
The Node.js reference server uses an authConfig object to define authorization rules at any level of your data tree. Resolution is deepest-match-wins: the $auth function closest to the requested path is the only one that runs, and any $auth functions above it on the same path are not consulted.

authConfig Structure

The authConfig object mirrors the shape of your data store. Attach a $auth function to any node to guard that path and everything beneath it (until a deeper node's own $auth takes over).
const authConfig = {
  users: {
    $auth(token, accessArray, operation) {
      // token       — Bearer token string (empty string if absent)
      // accessArray — path segments after this node
      // operation   — "get" | "get:batch" | "get:command" | "set" | "add" | "remove"
      if (operation.startsWith("get")) {
        return ["admin-secret", "readonly-token"].includes(token);
      }
      return token === "admin-secret";
    },

    user1: {
      $auth(token, accessArray, operation) {
        // accessArray = segments after "users.user1", e.g. ["name"]
        return token === "admin-secret";
      },
    },
  },

  meta: {
    $auth(token, accessArray, operation) {
      if (operation.startsWith("get")) return true; // reads open
      return token === "admin-secret";              // writes restricted
    },
  },

  posts: {
    $auth(token, accessArray, operation) {
      return true; // fully public
    },
  },
};
Each $auth function receives three arguments:
token (string): The Bearer token extracted from the Authorization header. An empty string if no Authorization header was sent.
accessArray (string[]): The path segments after the node where this $auth function is defined. For example, if $auth is on users and the request is for users.user1.name, then accessArray is ["user1", "name"].
operation (string): What the client is trying to do. See the Operation Types table below.
Return true to allow the request or false to deny it (the server responds with 403 Forbidden).

Resolution Algorithm

1. Walk the authConfig tree. Starting from the root of authConfig, follow the path segments of the requested path one by one, descending into child nodes (the walk stops as soon as a segment has no matching child node).
2. Collect every $auth function encountered. Each time a node along the way has a $auth function, record it along with the remaining path segments at that point.
3. Use the deepest match. The $auth function that was found furthest down the tree is called. It receives the path segments that come after its own node as accessArray. Shallower $auth functions on the same path are not called.
4. Fall back to open access if no $auth is found. If no $auth function is found at any level along the path, the request is allowed without restriction. This default is open, not closed: a path with no $auth on it or on any ancestor is readable and writable by anyone, so put a $auth on the root (see Locking Down the Root) unless that is intended.
Example, for the path users.user1.name:
  1. authConfig.users.user1.$auth is found and called with accessArray = ["name"] (deepest match; this one runs)
  2. authConfig.users.$auth would be called with accessArray = ["user1", "name"] (fallback, skipped)
  3. Root authConfig.$auth would be called with all segments (root fallback, skipped)
Because authConfig.users.user1.$auth is the deepest match, it is the only function that runs.
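The four steps above, implemented in JavaScript as an added example. This is not the dragonjson server's own resolver (its internals are not shown on this page); it assumes dot-separated path strings and the $auth key exactly as documented, runs against the sample authConfig from the top of this page, and also exercises the root-level default described under Locking Down the Root.

```javascript
// Added example, not the dragonjson server's own code. Assumptions: requested
// paths are dot-separated strings ("users.user1.name") and "$auth" is the
// guard key, as documented on this page.

// The sample authConfig from this page.
const sampleAuthConfig = {
  users: {
    $auth(token, accessArray, operation) {
      if (operation.startsWith("get")) {
        return ["admin-secret", "readonly-token"].includes(token);
      }
      return token === "admin-secret";
    },
    user1: {
      $auth(token, accessArray, operation) {
        return token === "admin-secret"; // stricter than the parent rule
      },
    },
  },
  meta: {
    $auth(token, accessArray, operation) {
      if (operation.startsWith("get")) return true;
      return token === "admin-secret";
    },
  },
  posts: {
    $auth() {
      return true;
    },
  },
};

// The root-locked configuration from the Locking Down the Root section.
const rootLockedConfig = {
  $auth(token, accessArray, operation) {
    return token === "admin-secret"; // default: admin only
  },
  posts: {
    $auth() { return true; }, // override: posts are fully public
  },
};

// Steps 1 and 2: walk the tree along the path and record every $auth met,
// each with the segments that remain after its node. Entries are returned
// root-first, so the last one is the deepest match.
function collectAuthChain(authConfig, segments) {
  const chain = [];
  let node = authConfig;
  for (let depth = 0; depth <= segments.length; depth++) {
    if (node !== null && typeof node === "object" && typeof node.$auth === "function") {
      chain.push({ depth, fn: node.$auth, accessArray: segments.slice(depth) });
    }
    if (depth === segments.length) break;
    const segment = segments[depth];
    // Descend only into own properties, so a segment such as "constructor"
    // or "__proto__" cannot resolve to inherited Object members.
    if (node === null || typeof node !== "object" ||
        !Object.prototype.hasOwnProperty.call(node, segment)) {
      break; // path leaves the configured tree; rules found so far still apply
    }
    node = node[segment];
  }
  return chain;
}

// Steps 3 and 4: call only the deepest $auth; with none found, allow.
// Anything other than a literal `true` is treated as a denial (this
// example's fail-closed choice, not something the page specifies).
function authorize(authConfig, path, token, operation) {
  const segments = path === "" ? [] : path.split(".");
  const chain = collectAuthChain(authConfig, segments);
  if (chain.length === 0) return true;
  const deepest = chain[chain.length - 1];
  return deepest.fn(token, deepest.accessArray, operation) === true;
}

// HTTP-style wrapper: 403 Forbidden on denial, as the page describes.
function statusFor(authConfig, path, token, operation) {
  return authorize(authConfig, path, token, operation) ? 200 : 403;
}

// The worked example from the page: for users.user1.name only the user1
// rule runs, so a read-only token that users.$auth would accept is rejected.
console.log(collectAuthChain(sampleAuthConfig, ["users", "user1", "name"]).map((r) => r.accessArray));
console.log(statusFor(sampleAuthConfig, "users.user1.name", "readonly-token", "get")); // 403
console.log(statusFor(sampleAuthConfig, "users.user2.name", "readonly-token", "get")); // 200
console.log(statusFor(sampleAuthConfig, "settings.theme", "", "set"));                 // 200: no $auth, open
console.log(statusFor(rootLockedConfig, "settings.theme", "", "set"));                 // 403: root default
```

Two choices in this example are worth keeping if you write your own resolver: descending only into own properties keeps path segments like constructor or __proto__ from resolving to inherited members of a plain object, and treating anything other than a literal true as a denial means a rule that accidentally returns a truthy string or object fails closed.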

Operation Types

The operation argument tells your $auth function exactly which client action triggered the check.
Operation      Triggered by
get            Single path read (GET ?path=)
get:batch      Path appeared in a batched read (GET ?paths=)
get:command    Freeform query (GET ?path=&command=)
set            $set mutation (POST with no __op in the body)
add            $add mutation (POST with __op: "add")
remove         $remove mutation (POST with __op: "remove")
Use operation.startsWith("get") to match all read operations at once.

Common Patterns

Fully public path

Allow everyone, no token required:
posts: {
  $auth(token, accessArray, operation) {
    return true;
  },
},

Read-only path

Reads are open; all mutations are denied:
meta: {
  $auth(token, accessArray, operation) {
    return operation.startsWith("get");
  },
},

Admin-only path

Only requests carrying the admin token are accepted, for any operation:
users: {
  $auth(token, accessArray, operation) {
    return token === "admin-secret";
  },
},

Locking Down the Root

Add a $auth function directly on the root of authConfig to set a default rule that applies to any path not covered by a more specific node. Specific child rules always override it.
const authConfig = {
  $auth(token, accessArray, operation) {
    return token === "admin-secret"; // default: admin only
  },

  posts: {
    $auth() { return true; }, // override: posts are fully public
  },
};
With this configuration, posts and everything beneath it are public, while every other path in the store requires the admin token.
The root $auth is checked last — it only runs if no more specific $auth is found for the requested path. It does not run in addition to a matching child $auth.

The accessArray parameter lets you build dynamic rules, for example allowing users to read only their own data by comparing accessArray[0] to a user ID taken from the token. Take the ID from a token the server has verified, not merely parsed: a client can edit anything it can forge.
