Access Rules
Control who can read, write, and delete records at the collection level. Rules are enforced server-side on every request.
The three rules
Each collection has three independent rules: read, write, and delete. Each rule can be set to one of three values: public, authenticated, or owner.

public
Anyone can perform this operation, including unauthenticated users. Use for read-only public content like blog posts or product listings.
Applies to: Read (allowed but not recommended for write or delete, since anyone on the internet could then modify or remove records)

authenticated
The user must be logged in with a valid session token. Any authenticated user can operate on any record, regardless of who created it.
Applies to: Read, Write, Delete

owner
The user must be logged in AND must be the creator of the record (created_by == user.id). For read, only the user's own records are returned. For write/delete, only the creator can modify or remove the record.
Applies to: Read, Write, Delete
Common patterns
Public blog
Read: public, Write: authenticated, Delete: owner
Anyone can read posts. Logged-in users can create posts. Only the author can delete.

Private notes
Read: owner, Write: owner, Delete: owner
Users can only see and modify their own notes. Other users cannot see anything.

Shared workspace
Read: authenticated, Write: authenticated, Delete: authenticated
All logged-in users have full access. Suitable for team-internal data.

Read-only feed
Read: public, Write: owner, Delete: owner
Content is public. Only the creator can add or remove their own items.
How owner read works
When a collection's read rule is owner, the server automatically scopes all queries to records where created_by = current_user.id. You don't need to add this filter yourself.
Owner rule requires authentication
Of the three values, only public works without a session; authenticated and owner both require the user to be logged in. An unauthenticated request against an owner-rule collection always returns a 401 error, rather than an empty result.
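As an added example (this is not the product's own server code): a small Python model of the rule evaluation described on this page, covering the three values, the owner scoping that the server applies to reads, the 401 for an unauthenticated request where a session is required, and the four common patterns above. The names Rules, Record, decide, scope_read and matrix are assumptions, as are two details the page does not state: a 403 for a logged-in user who is not the creator, and treating a write with no target record as a create (the caller becomes created_by). The sample records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# The three rule values and the three per-collection operations from the page.
PUBLIC, AUTHENTICATED, OWNER = "public", "authenticated", "owner"
RULE_VALUES = (PUBLIC, AUTHENTICATED, OWNER)
OPERATIONS = ("read", "write", "delete")


@dataclass(frozen=True)
class Rules:
    """One collection's three independent rules (hypothetical name)."""
    read: str
    write: str
    delete: str

    def __post_init__(self):
        for op in OPERATIONS:
            if getattr(self, op) not in RULE_VALUES:
                raise ValueError(f"bad {op} rule: {getattr(self, op)!r}")


@dataclass(frozen=True)
class Record:
    id: int
    created_by: str  # user id of whoever created the record


def decide(rules: Rules, op: str, user_id: Optional[str],
           record: Optional[Record] = None) -> int:
    """Server-side decision for one request, as an HTTP status:
    200 allowed, 401 no session where one is required, 403 logged in but not
    the creator (the 403 is this example's assumption, not from the page).

    user_id is None for an unauthenticated request. For write, record=None
    means a create; for delete under owner the target record is required.
    """
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation: {op!r}")
    rule = getattr(rules, op)
    if rule == PUBLIC:
        return 200
    if user_id is None:
        return 401  # both authenticated and owner need a valid session
    if rule == AUTHENTICATED:
        return 200
    # owner: reads are never rejected here, they are scoped by scope_read();
    # a create is always by the caller, so only updates/deletes compare creators.
    if op == "read" or (op == "write" and record is None):
        return 200
    if record is None:
        raise ValueError("delete under the owner rule needs the target record")
    return 200 if record.created_by == user_id else 403


def scope_read(rules: Rules, user_id: Optional[str], records: list) -> list:
    """Apply the read rule to a query result. Under owner the server adds the
    created_by == user_id filter itself; the client never has to. Raises
    PermissionError(401) for an unauthenticated request on a non-public rule."""
    status = decide(rules, "read", user_id)
    if status != 200:
        raise PermissionError(status)
    if rules.read == OWNER:
        return [r for r in records if r.created_by == user_id]
    return list(records)


# The four common patterns from the page.
PATTERNS = {
    "public_blog": Rules(read=PUBLIC, write=AUTHENTICATED, delete=OWNER),
    "private_notes": Rules(read=OWNER, write=OWNER, delete=OWNER),
    "shared_workspace": Rules(read=AUTHENTICATED, write=AUTHENTICATED, delete=AUTHENTICATED),
    "read_only_feed": Rules(read=PUBLIC, write=OWNER, delete=OWNER),
}

# Constructed sample data: record 1 belongs to alice, record 2 to bob.
SAMPLE = [Record(1, "alice"), Record(2, "bob")]


def matrix(pattern: str) -> dict:
    """Outcomes for an anonymous caller, alice and bob under one pattern:
    which record ids a read returns (or the 401), plus the status for a create
    and for an update/delete of record 2 (bob's)."""
    rules = PATTERNS[pattern]
    out = {}
    for who in (None, "alice", "bob"):
        try:
            visible = [r.id for r in scope_read(rules, who, SAMPLE)]
        except PermissionError as e:
            visible = e.args[0]
        out[who or "anon"] = {
            "read": visible,
            "create": decide(rules, "write", who),
            "update_2": decide(rules, "write", who, SAMPLE[1]),
            "delete_2": decide(rules, "delete", who, SAMPLE[1]),
        }
    return out


if __name__ == "__main__":
    for name in PATTERNS:
        print(name, matrix(name))
```

Running it prints one decision matrix per pattern; the private_notes row shows the owner-read scoping (alice sees only record 1, bob only record 2) and the anonymous caller getting 401 everywhere, while the public_blog row shows any logged-in user able to update a post but only its creator able to delete it.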