allow: {
    authenticated: ((provider?) => Authorization<"private", undefined, false> & {
        to: typeof to;
    });
    custom: ((provider?) => Authorization<"custom", undefined, false> & {
        to: typeof to;
    });
    group: ((group, provider?) => Authorization<"groups", undefined, false> & {
        to: typeof to;
        withClaimIn: typeof withClaimIn;
    });
    groupDefinedIn: (<T>(groupsField, provider?) => Authorization<"groups", T, false> & {
        to: typeof to;
        withClaimIn: typeof withClaimIn;
    });
    groups: ((groups, provider?) => Authorization<"groups", undefined, false> & {
        to: typeof to;
        withClaimIn: typeof withClaimIn;
    });
    groupsDefinedIn: (<T>(groupsField, provider?) => Authorization<"groups", T, true> & {
        to: typeof to;
        withClaimIn: typeof withClaimIn;
    });
    guest: (() => Authorization<"public", undefined, false> & {
        to: typeof to;
    });
    owner: ((provider?) => Authorization<"owner", "owner", false> & {
        identityClaim: typeof identityClaim;
        to: typeof to;
    });
    ownerDefinedIn: (<T>(ownerField, provider?) => Authorization<"owner", T, false> & {
        identityClaim: typeof identityClaim;
        to: typeof to;
    });
    ownersDefinedIn: (<T>(ownersField, provider?) => Authorization<"owner", T, true> & {
        identityClaim: typeof identityClaim;
        to: typeof to;
    });
    publicApiKey: (() => Authorization<"public", undefined, false> & {
        to: typeof to;
    });
    resource: ((fn) => ResourceAuthorization & {
        to: typeof resourceTo;
    });
}

Defines an authorization rule for your data models and fields. First choose an authorization strategy (public, private, owner, group, or custom), then choose an auth provider (apiKey, identitypool, userPools, oidc, or function) and optionally use .to(...) to specify the operations that can be performed against your data models and fields.

Type declaration

  • Readonly authenticated: ((provider?) => Authorization<"private", undefined, false> & {
        to: typeof to;
    })

    Authorize authenticated users. By default, .authenticated() uses an Amazon Cognito user pool based authorization. You can additionally use .authenticated("identityPool") or .authenticated("oidc") to use identityPool or OIDC based authorization for authenticated users.

    Param: provider

    the authentication provider - supports "userPools", "identityPool", or "oidc"

    Returns

    an authorization rule for authenticated users

      • (provider?): Authorization<"private", undefined, false> & {
            to: typeof to;
        }
      • Authorize authenticated users. By default, .authenticated() uses an Amazon Cognito user pool based authorization. You can additionally use .authenticated("identityPool") or .authenticated("oidc") to use identityPool or OIDC based authorization for authenticated users.

        Parameters

        • Optional provider: PrivateProvider

          the authentication provider - supports "userPools", "identityPool", or "oidc"

        Returns Authorization<"private", undefined, false> & {
            to: typeof to;
        }

        an authorization rule for authenticated users

  • Readonly custom: ((provider?) => Authorization<"custom", undefined, false> & {
        to: typeof to;
    })
  • Readonly group: ((group, provider?) => Authorization<"groups", undefined, false> & {
        to: typeof to;
        withClaimIn: typeof withClaimIn;
    })

    Authorize a specific user group. Provide the name of the specific user group to have access.

    By default, .group() uses an Amazon Cognito user pool based authorization. You can additionally use .group("group-name", "oidc") to use OIDC based authentication to designate the user group.

    To change the specific claim that should be used as the user group identifier, chain the .withClaimIn(...) method.

    Param: group

    the name of the group to authorize

    Param: provider

    the authentication provider - supports "userPools" or "oidc"

    Returns

    an authorization rule to grant access by a specific group

      • (group, provider?): Authorization<"groups", undefined, false> & {
            to: typeof to;
            withClaimIn: typeof withClaimIn;
        }
      • Authorize a specific user group. Provide the name of the specific user group to have access.

        By default, .group() uses an Amazon Cognito user pool based authorization. You can additionally use .group("group-name", "oidc") to use OIDC based authentication to designate the user group.

        To change the specific claim that should be used as the user group identifier, chain the .withClaimIn(...) method.

        Parameters

        • group: string

          the name of the group to authorize

        • Optional provider: GroupProvider

          the authentication provider - supports "userPools" or "oidc"

        Returns Authorization<"groups", undefined, false> & {
            to: typeof to;
            withClaimIn: typeof withClaimIn;
        }

        an authorization rule to grant access by a specific group

  • Readonly groupDefinedIn: (<T>(groupsField, provider?) => Authorization<"groups", T, false> & {
        to: typeof to;
        withClaimIn: typeof withClaimIn;
    })

    Authorize if a user is part of a group defined in a data model field.

    By default, .groupDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .groupDefinedIn("field-name", "oidc") to use OIDC based authentication to designate the user group.

    To change the specific claim that should be used as the user group identifier within the groups field, chain the .withClaimIn(...) method.

    Param: groupsField

    the field that should store the authorized user group information

    Param: provider

    the authentication provider - supports "userPools" or "oidc"

    Returns

    an authorization rule to grant access by a specific group

      • <T>(groupsField, provider?): Authorization<"groups", T, false> & {
            to: typeof to;
            withClaimIn: typeof withClaimIn;
        }
      • Authorize if a user is part of a group defined in a data model field.

        By default, .groupDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .groupDefinedIn("field-name", "oidc") to use OIDC based authentication to designate the user group.

        To change the specific claim that should be used as the user group identifier within the groups field, chain the .withClaimIn(...) method.

        Type Parameters

        • T extends string

        Parameters

        • groupsField: T

          the field that should store the authorized user group information

        • Optional provider: GroupProvider

          the authentication provider - supports "userPools" or "oidc"

        Returns Authorization<"groups", T, false> & {
            to: typeof to;
            withClaimIn: typeof withClaimIn;
        }

        an authorization rule to grant access by a specific group

  • Readonly groups: ((groups, provider?) => Authorization<"groups", undefined, false> & {
        to: typeof to;
        withClaimIn: typeof withClaimIn;
    })

    Authorize multiple specific user groups. Provide the names of the specific user groups to have access.

    By default, .groups() uses an Amazon Cognito user pool based authorization. You can additionally use .groups(["group-a", "group-b"], "oidc") to use OIDC based authentication to designate the user group.

    To change the specific claim that should be used as the user group identifier, chain the .withClaimIn(...) method.

    Param: groups

    the names of the group to authorize defined as an array

    Param: provider

    the authentication provider - supports "userPools" or "oidc"

    Returns

    an authorization rule to grant access by a specific group

      • (groups, provider?): Authorization<"groups", undefined, false> & {
            to: typeof to;
            withClaimIn: typeof withClaimIn;
        }
      • Authorize multiple specific user groups. Provide the names of the specific user groups to have access.

        By default, .groups() uses an Amazon Cognito user pool based authorization. You can additionally use .groups(["group-a", "group-b"], "oidc") to use OIDC based authentication to designate the user group.

        To change the specific claim that should be used as the user group identifier, chain the .withClaimIn(...) method.

        Parameters

        • groups: string[]

          the names of the group to authorize defined as an array

        • Optional provider: GroupProvider

          the authentication provider - supports "userPools" or "oidc"

        Returns Authorization<"groups", undefined, false> & {
            to: typeof to;
            withClaimIn: typeof withClaimIn;
        }

        an authorization rule to grant access by a specific group

  • Readonly groupsDefinedIn: (<T>(groupsField, provider?) => Authorization<"groups", T, true> & {
        to: typeof to;
        withClaimIn: typeof withClaimIn;
    })

    Authorize if a user is part of a one of the groups defined in a data model field.

    By default, .groupsDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .groupsDefinedIn("field-name", "oidc") to use OIDC based authentication to designate the user group.

    To change the specific claim that should be used as the user group identifier within the groups field, chain the .withClaimIn(...) method.

    Param: groupsField

    the field that should store the list of authorized user groups

    Param: provider

    the authentication provider - supports "userPools" or "oidc"

    Returns

    an authorization rule to grant access by a specific group

      • <T>(groupsField, provider?): Authorization<"groups", T, true> & {
            to: typeof to;
            withClaimIn: typeof withClaimIn;
        }
      • Authorize if a user is part of a one of the groups defined in a data model field.

        By default, .groupsDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .groupsDefinedIn("field-name", "oidc") to use OIDC based authentication to designate the user group.

        To change the specific claim that should be used as the user group identifier within the groups field, chain the .withClaimIn(...) method.

        Type Parameters

        • T extends string

        Parameters

        • groupsField: T

          the field that should store the list of authorized user groups

        • Optional provider: GroupProvider

          the authentication provider - supports "userPools" or "oidc"

        Returns Authorization<"groups", T, true> & {
            to: typeof to;
            withClaimIn: typeof withClaimIn;
        }

        an authorization rule to grant access by a specific group

  • Readonly guest: (() => Authorization<"public", undefined, false> & {
        to: typeof to;
    })

    Authorize unauthenticated users by using IDENTITYPOOL based authorization.

    Returns

    an authorization rule for unauthenticated users

      • (): Authorization<"public", undefined, false> & {
            to: typeof to;
        }
      • Authorize unauthenticated users by using IDENTITYPOOL based authorization.

        Returns Authorization<"public", undefined, false> & {
            to: typeof to;
        }

        an authorization rule for unauthenticated users

  • Readonly owner: ((provider?) => Authorization<"owner", "owner", false> & {
        identityClaim: typeof identityClaim;
        to: typeof to;
    })

    Authorize access on a per-user (owner) basis. By setting owner-based authorization, a new owner: a.string() field will be added to the model to store which user "owns" the item. Upon item creation, the "owner field" is auto-populated with the authenticated user's information. If you want to specify which field should be used as the owner field, you can use the ownerDefinedIn builder function instead.

    By default, .owner() uses an Amazon Cognito user pool based authorization. You can additionally use .owner("oidc") to use OIDC based authentication to designate the owner.

    To change the specific claim that should be used as the user identifier within the owner field, chain the .identityClaim(...) method.

    Param: provider

    the authentication provider - supports "userPools", "identityPool", or "oidc"

    Returns

    an authorization rule for authenticated users

      • (provider?): Authorization<"owner", "owner", false> & {
            identityClaim: typeof identityClaim;
            to: typeof to;
        }
      • Authorize access on a per-user (owner) basis. By setting owner-based authorization, a new owner: a.string() field will be added to the model to store which user "owns" the item. Upon item creation, the "owner field" is auto-populated with the authenticated user's information. If you want to specify which field should be used as the owner field, you can use the ownerDefinedIn builder function instead.

        By default, .owner() uses an Amazon Cognito user pool based authorization. You can additionally use .owner("oidc") to use OIDC based authentication to designate the owner.

        To change the specific claim that should be used as the user identifier within the owner field, chain the .identityClaim(...) method.

        Parameters

        • Optional provider: OwnerProviders

          the authentication provider - supports "userPools", "identityPool", or "oidc"

        Returns Authorization<"owner", "owner", false> & {
            identityClaim: typeof identityClaim;
            to: typeof to;
        }

        an authorization rule for authenticated users

  • Readonly ownerDefinedIn: (<T>(ownerField, provider?) => Authorization<"owner", T, false> & {
        identityClaim: typeof identityClaim;
        to: typeof to;
    })

    Authorize access on a per-user (owner) basis with specifying which field should be used as the owner field.

    By default, .owner() uses an Amazon Cognito user pool based authorization. You can additionally use .ownerDefinedIn("owner", "oidc") to use OIDC based authentication to designate the owner.

    To change the specific claim that should be used as the user identifier within the owner field, chain the .identityClaim(...) method.

    Param: ownerField

    the field that contains the owner information

    Param: provider

    the authentication provider - supports "userPools", "identityPool", or "oidc"

    Returns

    an authorization rule for authenticated users

      • <T>(ownerField, provider?): Authorization<"owner", T, false> & {
            identityClaim: typeof identityClaim;
            to: typeof to;
        }
      • Authorize access on a per-user (owner) basis with specifying which field should be used as the owner field.

        By default, .owner() uses an Amazon Cognito user pool based authorization. You can additionally use .ownerDefinedIn("owner", "oidc") to use OIDC based authentication to designate the owner.

        To change the specific claim that should be used as the user identifier within the owner field, chain the .identityClaim(...) method.

        Type Parameters

        • T extends string

        Parameters

        • ownerField: T

          the field that contains the owner information

        • Optional provider: OwnerProviders

          the authentication provider - supports "userPools", "identityPool", or "oidc"

        Returns Authorization<"owner", T, false> & {
            identityClaim: typeof identityClaim;
            to: typeof to;
        }

        an authorization rule for authenticated users

  • Readonly ownersDefinedIn: (<T>(ownersField, provider?) => Authorization<"owner", T, true> & {
        identityClaim: typeof identityClaim;
        to: typeof to;
    })

    Authorize access for multi-user / multi-owner access. By setting multi-owner-based authorization, a new owners: a.string().array() field will be added to the model to store which users "own" the item. Upon item creation, the "owners field" is auto-populated with the authenticated user's information. To grant other users access to the item, append their user identifier into the owners array.

    You can specify which field should be used as the owners field by passing the ownersField parameter.

    By default, .ownersDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .ownersDefinedIn("owners", "oidc") to use OIDC based authentication to designate the owner.

    To change the specific claim that should be used as the user identifier within the owners field, chain the .identityClaim(...) method.

    Param: ownersField

    the field that contains the owners information

    Param: provider

    the authentication provider - supports "userPools", "identityPool", or "oidc"

    Returns

    an authorization rule for authenticated users

      • <T>(ownersField, provider?): Authorization<"owner", T, true> & {
            identityClaim: typeof identityClaim;
            to: typeof to;
        }
      • Authorize access for multi-user / multi-owner access. By setting multi-owner-based authorization, a new owners: a.string().array() field will be added to the model to store which users "own" the item. Upon item creation, the "owners field" is auto-populated with the authenticated user's information. To grant other users access to the item, append their user identifier into the owners array.

        You can specify which field should be used as the owners field by passing the ownersField parameter.

        By default, .ownersDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .ownersDefinedIn("owners", "oidc") to use OIDC based authentication to designate the owner.

        To change the specific claim that should be used as the user identifier within the owners field, chain the .identityClaim(...) method.

        Type Parameters

        • T extends string

        Parameters

        • ownersField: T

          the field that contains the owners information

        • Optional provider: OwnerProviders

          the authentication provider - supports "userPools", "identityPool", or "oidc"

        Returns Authorization<"owner", T, true> & {
            identityClaim: typeof identityClaim;
            to: typeof to;
        }

        an authorization rule for authenticated users

  • Readonly publicApiKey: (() => Authorization<"public", undefined, false> & {
        to: typeof to;
    })

    Authorize unauthenticated users by using API key based authorization.

    Returns

    an authorization rule for unauthenticated users

      • (): Authorization<"public", undefined, false> & {
            to: typeof to;
        }
      • Authorize unauthenticated users by using API key based authorization.

        Returns Authorization<"public", undefined, false> & {
            to: typeof to;
        }

        an authorization rule for unauthenticated users

  • Readonly resource: ((fn) => ResourceAuthorization & {
        to: typeof resourceTo;
    })