---
meta:
  title: "Permissions"
  parentTitle: "Authentication"
  description: "Learn how Liveblocks permissions work."
---

Permissions define what an authenticated user can do with Liveblocks resources
such as rooms, comments, and feeds.

With [ID tokens](/docs/authentication#id-token), permissions live on the room
and Liveblocks checks them when a user connects. With
[access tokens](/docs/authentication/access-token), you grant permissions when
you prepare a session.

## Permission format [#permission-format]

A user’s access to a room is defined by a list of permissions.

Each permission uses the format `resource:scope`. The resource can be `*` for
the whole room, with `read` or `write` scope. Specific resources such as
`storage`, `comments`, and `feeds` can use `read`, `write`, or `none`.

### Base permissions [#base-permissions]

By setting the permission for the resource `*`, you define the base scope for
all the resources of the room. You can choose between read or write access:

- `*:read` → the user will have read access to everything in the room.
- `*:write` → the user will have write access to everything in the room.

<Banner title="Legacy naming convention">

The legacy names `room:read` and `room:write` are still supported. They’re
equivalent to `*:read` and `*:write`, but we recommend using the new naming
convention.

</Banner>

### More granular permissions [#granular-permissions]

You can opt into or opt out of access to specific room resources:

- **Storage** with `storage:read`, `storage:write`, or `storage:none`.
- **Comments** with `comments:read`, `comments:write`, or `comments:none`.
- **Feeds** with `feeds:read`, `feeds:write`, or `feeds:none`.

Here’s an example giving write access to everything except storage, which is
read-only:

```ts
[
  "*:write",
  "storage:read", // Lower storage access from write to read
];
```

Here’s an example giving read access to everything, except write access to
comments and no access to feeds:

```ts
[
  "*:read",
  "comments:write", // Raise comments access to write
  "feeds:none", // Remove access to feeds
];
```

### List of all permissions

<Table columns={["22%", "18%", "auto"]}>

| Permission       | Resource | Description                                           |
| ---------------- | -------- | ----------------------------------------------------- |
| **`*:read`**     |          | **Read access to everything.**                        |
| **`*:write`**    |          | **Write access to everything.**                       |
| `storage:read`   | Storage  | Read access to storage (Liveblocks Storage and Yjs).  |
| `storage:write`  | Storage  | Write access to storage (Liveblocks Storage and Yjs). |
| `storage:none`   | Storage  | No access to storage (Liveblocks Storage and Yjs).    |
| `comments:read`  | Comments | Read access to comments.                              |
| `comments:write` | Comments | Write access to comments.                             |
| `comments:none`  | Comments | No access to comments.                                |
| `feeds:read`     | Feeds    | Read access to feeds.                                 |
| `feeds:write`    | Feeds    | Write access to feeds.                                |
| `feeds:none`     | Feeds    | No access to feeds.                                   |

</Table>
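The following is an added example, not Liveblocks code: a lint that resolves a permission list into the effective scope of each resource and rejects entries outside the format described above, so a typo fails closed before the list reaches a room or session. The function name `resolvePermissions` is hypothetical, and treating a list with no base permission as no access, as well as rejecting duplicate entries, are assumptions of this example rather than documented Liveblocks behavior.

```typescript
type Scope = "none" | "read" | "write";
type Resource = "storage" | "comments" | "feeds";

const RESOURCES: Resource[] = ["storage", "comments", "feeds"];
const SCOPES: Scope[] = ["none", "read", "write"];

// Resolve a `resource:scope` list into the effective scope per resource.
// Throws on anything outside the documented format.
function resolvePermissions(permissions: string[]): Record<Resource, Scope> {
  let base: Scope | undefined;
  const overrides: Partial<Record<Resource, Scope>> = {};

  for (const entry of permissions) {
    const parts = entry.split(":");
    if (parts.length !== 2) throw new Error("Malformed permission: " + entry);
    // Legacy room:read / room:write are equivalent to *:read / *:write
    const resource = parts[0] === "room" ? "*" : parts[0];
    const scope = parts[1] as Scope;
    if (SCOPES.indexOf(scope) === -1) throw new Error("Unknown scope: " + entry);

    if (resource === "*") {
      // The base permission accepts read or write only
      if (scope === "none") throw new Error("Base scope must be read or write: " + entry);
      // Assumption of this lint: two base entries are ambiguous, so reject them
      if (base !== undefined) throw new Error("Duplicate base permission: " + entry);
      base = scope;
    } else if (RESOURCES.indexOf(resource as Resource) !== -1) {
      const key = resource as Resource;
      // Assumption of this lint: one entry per resource
      if (overrides[key] !== undefined) throw new Error("Duplicate permission: " + entry);
      overrides[key] = scope;
    } else {
      throw new Error("Unknown resource: " + entry);
    }
  }

  // Assumption: with no base permission, unlisted resources get no access
  const fallback: Scope = base ?? "none";
  const effective = {} as Record<Resource, Scope>;
  // A granular entry overrides the base scope for its resource
  for (const r of RESOURCES) effective[r] = overrides[r] ?? fallback;
  return effective;
}
```
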

## Where to use permissions [#where-to-use-permissions]

With ID tokens, use permissions in `defaultAccesses`, `groupsAccesses`, and
`usersAccesses` when you
[create or update rooms](/docs/authentication#id-token-room-permissions). With
access tokens, use permissions when you
[allow access to rooms](/docs/authentication/access-token#room-permissions) in
an authentication endpoint.

