In Fluree, an auth record is the central component of identity. Every query and transaction is attributed to a particular auth record. If using a closed API, the auth record is the one that signed that query or transaction. If using `fdb-api-open` (see config options), you can still sign queries and transactions. However, if you do not sign them, queries and transactions are automatically connected to a default auth record with root access.
An auth record's `_auth/id` is derived from a private key. There are many ways to generate an auth-public-private key trio.
An auth record can belong to a user. A user can have many auth records.
Auth records handle identity. Smart functions handle permissions. By default, when you create a new auth record, it has no permissions. In order to give an auth record permissions, you must give your auth record roles, which in turn have rules. Those rules in turn reference smart functions.
|(optional) A unique username for this user.|
|(optional) Reference to auth entities available for this user to authenticate. Note if no auth entities exist, the user will be unable to authenticate.|
|(optional) References to the default roles that apply to this user. If roles are specified via the |
|(optional) Globally unique id for this auth record.|
|(optional) A docstring for this auth record.|
|(optional) A unique lookup key for this auth record.|
|(optional) The type of authorization this is. Current type tags supported are: |
|(optional) The hashed secret. When using this as a |
|(optional) The type of hashing algorithm used on the |
|(optional) If the user is currently trying to reset a password/secret, an indexed reset token can be stored here allowing quick access to the specific auth record that is being reset. This predicate is not used anywhere in the ledger, but you can create an application using logins and passwords with the help of this predicate.|
|(optional) Multi-cardinality reference to roles to use if authenticated via this auth record. If not provided, this |
|(optional) Authorities for this auth record. References another _auth record. Any auth records referenced in |
|Fuel this auth record has. Fuel is used to meter usage in the hosted version of Fluree, but an application can use this predicate to meter fuel usage in the downloadable version as well.|
|(optional) A unique identifier for this role.|
|(optional) A docstring for this role.|
|(required) References to rule entities that this role aggregates.|
|(optional) A unique identifier for this rule.|
|(optional) A docstring for this rule.|
|(required) The collection name this rule applies to. In addition to a collection name, the special glob character |
|Indicates if this rule is a default rule for the specified collection. Use either this or |
|(optional) A multi-cardinality list of predicates this rule applies to. The special glob character |
|(required) Multi-cardinality reference to |
|(required) Multi-cardinality tag of action(s) this rule applies to. Current tags supported are |
|(optional) If this rule prevents a transaction from executing, this optional error message can be returned to the client instead of the default error message (which is intentionally generic to limit insights into the ledger configuration).|
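
The chain described above (auth record, then roles, then rules, then smart functions), written as a single transaction that grants one auth record read-only access to one collection. This is an added example, not part of the original page. The predicate names follow Fluree's `_auth`, `_role`, `_rule` and `_fn` system collections and the tempid syntax `_collection$name`; the `invoice` collection, the ids and the `REPLACE_WITH_AUTH_ID` placeholder are constructed, so check the names against your Fluree version before use.

```json
[
  {
    "_id": "_rule$readInvoices",
    "id": "readInvoices",
    "doc": "Constructed example rule: allow queries against the invoice collection only.",
    "collection": "invoice",
    "collectionDefault": true,
    "fns": [["_fn/name", "true"]],
    "ops": ["query"]
  },
  {
    "_id": "_role$invoiceReader",
    "id": "invoiceReader",
    "doc": "Constructed example role: aggregates the read-only invoice rule.",
    "rules": ["_rule$readInvoices"]
  },
  {
    "_id": "_auth$reader",
    "id": "REPLACE_WITH_AUTH_ID",
    "doc": "Constructed example auth record: can query invoices and nothing else.",
    "roles": ["_role$invoiceReader"]
  }
]
```

Because a new auth record starts with no permissions, anything not covered by `readInvoices` stays denied for requests signed with this record's key.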