# Authorization
This page is the canonical authorization reference for Zeptoz collection and file routes.
## Roles

Roles in Zeptoz:

- `owner`
- `admin`
- `member`

The default role on user registration is `member`.
## Authorization order (canonical)

For collection CRUD routes, Zeptoz evaluates authorization in this order:

- authenticate the request
- role bypass (`owner` and `admin`)
- collection Access Policy for the requested operation (`list`, `view`, `create`, `update`, `delete`) when a policy is set
- legacy fallback behavior when no policy is set
## Access model in place

| Area | owner | admin | member |
|---|---|---|---|
| Collection access policy bypass | allowed | allowed | not allowed |
| Collection op with policy set | bypass policy | bypass policy | evaluated by policy |
| Collection POST/PATCH/DELETE with unset policy | allowed | allowed | forbidden |
| Collection GET/list with unset policy | allowed | allowed | allowed |
| File access to any file | allowed | allowed | not allowed |
| File access to own file | allowed | allowed | allowed |
## Access policy expression context

Access Policy expressions can reference:

- `@request.auth.id`
- `@request.auth.roles`
- `@request.data.<field>` (create/update)
- `@request.query.<field>` (list)
- `@record.<field>` (view/update/delete)

Supported operators include `=`, `!=`, `&&`, `||`, `contains`, `is null`, and `is not null`.
## Notes

- Collection operations evaluate Access Policies (`list`/`view`/`create`/`update`/`delete`) when configured.
- Unset collection policies fall back to the legacy behavior from the table above.
- File authorization is separate from collection policies; `member` can only download/delete files where `owner_id` matches the user.
- Policy parse/evaluation failures are deny-safe and return forbidden responses.
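As an added example (not Zeptoz's own implementation), the following Python sketch applies the canonical order above to a request context and evaluates the listed operator subset over the expression context, including the deny-safe handling of a policy that fails to parse. The context dictionary shape, the function names and the lack of parenthesis support in the evaluator are assumptions.

```python
import re

# Added illustration of the order described on this page; not Zeptoz's own code.
BYPASS_ROLES = {"owner", "admin"}   # roles that skip policy evaluation entirely
READ_OPS = {"list", "view"}         # legacy fallback: reads allowed, writes forbidden

def resolve(token, ctx):
    """Resolve an '@request.auth.id'-style path, or a "quoted" literal, against ctx."""
    token = token.strip()
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    if token.startswith("@"):
        node = ctx
        for part in token[1:].split("."):
            node = node.get(part) if isinstance(node, dict) else None
        return node
    raise ValueError(f"unsupported token {token!r}")

def eval_policy(expr, ctx):
    """Evaluate the operator subset listed above (no parentheses; || binds loosest)."""
    if "||" in expr:
        return any(eval_policy(p, ctx) for p in expr.split("||"))
    if "&&" in expr:
        return all(eval_policy(p, ctx) for p in expr.split("&&"))
    e = expr.strip()
    if e.endswith(" is not null"):
        return resolve(e[:-12], ctx) is not None
    if e.endswith(" is null"):
        return resolve(e[:-8], ctx) is None
    m = re.fullmatch(r"(.+?)\s*(!=|=|contains)\s*(.+)", e)
    if not m:
        raise ValueError(f"cannot parse {expr!r}")
    lhs, op, rhs = resolve(m[1], ctx), m[2], resolve(m[3], ctx)
    if op == "contains":
        return lhs is not None and rhs in lhs
    return lhs == rhs if op == "=" else lhs != rhs

def authorize(op, policy, ctx):
    """Canonical order: authenticate, role bypass, policy (deny-safe), legacy fallback."""
    auth = (ctx.get("request") or {}).get("auth")
    if not auth:
        return False, "unauthenticated"
    if BYPASS_ROLES & set(auth.get("roles", [])):
        return True, "role bypass"
    if policy is not None:
        try:
            return eval_policy(policy, ctx), "policy"
        except Exception:  # parse/evaluation failure is deny-safe
            return False, "policy error"
    return op in READ_OPS, "legacy fallback"
```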