectql
X-API-Key: your_api_key_here
Content-Type: application/json

3. Session Cookies

POST /api/objectql
Cookie: session_id=abc123...
Content-Type: application/json

4. User Context in Request (Development Only)

For testing and development, you can pass user context directly in the request:

{
  "user": {
    "id": "user_123",
    "roles": ["admin"]
  },
  "op": "find",
  "object": "users",
  "args": {}
}

⚠️ Warning: In production, always authenticate via request headers; never trust a user object supplied in the request body.

Permission System

ObjectQL enforces permissions at multiple levels:

  1. Object-Level: Can the user access this object at all?
  2. Operation-Level: Can they perform this operation (read/create/update/delete)?
  3. Field-Level: Which fields can they see/edit?
  4. Record-Level: Which specific records can they access?

Permission Check Flow:

Request → Authentication → Object Permission → Field Permission → Record Permission → Execute

Example Permission Config:

# user.object.yml
permissions:
  - profile: admin
    allow_read: true
    allow_create: true
    allow_edit: true
    allow_delete: true
    
  - profile: user
    allow_read: true
    allow_create: false
    allow_edit: true
    allow_delete: false
    record_filters:
      - ["owner", "=", "$current_user"]