Building a secure authentication and authorization system from scratch is complex. OAuth flows, password hashing, permission checks, role management, session handling... it's a lot of work that every application needs but doesn't make your product unique.

RESTHeart Cloud provides a complete user management and permissions system that's production-ready from day one.

Security You Can Trust

Your APIs are secure by default. No configuration needed, no security vulnerabilities to patch, no authentication code to write and maintain.

RESTHeart Cloud handles secure password storage with industry-standard hashing, OAuth integration with Google and GitHub, and role-based access control. Fine-grained permissions work at the resource level, with session management and token handling built in. Protection against common security vulnerabilities is part of the platform, not something you need to add later.

Users: Built-In, Not Built From Scratch

Users are fundamental to almost every application. RESTHeart Cloud makes user management straightforward.

Email Authentication lets users register and log in with email and password. The system handles email validation, secure password hashing, password reset flows, and account verification automatically.

OAuth Integration enables social login with simple configuration. Google OAuth and GitHub OAuth work out of the box, giving users a smooth login experience while the platform handles the redirect and callback flow for you.

You can store custom user data alongside authentication. User profiles, preferences, and any application-specific data live right in your user documents:

{
  "_id": "user@example.com",
  "roles": ["user", "editor"],
  "profile": {
    "name": "Jane Developer",
    "preferences": { ... }
  }
}

Permissions: Fine-Grained Control

RESTHeart Cloud's permission system is both powerful and flexible. Define exactly who can access what, at any level of granularity.

Role-Based Access Control lets you assign roles to users and define permissions by role. The system supports read and write filters based on user identity, dynamic permissions using MongoDB queries, and conditional access based on data content:

{
  "role": "editor",
  "predicate": "path-prefix[/api/posts]",
  "priority": 100,
  "mongo": {
    "readFilter": "{'status': 'published'}",
    "writeFilter": "{'author': '@user._id'}"
  }
}

Resource-Level Permissions give you control at the collection, document, or even field level. You can implement complex access patterns that perfectly match your application's needs.

Example: Multi-Tenant Application

Building a SaaS where users should only see their own data? Define the permission once:

{
  "role": "user",
  "predicate": "path-prefix[/api/data]",
  "mongo": {
    "readFilter": "{'tenant': '@user.tenant'}",
    "writeFilter": "{'tenant': '@user.tenant'}"
  }
}

Done. Every query automatically filters by tenant. No middleware to write, no query modifications to remember, no risk of data leaks.

Secure by Design

The platform follows a default-deny approach: unless a permission explicitly allows a request, access is denied. This secure-by-default pattern prevents accidental exposure of data when a rule is missing or mistyped.

Permissions have access to the full request context, including user identity and roles, request method and path, query parameters, and request body content. This means you can create sophisticated permission rules that respond to the exact situation.
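To make the filter model concrete, here is an added example, written for this page and not RESTHeart's own code (it does not claim to show how the platform is implemented internally). A small evaluator takes permission documents shaped like the ones above, picks the one that matches the caller's role and the path-prefix predicate, substitutes the @user.* placeholders from the authenticated identity, and ANDs the result with whatever query the client sent. It also covers the multi-tenant rule from the previous section. Assumptions made here: the PERMISSIONS list and the sample users are constructed for the example; a lower priority value is evaluated first and the first match wins; an unrecognised predicate, a request matching no permission, or a user record missing a referenced field all result in denial.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Constructed permission documents, modelled on the ACL examples on this page.
# Assumption: a lower "priority" value is evaluated first; the first match wins.
PERMISSIONS: List[Dict[str, Any]] = [
    {"role": "admin", "predicate": "path-prefix[/api/]", "priority": 10,
     "mongo": {"readFilter": "{}", "writeFilter": "{}"}},
    {"role": "user", "predicate": "path-prefix[/api/data]", "priority": 100,
     "mongo": {"readFilter": "{'tenant': '@user.tenant'}",
               "writeFilter": "{'tenant': '@user.tenant'}"}},
    {"role": "editor", "predicate": "path-prefix[/api/posts]", "priority": 100,
     "mongo": {"readFilter": "{'status': 'published'}",
               "writeFilter": "{'author': '@user._id'}"}},
]

# Constructed sample identities (not real accounts).
ALICE = {"_id": "alice@example.com", "roles": ["user"], "tenant": "acme"}
BOB = {"_id": "bob@example.com", "roles": ["editor"]}
ROOT = {"_id": "root@example.com", "roles": ["admin"]}
NO_TENANT = {"_id": "orphan@example.com", "roles": ["user"]}  # misconfigured user

PREDICATE_RE = re.compile(r"^path-prefix\[(.+)\]$")


def predicate_matches(predicate: str, path: str) -> bool:
    """Match the page's path-prefix[...] predicate on whole path segments,
    so /api/data does not also match /api/database."""
    m = PREDICATE_RE.match(predicate)
    if not m:
        return False  # unknown predicate syntax never grants access
    prefix = m.group(1).rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def parse_filter(template: str) -> Any:
    """Filters on the page are written with single quotes; normalise to JSON."""
    return json.loads(template.replace("'", '"'))


def resolve(node: Any, user: Dict[str, Any]) -> Any:
    """Substitute '@user.<field>' placeholders with the caller's own values.
    A missing field raises instead of substituting null, so a filter can
    never silently widen to 'tenant is null' and leak other tenants' data."""
    if isinstance(node, dict):
        return {k: resolve(v, user) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, user) for v in node]
    if isinstance(node, str) and node.startswith("@user."):
        field = node[len("@user."):]
        if field not in user:
            raise KeyError(f"authenticated user has no field {field!r}")
        return user[field]
    return node


def authorize(user: Dict[str, Any], method: str, path: str,
              client_filter: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Default deny: return allowed=False unless a permission matches. When one
    does, return the effective server-side filter the request must satisfy."""
    candidates = sorted(
        (p for p in PERMISSIONS
         if p["role"] in user.get("roles", [])
         and predicate_matches(p["predicate"], path)),
        key=lambda p: p["priority"],
    )
    if not candidates:
        return {"allowed": False, "reason": "no matching permission"}
    perm = candidates[0]
    key = "readFilter" if method.upper() in ("GET", "HEAD") else "writeFilter"
    try:
        server_filter = resolve(parse_filter(perm["mongo"][key]), user)
    except KeyError as exc:
        return {"allowed": False, "reason": str(exc)}
    if not server_filter:
        effective = client_filter or {}          # admin-style "{}" filter
    elif client_filter:
        # The client query is AND-ed with, never merged into, the server filter,
        # so a request that supplies its own 'tenant' cannot escape its scope.
        effective = {"$and": [server_filter, client_filter]}
    else:
        effective = server_filter
    return {"allowed": True, "role": perm["role"], "filter": effective}


if __name__ == "__main__":
    print(authorize(ALICE, "GET", "/api/data", {"tenant": "other"}))
    print(authorize(ALICE, "GET", "/api/posts"))           # denied: no rule
    print(authorize(BOB, "PATCH", "/api/posts/7"))          # author-scoped write
    print(authorize(ROOT, "DELETE", "/api/data/42"))        # unrestricted
    print(authorize(NO_TENANT, "GET", "/api/data"))         # denied, not widened
```

Two behaviours are worth checking in any filter-based authorization layer, and the example makes both explicit: a client that sends `{"tenant": "other"}` still ends up with `tenant = acme AND tenant = other`, which matches nothing, and a user record that lacks the field a filter references is refused outright rather than turned into a filter on a null value.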

An audit trail logs all access for security monitoring and compliance. You know who accessed what and when.

Start Building Secure Apps Immediately

With users and permissions ready to use, your timeline compresses dramatically. Day one, users can register, log in, and access their data. Day two, multi-tenant isolation is working perfectly. Day three, role-based features for admins and editors are live. Day four, you're fine-tuning permissions for your specific workflows.

You're not spending weeks writing authentication code or months security-hardening your implementation. You're not constantly worrying about vulnerabilities in code you wrote.

Real-World Examples

Collaborative Editing App - Editors can modify their team's documents, but only unlocked ones:

{
  "role": "editor",
  "mongo": {
    "readFilter": "{'team': '@user.team'}",
    "writeFilter": "{'team': '@user.team', 'locked': false}"
  }
}

Content Management System - Authors can edit their own drafts but see all published content:

{
  "role": "author",
  "mongo": {
    "readFilter": "{'$or': [{'status': 'published'}, {'author': '@user._id'}]}",
    "writeFilter": "{'author': '@user._id', 'status': 'draft'}"
  }
}

Admin Dashboard - Admins see everything, users see only their own data:

{
  "role": "admin",
  "predicate": "path-prefix[/api/]",
  "mongo": {
    "readFilter": "{}",
    "writeFilter": "{}"
  }
}

Focus on What Matters

Every hour you don't spend building authentication infrastructure is an hour you can spend on smart features users love, better user experience, business logic that differentiates your product, and innovation that drives your success.

Learn More

The RESTHeart Cloud permission system is powerful and flexible. For complete documentation and advanced patterns, visit:

Users and Permissions Documentation

Ready to Build?

Create a free RESTHeart Cloud service and start building secure applications immediately. No credit card required.
