Use when configuring public vs authenticated access in Bknd. Covers anonymous role setup, unauthenticated data access, public/private entity patterns, mixed access modes, and protecting sensitive entities while exposing public ones.
npx claudepluginhub cameronapak/bknd-expert --plugin bknd-research-skillsThis skill uses the workspace's default tool permissions.
Configure which data and endpoints are publicly accessible vs require authentication.
Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.
Checks Next.js compilation errors using a running Turbopack dev server after code edits. Fixes actionable issues before reporting complete. Replaces `next build`.
Configure which data and endpoints are publicly accessible vs require authentication.
auth: { enabled: true })guard: { enabled: true })UI steps: Admin Panel > Auth > Roles
Note: Access configuration requires code mode.
Bknd uses the default role to determine what unauthenticated users can access:
User makes request → Has token? → Yes → Use user's role
→ No → Use default role (is_default: true)
→ No default? → ACCESS DENIED
Allow unauthenticated users to read all data:
import { serve } from "bknd/adapter/bun";
import { em, entity, text } from "bknd";
const schema = em({
posts: entity("posts", { title: text().required() }),
});
serve({
connection: { url: "file:data.db" },
config: {
data: schema.toJSON(),
auth: {
enabled: true,
guard: { enabled: true },
roles: {
// Public role - anyone can read
anonymous: {
is_default: true,
implicit_allow: false,
permissions: ["data.entity.read"],
},
// Authenticated users can create/update
user: {
implicit_allow: false,
permissions: [
"data.entity.read",
"data.entity.create",
"data.entity.update",
],
},
},
},
},
});
Result:
GET /api/data/posts - Works without authPOST /api/data/posts - Requires authPATCH /api/data/posts/1 - Requires authRequire authentication for all access:
{
auth: {
enabled: true,
guard: { enabled: true },
allow_register: true,
default_role_register: "user",
roles: {
admin: { implicit_allow: true },
user: {
implicit_allow: false,
permissions: [
"data.entity.read",
"data.entity.create",
"data.entity.update",
],
},
// NO default role - unauthenticated users get nothing
},
},
}
Result: All /api/data/* endpoints return 403 without authentication.
Make some entities public, others private:
{
auth: {
enabled: true,
guard: { enabled: true },
roles: {
anonymous: {
is_default: true,
implicit_allow: false,
permissions: [
// Only posts are public
{
permission: "data.entity.read",
effect: "allow",
policies: [{
condition: { entity: "posts" },
effect: "allow",
}],
},
],
},
user: {
implicit_allow: false,
permissions: [
"data.entity.read", // Read all entities
"data.entity.create",
"data.entity.update",
],
},
},
},
}
Result:
GET /api/data/posts - PublicGET /api/data/users - Requires authGET /api/data/comments - Requires authExpose several entities publicly:
{
roles: {
anonymous: {
is_default: true,
implicit_allow: false,
permissions: [
{
permission: "data.entity.read",
effect: "allow",
policies: [{
condition: { entity: { $in: ["posts", "categories", "tags"] } },
effect: "allow",
}],
},
],
},
},
}
Make only published/public records accessible:
{
roles: {
anonymous: {
is_default: true,
implicit_allow: false,
permissions: [
{
permission: "data.entity.read",
effect: "allow",
policies: [
// Posts: only published
{
condition: { entity: "posts" },
effect: "filter",
filter: { status: "published" },
},
// Products: only visible
{
condition: { entity: "products" },
effect: "filter",
filter: { visible: true },
},
],
},
],
},
},
}
Result: Anonymous users only see filtered records; authenticated users see all.
Public can read published; owners can read their own drafts:
{
roles: {
anonymous: {
is_default: true,
implicit_allow: false,
permissions: [
{
permission: "data.entity.read",
effect: "allow",
policies: [{
condition: { entity: "posts" },
effect: "filter",
filter: { status: "published" },
}],
},
],
},
user: {
implicit_allow: false,
permissions: [
// Read: published OR own posts
{
permission: "data.entity.read",
effect: "allow",
policies: [{
condition: { entity: "posts" },
effect: "filter",
filter: {
$or: [
{ status: "published" },
{ author_id: "@user.id" },
],
},
}],
},
// Create allowed
"data.entity.create",
// Update own only
{
permission: "data.entity.update",
effect: "allow",
policies: [{
effect: "filter",
filter: { author_id: "@user.id" },
}],
},
],
},
},
}
No public access, no self-registration:
{
auth: {
enabled: true,
guard: { enabled: true },
allow_register: false, // Disable self-registration
roles: {
admin: { implicit_allow: true },
member: {
implicit_allow: false,
permissions: [
"data.entity.read",
"data.entity.create",
"data.entity.update",
],
},
// No default role
},
},
options: {
seed: async (ctx) => {
// Admin creates users manually
await ctx.app.module.auth.createUser({
email: "admin@company.com",
password: "admin-password",
role: "admin",
});
},
},
}
Common REST API pattern:
{
roles: {
anonymous: {
is_default: true,
implicit_allow: false,
permissions: ["data.entity.read"], // Read anything
},
api_user: {
implicit_allow: false,
permissions: [
"data.entity.read",
"data.entity.create",
"data.entity.update",
"data.entity.delete",
],
},
},
}
import { serve } from "bknd/adapter/bun";
import { em, entity, text, boolean, relation } from "bknd";
const schema = em(
{
posts: entity("posts", {
title: text().required(),
content: text(),
published: boolean().default(false),
}),
comments: entity("comments", {
body: text().required(),
approved: boolean().default(false),
}),
users: entity("users", {}),
},
({ posts, comments, users }) => [
relation(posts, "author").manyToOne(users),
relation(comments, "post").manyToOne(posts),
relation(comments, "user").manyToOne(users),
]
);
serve({
connection: { url: "file:data.db" },
config: {
data: schema.toJSON(),
auth: {
enabled: true,
guard: { enabled: true },
allow_register: true,
default_role_register: "commenter",
roles: {
// Public: read published posts + approved comments
anonymous: {
is_default: true,
implicit_allow: false,
permissions: [
{
permission: "data.entity.read",
effect: "allow",
policies: [
{
condition: { entity: "posts" },
effect: "filter",
filter: { published: true },
},
{
condition: { entity: "comments" },
effect: "filter",
filter: { approved: true },
},
],
},
],
},
// Registered users: read all, create comments
commenter: {
implicit_allow: false,
permissions: [
"data.entity.read",
{
permission: "data.entity.create",
effect: "allow",
policies: [{
condition: { entity: "comments" },
effect: "allow",
}],
},
],
},
// Authors: full post access, manage own comments
author: {
implicit_allow: false,
permissions: [
"data.entity.read",
{
permission: "data.entity.create",
effect: "allow",
policies: [{
condition: { entity: { $in: ["posts", "comments"] } },
effect: "allow",
}],
},
{
permission: "data.entity.update",
effect: "allow",
policies: [{
condition: { entity: "posts" },
effect: "filter",
filter: { author_id: "@user.id" },
}],
},
],
},
// Admin: everything
admin: { implicit_allow: true },
},
},
},
});
{
auth: {
enabled: true,
guard: { enabled: true },
allow_register: true,
default_role_register: "free_user",
roles: {
// Landing page data only
anonymous: {
is_default: true,
implicit_allow: false,
permissions: [
{
permission: "data.entity.read",
effect: "allow",
policies: [{
condition: { entity: { $in: ["plans", "features"] } },
effect: "allow",
}],
},
],
},
// Free tier: limited access
free_user: {
implicit_allow: false,
permissions: [
"data.entity.read",
{
permission: "data.entity.create",
effect: "allow",
policies: [{
condition: { entity: "projects" },
effect: "allow",
}],
},
],
},
// Paid tier: full access to own data
pro_user: {
implicit_allow: false,
permissions: [
"data.entity.read",
"data.entity.create",
{
permission: "data.entity.update",
effect: "allow",
policies: [{
effect: "filter",
filter: { owner_id: "@user.id" },
}],
},
{
permission: "data.entity.delete",
effect: "allow",
policies: [{
effect: "filter",
filter: { owner_id: "@user.id" },
}],
},
],
},
admin: { implicit_allow: true },
},
},
}
# Should succeed (anonymous read)
curl http://localhost:7654/api/data/posts
# Should fail (anonymous create)
curl -X POST http://localhost:7654/api/data/posts \
-H "Content-Type: application/json" \
-d '{"title": "Test"}'
# Returns 403
# Login
TOKEN=$(curl -s -X POST http://localhost:7654/api/auth/password/login \
-H "Content-Type: application/json" \
-d '{"email": "user@test.com", "password": "pass123"}' | jq -r '.token')
# Should succeed (authenticated create)
curl -X POST http://localhost:7654/api/data/posts \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"title": "Test"}'
# Public entity - should succeed
curl http://localhost:7654/api/data/posts
# Private entity - should fail
curl http://localhost:7654/api/data/users
# Returns 403
# Anonymous: only sees published
curl http://localhost:7654/api/data/posts
# Returns: [{ status: "published" }, ...]
# Authenticated: sees all including drafts
curl http://localhost:7654/api/data/posts \
-H "Authorization: Bearer $TOKEN"
# Returns: [{ status: "draft" }, { status: "published" }, ...]
import { useApp, useAuth } from "bknd/react";
function DataDisplay() {
const { api } = useApp();
const { user } = useAuth();
const [posts, setPosts] = useState([]);
useEffect(() => {
// Works for both anonymous and authenticated
api.data.readMany("posts").then((res) => {
if (res.ok) setPosts(res.data);
});
}, []);
return (
<div>
{posts.map((post) => (
<article key={post.id}>
<h2>{post.title}</h2>
{/* Show edit only for authenticated users */}
{user && <button>Edit</button>}
</article>
))}
{/* Show create only for authenticated */}
{user ? (
<button>New Post</button>
) : (
<a href="/login">Login to create posts</a>
)}
</div>
);
}
function useProtectedData(entity: string) {
const { api } = useApp();
const { user, isLoading } = useAuth();
const [data, setData] = useState(null);
const [error, setError] = useState(null);
useEffect(() => {
if (isLoading) return;
api.data.readMany(entity).then((res) => {
if (res.ok) {
setData(res.data);
} else {
setError(res.error);
}
});
}, [entity, user, isLoading]);
return { data, error, isAuthenticated: !!user };
}
// Usage
function ProtectedPage() {
const { data, error, isAuthenticated } = useProtectedData("projects");
if (error?.status === 403 && !isAuthenticated) {
return <LoginPrompt />;
}
return <DataList items={data} />;
}
Problem: Permission not granted for unauthenticated requests
Fix: Add a default role:
{
roles: {
anonymous: {
is_default: true, // Required for public access!
permissions: ["data.entity.read"],
},
},
}
Problem: Everyone can access everything
Fix: Enable the guard:
{
auth: {
enabled: true,
guard: { enabled: true }, // Required!
},
}
Problem: Anonymous users see all records, not just filtered
Fix: Use effect: "filter" not effect: "allow":
// WRONG - allows all
{
condition: { entity: "posts" },
effect: "allow",
filter: { published: true }, // Ignored!
}
// CORRECT - applies filter
{
condition: { entity: "posts" },
effect: "filter",
filter: { published: true },
}
Problem: Users entity publicly readable
Fix: Use entity conditions:
{
permissions: [
{
permission: "data.entity.read",
effect: "allow",
policies: [{
// Only allow specific entities
condition: { entity: { $in: ["posts", "comments"] } },
effect: "allow",
}],
},
],
}
Problem: User authenticated but still gets public data
Fix: Include credentials in fetch:
// Browser with cookies
fetch("/api/data/posts", { credentials: "include" });
// Token-based
fetch("/api/data/posts", {
headers: { Authorization: `Bearer ${token}` },
});
| Scenario | Anonymous Role | User Role | Result |
|---|---|---|---|
| Public Read | data.entity.read | All CRUD | Anon: read; User: CRUD |
| Private Only | None/No default | All CRUD | Anon: 403; User: CRUD |
| Entity-Specific | Read posts only | Read all | Anon: posts; User: all |
| Filtered | Filter published | Read all | Anon: published; User: all |
DO:
is_default: true on exactly one role for public accessDON'T:
guard: { enabled: true })implicit_allow: true on anonymous/default roleeffect: "allow" and effect: "filter"