Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.turso.tech/llms.txt

Use this file to discover all available pages before exploring further.

Fine-grained permissions let you control access at the table and action level. They work with both CLI-generated tokens and JWKS-issued tokens.

Permission Format

Permissions follow the format <table-name|all>:<action1>,<action2>: 
# Read-only access to all tables
turso db tokens create mydb -p all:data_read

# Specific actions on a specific table
turso db tokens create mydb -p users:data_read,data_update

# Multiple permission rules
turso db tokens create mydb \
  -p all:data_read \
  -p comments:data_add,data_update \
  -p posts:data_add,data_update,data_delete
Use all as the table name to apply permissions to every table.

Available Actions

ActionDescription
data_readRead data from tables
data_addInsert new rows
data_updateUpdate existing rows
data_deleteDelete rows
schema_addCreate new tables
schema_updateModify table schemas
schema_deleteDrop tables
data_read is allowed on SQLite system tables (e.g., sqlite_master, sqlite_schema) by default, allowing users to query database metadata.

Role-Based Access Example

You can configure your JWT template to grant different permissions based on user roles:
RolePermissions
Adminall:data_read,data_add,data_update,data_delete,schema_add,schema_update,schema_delete
Moderatorall:data_read,data_update
Userall:data_read
With JWKS, these permissions are embedded in the JWT token based on user metadata (e.g., role, group membership) from your auth provider.