
AUTHORIZE

Also known as

authorized, requires_authorization (with or without @ prefix)

Require authentication for the endpoint. Optionally restrict access by roles, user names, or user IDs.

Syntax

```
@authorize
@authorize <value1>, <value2>, <value3>, ...
```

Values can be role names, user names, or user IDs. Space-separated lists are also valid: @authorize admin editor john

Examples

Require Any Authenticated User

```sql
create function get_my_profile()
returns json
language sql
begin atomic;
select row_to_json(u) from users u where u.id = current_user_id();
end;

comment on function get_my_profile() is
'HTTP GET
@authorize';
```

Equivalent as a SQL file endpoint (sql/get-my-profile.sql):

```sql
-- HTTP GET
-- @authorize
select row_to_json(u) from users u where u.id = current_user_id();
```

Unauthenticated requests receive 401 Unauthorized.

Alternative Keywords

```sql
-- All of these are equivalent
comment on function func1() is 'HTTP
@authorize';

comment on function func2() is 'HTTP
@authorized';

comment on function func3() is 'HTTP
@requires_authorization';
```

Require Specific Role

```sql
create function delete_user(_id int)
returns void
language sql
begin atomic;
delete from users where id = _id;
end;

comment on function delete_user(int) is
'HTTP DELETE
@authorize admin';
```

Only users with the admin role can access this endpoint.

Authorize by User Name

Available since version 3.11.1

```sql
create function get_my_profile()
returns json
language sql
begin atomic;
select row_to_json(u) from users u where u.id = current_user_id();
end;

comment on function get_my_profile() is
'HTTP GET
@authorize john';
```

Only the user with user name john can access this endpoint. Matches against the DefaultNameClaimType claim.

Authorize by User ID

Available since version 3.11.1

```sql
create function get_account()
returns json
language sql
begin atomic;
select row_to_json(a) from accounts a where a.user_id = current_user_id();
end;

comment on function get_account() is
'HTTP GET
@authorize user123';
```

Only the user with user ID user123 can access this endpoint. Matches against the DefaultUserIdClaimType claim.

Multiple Roles

```sql
create function manage_content(_action text, _id int)
returns json
language sql
begin atomic;
...;
end;

comment on function manage_content(text, int) is
'HTTP POST
@authorize admin, editor, moderator';
```

Users must have at least one of the specified roles.

Mix of Roles and User Identifiers

Available since version 3.11.1

```sql
comment on function get_data() is
'HTTP GET
@authorize admin, user123, jane';
```

Access is granted if the user matches any of the specified values — whether it's a role name, user name, or user ID. Each value is checked against all three claim types (DefaultRoleClaimType, DefaultNameClaimType, DefaultUserIdClaimType).
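The matching rules stated on this page (401 when unauthenticated, 403 when values are given and none matches, each value checked against the role, user name and user ID claims) are easy to get wrong when reasoning about who can reach an endpoint, so here is a small model of them. This is an added illustration, not NpgsqlRest's implementation; the claim type names `role`, `name` and `user_id` are assumed placeholders for the configured DefaultRoleClaimType, DefaultNameClaimType and DefaultUserIdClaimType, and the principals are constructed.

```python
"""Model of the @authorize matching rules documented on this page.

Added illustration, not NpgsqlRest's own code: it encodes the documented
behaviour (401 when unauthenticated, 403 when values are given and none
matches a role, user name or user ID claim) so the rules can be exercised
against constructed claim sets.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed placeholder claim type names standing in for the configured
# DefaultRoleClaimType / DefaultNameClaimType / DefaultUserIdClaimType.
ROLE_CLAIM = "role"
NAME_CLAIM = "name"
USER_ID_CLAIM = "user_id"


@dataclass
class Principal:
    """Authenticated user as a multi-valued claim set (constructed)."""
    claims: dict[str, set[str]] = field(default_factory=dict)

    def has(self, claim_type: str, value: str) -> bool:
        return value in self.claims.get(claim_type, set())


def parse_authorize(annotation: str) -> list[str] | None:
    """Return the value list from an @authorize line, or None if absent.

    Accepts the keyword variants documented on the page, with or without
    the '@' prefix, and both comma- and space-separated value lists.
    """
    keywords = {"authorize", "authorized", "requires_authorization"}
    for raw in annotation.splitlines():
        line = raw.strip()
        if not line:
            continue
        head, _, rest = line.partition(" ")
        if head.lstrip("@").lower() in keywords:
            # "admin, editor" and "admin editor" are both valid spellings
            return [v for v in rest.replace(",", " ").split() if v]
    return None


def authorize(annotation: str, principal: Principal | None) -> int:
    """Return the HTTP status the documented rules produce: 200, 401 or 403."""
    values = parse_authorize(annotation)
    if values is None:
        return 200  # no @authorize: endpoint is open
    if principal is None:
        return 401  # unauthenticated
    if not values:
        return 200  # bare @authorize: any authenticated user
    # Each value is checked against all three claim types.
    for v in values:
        if any(principal.has(c, v) for c in (ROLE_CLAIM, NAME_CLAIM, USER_ID_CLAIM)):
            return 200
    return 403


if __name__ == "__main__":
    john = Principal({"role": {"viewer"}, "name": {"john"}, "user_id": {"user123"}})
    print(authorize("HTTP DELETE\n@authorize admin", john))  # 403
    print(authorize("HTTP GET\n@authorize admin, user123, jane", john))  # 200
```

Because a value is matched against all three claim types, a value intended as a user name also grants access to anyone holding a role of the same spelling; keep role names, user names and user IDs from overlapping when mixing them in one annotation.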

Authorize Before HTTP

The order of annotations doesn't matter:

```sql
comment on function protected_func() is
'@authorize admin
HTTP GET';
```

Authorize on Separate Line

```sql
comment on function another_protected() is
'HTTP

@authorize';
```

Behavior

  • Returns 401 Unauthorized for unauthenticated requests
  • Returns 403 Forbidden when values are specified and the user lacks a matching role, user name, or user ID
  • Works with all configured authentication providers (JWT, Cookie, Basic, etc.)

See Also

  • ALLOW_ANONYMOUS - Override to allow unauthenticated access
  • LOGIN - Mark as authentication endpoint
  • LOGOUT - Mark as sign-out endpoint
  • Comments