This guide shows you how to configure authorization for your Turso databases using JSON Web Key Sets (JWKS) and an authentication provider.

Overview

Turso supports authorization through JWT tokens issued by your authentication provider. You can either:
  • Create database or group tokens via Turso CLI
  • Let your authentication provider issue tokens using JWKS
This quickstart focuses on the JWKS approach, which allows you to leverage your existing authentication infrastructure.
During the Turso Beta, we only support Clerk & Auth0 as OIDC providers.

1. Setup Authentication Provider

First, configure your authentication provider to issue JWT tokens. This example uses Clerk.

Configure JWT Permissions

Use the Turso CLI to generate a JWT template with fine-grained permissions:
# Full access to all tables in a database
turso org jwks template --database <database-name> --scope full-access

# Read-only access to all tables in a group
turso org jwks template --group <group-name> --scope read-only

# Fine-grained permissions for specific tables in a database
turso org jwks template \
  --database <database-name> \
  --permissions all:data_read \
  --permissions comments:data_add \
  --permissions posts:data_add,data_update
Available flags:
  • --database or -d: Specify the database name (required if --group not specified)
  • --group or -g: Specify the group name (required if --database not specified)
  • --scope or -s: Set scope to full-access or read-only
  • --permissions or -p: Define table-level permissions in format <table-name|all>:<action1>,<action2>
Available actions for --permissions:
  • data_read - Read data from tables
  • data_update - Update existing data
  • data_add - Insert new data
  • data_delete - Delete data
  • schema_update - Modify table schemas
  • schema_add - Create new tables
  • schema_delete - Drop tables
data_read is allowed on SQLite system tables (e.g., sqlite_master, sqlite_schema) by default, allowing users to query database metadata.
Either --database or --group must be specified when generating a JWT template.

Configure JWT Template

Set up a JWT template in your auth provider to include permissions based on user metadata. This allows you to control access at the table and action level. For example, you can configure your JWT template to:
  • Grant admin users data_delete permissions
  • Grant moderator users data_update and data_read permissions
  • Grant regular users data_read permissions only
The permissions are based on user metadata (e.g., role, group membership) and embedded in the JWT token.
If you don’t set up a JWT template with specific permissions, the generated tokens will have access to all databases in all groups by default.
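
A pre-flight check for the permission specs described under Configure JWT Permissions and the per-role grants listed above, as an added example that is not part of Turso's documentation or tooling. It validates each <table-name|all>:<action1>,<action2> spec against the action list on this page and flags broad grants before they go into a template; the function names, the review policy and the role-to-spec mapping are assumptions made for illustration.

```javascript
// Actions this page lists for --permissions.
const ACTIONS = new Set([
  "data_read", "data_update", "data_add", "data_delete",
  "schema_update", "schema_add", "schema_delete",
]);

// Parse <table-name|all>:<action1>,<action2> specs into Map(table -> Set(actions)).
// Throws on malformed specs or actions outside the list above.
function parsePermissions(specs) {
  const grants = new Map();
  for (const spec of specs) {
    const idx = spec.indexOf(":");
    const table = spec.slice(0, Math.max(idx, 0)).trim();
    const actions = spec.slice(idx + 1).split(",").map((a) => a.trim());
    if (idx < 0 || !table) throw new Error(`malformed permission spec: "${spec}"`);
    const set = grants.get(table) ?? new Set();
    for (const action of actions) {
      if (!ACTIONS.has(action)) throw new Error(`unknown action "${action}" in "${spec}"`);
      set.add(action);
    }
    grants.set(table, set);
  }
  return grants;
}

// Least-privilege findings for one role's specs (the review policy is an assumption).
function auditPermissions(specs) {
  if (specs.length === 0) {
    return ["no permissions set: tokens default to all databases in all groups"];
  }
  const findings = [];
  for (const [table, actions] of parsePermissions(specs)) {
    for (const action of actions) {
      if (action.startsWith("schema_")) {
        findings.push(`${table}: ${action} lets the token holder change the schema`);
      } else if (table === "all" && action !== "data_read") {
        findings.push(`all: ${action} applies to every table`);
      }
    }
  }
  return findings;
}

// Constructed role mapping; table names are sample values.
const ROLE_SPECS = {
  admin: ["all:data_read", "posts:data_delete", "comments:data_delete"],
  moderator: ["all:data_read", "posts:data_update"],
  regular: ["all:data_read"],
};
for (const [role, specs] of Object.entries(ROLE_SPECS)) console.log(role, auditPermissions(specs));
```

The check only inspects the specs you intend to pass to --permissions; it does not read or verify issued tokens.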

2. Add JWKS Endpoint to Turso

Add your authentication provider’s JWKS endpoint to your Turso organization.

Using the CLI

turso org jwks save <name> <url>
Example:
turso org jwks save clerk https://your-app.clerk.accounts.dev/.well-known/jwks.json

Using the Dashboard

Navigate to your organization settings in the Turso Dashboard and add the JWKS endpoint URL.

3. Use Tokens in Your Application

Pass the JWT token from your authentication provider when creating the database client:
import { createClient } from "@tursodatabase/serverless";

// Get the JWT token from your auth provider
const authToken = await getAuthToken(); // e.g., from Clerk, Auth0, etc.

const db = createClient({
  url: "https://<db>.turso.io",
  authToken, // Use the JWT from your auth provider
});

// Now all database operations use the authorization token
const result = await db.execute("SELECT * FROM users");
The authToken can be:
  • A JWT token issued by your authentication provider (via JWKS)
  • A database token created with turso db tokens create <db>
  • A group token for accessing multiple databases

Managing JWKS Endpoints

List JWKS Endpoints

turso org jwks list

Remove JWKS Endpoint

turso org jwks remove <name>