Security
Security — Authentication, RBAC, and field-level authorization
Server-Side Injection
The inject parameter on @fraiseql.query and @fraiseql.mutation binds JWT claim values to SQL parameters server-side. The injected value is resolved from the verified JWT — the client never supplies it and cannot override it.
Why use inject?
Section titled “Why use inject?”Without injection, filtering by the current user requires either:
- Passing
owner_idas a client-visible GraphQL argument (user could supply any value) - Writing a separate SQL view per user context
With inject, the filter is invisible to GraphQL clients and cryptographically tied to the JWT:
# Without inject — owner_id is a client argument (insecure without extra validation)@fraiseql.query(sql_source="v_documents")def documents(owner_id: str) -> list[Document]: ...
# With inject — owner_id comes from jwt.sub, clients cannot influence it@fraiseql.query(sql_source="v_documents", inject={"owner_id": "jwt:sub"})def my_documents() -> list[Document]: ...Queries
Section titled “Queries”@fraiseql.query( sql_source="v_documents", inject={"owner_id": "jwt:sub"})def my_documents() -> list[Document]: ...The compiled SQL will include WHERE owner_id = <jwt.sub> using the value from the verified token. The owner_id column must exist in the view.
Mutations
Section titled “Mutations”@fraiseql.mutation( sql_source="fn_create_document", inject={"created_by": "jwt:sub"})def create_document(title: str) -> Document: ...Injected values are appended after the explicit GraphQL arguments when calling the SQL function.
Multi-tenant queries
Section titled “Multi-tenant queries”@fraiseql.query( sql_source="v_orders", inject={"tenant_id": "jwt:tenant_id"})def orders() -> list[Order]: ...Supported sources
Section titled “Supported sources”Only jwt:<claim_name> is supported. The claim name must be a valid identifier ([A-Za-z_][A-Za-z0-9_]*):
| Source string | Resolves from JWT claim | Typical use |
|---|---|---|
jwt:sub | sub (subject) | Current user ID |
jwt:tenant_id | tenant_id | Multi-tenant isolation |
jwt:org_id | org_id | Organisation scoping |
jwt:<any_claim> | Any claim present in the token | Custom attributes |
Rules and validation
Section titled “Rules and validation”Compile-time checks (fraiseql compile):
- Inject key must be a valid identifier:
^[A-Za-z_][A-Za-z0-9_]*$ - Source value must match
^jwt:[A-Za-z_][A-Za-z0-9_]*$— other formats (e.g.header:) are rejected - Inject key must not conflict with a declared GraphQL argument on the same query or mutation
Runtime:
- Unauthenticated requests to queries or mutations with
injectare rejected with a validation error. There is no anonymous bypass. - If the specified claim is absent from the JWT, the request is rejected.
Example: Row-Level Security without PostgreSQL RLS
Section titled “Example: Row-Level Security without PostgreSQL RLS”inject is an alternative to PostgreSQL ROW LEVEL SECURITY policies for simpler setups:
@fraiseql.query( sql_source="v_post", inject={"author_id": "jwt:sub"})def my_posts() -> list[Post]: ...-- v_post filters to the injected author_id automaticallyCREATE VIEW v_post AS SELECT jsonb_build_object('id', id, 'title', title, 'author_id', author_id) AS data FROM tb_post;The SQL layer receives author_id = '<value from jwt.sub>' appended to the query, equivalent to WHERE author_id = $1 with a parameterized value.
Next Steps
Section titled “Next Steps”Multi-Tenancy
Multi-Tenancy — Tenant isolation patterns
Decorators
Decorators — Full decorator reference