spacetimedb-auth

SKILL.md

Use this skill for identity, claims, access control, and authorization policy.

Core auth patterns

  • SpacetimeDB derives an Identity from the JWT sub and iss claims. Use identity for stable ownership; use JWT claims for provider, audience, role, and policy decisions.
  • Authenticated modules should reject unauthenticated clients in client_connected/clientConnected before they can subscribe or call reducers.
  • Always validate issuer and audience before trusting subject or custom claims. Claim names and expected values are deployment-specific.
  • Treat senderAuth/SenderAuth/sender_auth() as the source of JWT details, not the client-provided identity alone.
  • Use role or custom-claim helpers inside reducers for authorization checks; return sender-facing errors for expected denials.
  • RLS is experimental. Its rules are SQL filters that use :sender for the caller identity and return full rows from a single table; multiple rules on the same table are ORed together. Module owners bypass RLS.

TypeScript connection rejection pattern:

import { SenderError } from "spacetimedb/server";

const OIDC_CLIENT_IDS = ["client_..."];
Installs: 26
GitHub Stars: 7
First Seen: May 7, 2026
spacetimedb-auth — danmossa/spacetimedb-skills