Security - ljcom/operadb GitHub Wiki

🔐 Security & Access – OperaDB

OperaDB includes access control mechanisms to manage who can perform what actions on which data.


🧍 Actor Roles

Each actor has one or more roles:

  • guest, user, admin, system, or custom roles

Reducers and schemas can define role-based permission checks:

if (!actor.roles.includes("admin")) {
  throw new Error("Unauthorized");
}

🔒 Token-Based Access

Clients authenticate with a token sent in the HTTP Authorization header:

Authorization: Bearer <token>

Sessions can be managed with:

  • JWT
  • Server-side memory/session store
  • Third-party auth providers (coming soon)

🛡 Event Validation

Events can be signed (future feature):

  • Ensure authenticity
  • Prevent tampering
  • Enable audit trails

🔐 Account-Based Isolation

Entities and schemas are isolated per account:

  • Each tenant/org has its own namespace
  • Access to data is scoped by accountId
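
Added example, not OperaDB's own code: one way to combine the role check from Actor Roles with the accountId scoping above, so a reducer rejects under-privileged, cross-account and malformed actors alike. The names AuthError, authorize, guardReducer and renameItem, the reducer signature (state, event, actor), and the sample data are assumptions.

```javascript
// Hypothetical helpers for illustration; these are not OperaDB APIs.
class AuthError extends Error {
  constructor(reason) {
    super("Unauthorized"); // generic message returned to the caller
    this.reason = reason;  // specific reason kept for server-side audit logs
  }
}

// Allow only if the actor is well-formed, belongs to the entity's account,
// and holds at least one allowed role. Anything else is denied (fail closed).
function authorize(actor, entity, allowedRoles) {
  if (!actor || !Array.isArray(actor.roles) || typeof actor.accountId !== "string") {
    throw new AuthError("malformed-actor");
  }
  if (!entity || entity.accountId !== actor.accountId) {
    throw new AuthError("cross-account");
  }
  if (!allowedRoles.some((role) => actor.roles.includes(role))) {
    throw new AuthError("missing-role");
  }
}

// Wrap a reducer so the check always runs before any state change.
function guardReducer(allowedRoles, reducer) {
  return (state, event, actor) => {
    authorize(actor, state, allowedRoles);
    return reducer(state, event);
  };
}

// Constructed sample reducer: only admins of the owning account may rename.
const renameItem = guardReducer(["admin"], (state, event) => ({ ...state, name: event.name }));

// Returns the new name on success, or the denial reason on failure.
function tryRename(actor, entity) {
  try {
    return renameItem(entity, { name: "renamed" }, actor).name;
  } catch (err) {
    if (err instanceof AuthError) return err.reason;
    throw err;
  }
}

// Constructed sample data.
const item = { accountId: "acct-a", name: "original" };
console.log(tryRename({ accountId: "acct-a", roles: ["admin"] }, item)); // renamed
console.log(tryRename({ accountId: "acct-b", roles: ["admin"] }, item)); // cross-account
console.log(tryRename({ accountId: "acct-a", roles: ["user"] }, item));  // missing-role
console.log(tryRename({ accountId: "acct-a" }, item));                   // malformed-actor
```

An admin role in one account grants nothing in another here, because the accountId comparison runs before the role check.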
