Permissions
Last updated
Last updated
Copyright © 2023 Deskree Technologies Inc.
Deskree Permissions allow you to define the rules for accessing your database and integrations data by API endpoint. For a practical example, visit How to use permissions? guide.
Note that by default all permissions are set to Public
. Meaning that they are accessible via API without user Authentication. For more information, go to Permission Types.
You can customize each individual endpoint permission as well as apply the same permission to all endpoints via Apply to all
the selector in the top right corner of the page. Below are the permission types we offer.
Authorization Header Required
Available for Database APIs
Available for Integrations APIs
Admin token required
Endpoints with permission type set to public are available for anyone to access without providing an authorization header.
CAUTION: having endpoints' permissions set to public means that anybody on the internet can access this endpoint.
Only registered users of the platform can access endpoints set to this type by providing a valid authorization header. You can learn more on the Authentication page.
To get Admin Token, visit the Access Token page inside the Settings of your project. Learn more about Admin Token by visiting the Admin Token page.
If an endpoint has permission set to "admin", it means it will only be accessible when a valid deskree-admin
token is provided in the header of the request.
Deskree Admin Token allows skipping all the set permission. This is a great tool when you want endpoints to be only accessed from a specific front-end implementation, such as admin panels.
Few important considerations:
The system does not track the author's property when using an admin token.
You can use Admin permission as a way to "disable" certain endpoints and make them inaccessible to anyone other than yourself or your Deskree teammates.
You can provide a Deskree Admin token regardless of the permissions set by an endpoint to completely skip the middleware part. In the other words, it overwrites the permissions.
DANGER: Always keep your Deskree Admin token secure as it is a very powerful token that may allow unwanted access to your data if compromised. If you believe that is the case, you can always refresh your token.
For each entry in the database, Deskree tracks the author of the objects based on the provided token in the authorization header.
If permission is set to "author", only the user who created the object will be able to access it, which is determined by the token provided in the authorization header.
In case a token is not provided when creating an objectt, the author property is null.
Author permission is only available for GET_UID, PATCH, and DELETE requests. It is also only applicable to database permissions and, hence, is not present in integration permission since we cannot track the creator of objects in third-party APIs.
You can add an unlimited number of roles in the Roles tab of the Middleware page
To access endpoints where permission is set for certain roles, a user must have this role when making the request.
We fetch user data based on the authorization token provided when making the request.
If the endpoint permission is set to multiple roles, a user must have any one of those roles to be able to access the data.
For example: if the endpoint permission is set to roles of "buyer" and "admin", the user that has either "buyer" or "admin" or both roles will be able to access it.
The role of the user is stored in the roles
column of the Users
table as an array of role UIDs.
To add a new role to a user, you can need to update the user object via , or APIs and include the UID of the role you would like to add to the user.
To get a list of roles and their UIDs, you need to use the Get Roles
endpoint of or .