Permissions
Permissions define what an authenticated user can do with Liveblocks resources such as rooms, comments, and feeds. When using ID token authentication, permissions are set on rooms. With access tokens, you permissions are granted when a user authenticates.
| Permission | Resource | Description |
|---|---|---|
*:read | Read access to everything. | |
*:write | Write access to everything. | |
storage:read | Storage | Read access to storage (Liveblocks Storage and Yjs). |
storage:write | Storage | Write access to storage (Liveblocks Storage and Yjs). |
storage:none | Storage | No access to storage (Liveblocks Storage and Yjs). |
comments:read | Comments | Read access to public and private threads. |
comments:write | Comments | Write access to public and private threads. |
comments:none | Comments | No access to public and private threads. |
comments:public:read | Public threads | Read access to public threads. |
comments:public:write | Public threads | Write access to public threads. |
comments:public:none | Public threads | No access to public threads. |
comments:private:read | Private threads | Read access to private threads. |
comments:private:write | Private threads | Write access to private threads. |
comments:private:none | Private threads | No access to private threads. |
feeds:read | Feeds | Read access to feeds. |
feeds:write | Feeds | Write access to feeds. |
feeds:none | Feeds | No access to feeds. |
Example usage
Permissions are set as an array of strings, in any order, and setting an empty array means no access. You can use these permissions with Liveblocks APIs, for example when creating a room.
Note that groupIds and userId are set when authenticating a user.
More information
A user’s access to a room is defined by a list of permissions.
Each permission uses the format resource:scope. The resource can be * for
the whole room, with read or write scope. Specific resources such as
storage, comments, and feeds can use read, write, or none.
Base permissions
By setting the permission for the resource *, you define the base scope for
all the resources of the room. You can choose between read or write access:
*:read→ the user will have read access to everything in the room.*:write→ the user will have write access to everything in the room.
The legacy names room:read and room:write are still supported. They’re
equivalent to *:read and *:write, but we recommend using the new naming
convention.
More granular permissions
You can opt into or opt out of access to specific room resources:
- Storage with
storage:read,storage:write, orstorage:none. - Comments with
comments:read,comments:write, orcomments:none. - Public threads with
comments:public:read,comments:public:write, orcomments:public:none. - Private threads with
comments:private:read,comments:private:write, orcomments:private:none. - Feeds with
feeds:read,feeds:write, orfeeds:none.
The comments:* permissions apply to public and private threads. Use
comments:public:* and comments:private:* to override one visibility.
Here’s an example giving write access to everything except read-only access to storage:
Here’s an example giving read access to everything, except write access to comments and no access to feeds:
Here’s an example giving write access to public threads, but no access to private threads:
Public and private threads
By default, threads are visible to all users that have permission to read the
room, but they can be marked as private by passing visibility: "private" when
the thread is created. Users then need private comments permissions to create or
read private threads. For more information, read
how to add private commenting to your app,
or find a summary of the APIs under
public and private threads.
Private threads are only available on Team and Enterprise plans.
Where to use permissions
With ID tokens, use permissions in defaultAccesses, groupsAccesses, and
usersAccesses when you
create or update rooms. With
access tokens, use permissions when you
allow access to rooms in
an authentication endpoint.