
Authentication

Secure your API with JWT authentication and PostgreSQL Row-Level Security.

JWT Authentication

Postrust validates the JWT on every request and reads its role claim to decide which database role the request runs as.

JWT Payload
{
  "role": "authenticated_user",
  "sub": "user_123",
  "email": "user@example.com",
  "exp": 1704067200
}
Request with JWT
curl http://localhost:3000/users \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Configuration

PGRST_JWT_SECRET

Shared secret used to validate HS256/HS384/HS512 signatures

PGRST_JWT_SECRET_IS_BASE64

Set to true if the secret is base64-encoded

PGRST_JWT_AUD

Audience (aud) claim the token must carry; when unset, the audience is not checked

PGRST_JWT_ROLE_CLAIM_KEY

Name of the claim that holds the database role (default: role)

Row-Level Security

PostgreSQL RLS policies are enforced on every request because each request runs as the role taken from the JWT. The validated JWT claims are exposed to SQL as the request.jwt.claims session setting, so policies can refer to them.

SQL - RLS Policy
-- Enable RLS on table (table owners and superusers still bypass it unless FORCE is used)
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;

-- Policy: users can only see their own orders
-- current_setting() raises an error if the setting was never set for this
-- session; current_setting('request.jwt.claims', true) returns NULL instead.
CREATE POLICY user_orders ON orders
  FOR ALL
  USING (
    user_id = current_setting('request.jwt.claims')::json->>'sub'
  );

-- Policy: admins can see all orders
-- Both policies are permissive, so PostgreSQL ORs them: a row is visible
-- when either condition holds.
CREATE POLICY admin_orders ON orders
  FOR ALL
  USING (
    current_setting('request.jwt.claims')::json->>'role' = 'admin'
  );
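The configuration keys above describe what the proxy must check before a request reaches the database, and the policies above assume the checked claims are already present in request.jwt.claims. The following Python, which is an added example using only the standard library and is not Postrust's own code, walks through both halves: HS256/384/512 verification driven by the same four settings (passed as keyword arguments named for this example), then the SET LOCAL statements a proxy would run at the start of the request's transaction so that the policies can read the claims. The secret, token and claims are constructed for the demo; the role-claim lookup handles only a top-level key here.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not Postrust code: stdlib-only HS256/384/512 verification that
# mirrors the PGRST_JWT_* settings, then the per-transaction SQL a proxy would
# run so RLS policies can read current_setting('request.jwt.claims').

HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def load_secret(secret: str, is_base64: bool = False) -> bytes:
    """PGRST_JWT_SECRET, decoded when PGRST_JWT_SECRET_IS_BASE64 is true."""
    return base64.b64decode(secret) if is_base64 else secret.encode()


def make_token(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Mint a token for the demo and tests; a real issuer lives outside the API."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(load_secret(secret), f"{header}.{payload}".encode(), HS_ALGS[alg]).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token, secret, is_base64=False, audience=None, role_claim_key="role", now=None):
    """Return (role, claims) for a valid token; raise ValueError for anything else.

    audience       -> PGRST_JWT_AUD (None means no audience check)
    role_claim_key -> PGRST_JWT_ROLE_CLAIM_KEY (top-level key only in this example)
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    alg = header.get("alg")
    # Only the HMAC family is accepted: "none" and asymmetric algs are rejected
    # before any signature check, so the shared secret is never misapplied.
    if alg not in HS_ALGS:
        raise ValueError(f"unsupported alg {alg!r}")
    key = load_secret(secret, is_base64)
    expected = hmac.new(key, f"{h64}.{p64}".encode(), HS_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if audience is not None:
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("audience mismatch")
    role = claims.get(role_claim_key)
    if not isinstance(role, str) or not role:
        raise ValueError("missing role claim")
    return role, claims


def session_setup(role: str, claims: dict) -> list:
    """SQL run at the start of each request's transaction (SET LOCAL scope).

    Quoting is done by hand to keep the example offline; real code should use
    the driver's parameter binding and identifier quoting instead.
    """
    role_ident = '"' + role.replace('"', '""') + '"'
    claims_lit = "'" + json.dumps(claims, separators=(",", ":")).replace("'", "''") + "'"
    return [
        f"SET LOCAL ROLE {role_ident};",
        # third argument true = setting is local to the current transaction
        f"SELECT set_config('request.jwt.claims', {claims_lit}, true);",
    ]


if __name__ == "__main__":
    secret = "constructed-demo-secret-do-not-reuse"  # constructed value
    token = make_token({"role": "authenticated_user", "sub": "user_123", "exp": 1704067200}, secret)
    role, claims = verify_jwt(token, secret, now=1700000000)
    print("\n".join(session_setup(role, claims)))
```

Run as a script it prints the two statements the user_orders policy depends on; every request then runs its queries inside that transaction, so the SET LOCAL role and setting disappear at commit or rollback and cannot leak into another request on a pooled connection.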

Accessing JWT Claims in SQL

-- Get full claims object
current_setting('request.jwt.claims')::json

-- Get specific claim
current_setting('request.jwt.claims')::json->>'sub'
current_setting('request.jwt.claims')::json->>'email'
current_setting('request.jwt.claims')::json->>'role'

-- Use in function
-- STABLE: the claims do not change within a statement, so the planner may
-- evaluate the call once rather than per row.
CREATE FUNCTION get_current_user_id() RETURNS TEXT AS $$
  SELECT current_setting('request.jwt.claims')::json->>'sub';
$$ LANGUAGE SQL STABLE;