Security model

This section describes Fauna authentication and access control security features.

The Fauna security design makes it easy to query your databases from any network-connected context, including a web browser.

Connections to the database are secured using HTTPS. Authentication and access control are implemented using HTTP bearer tokens in the request header for each query.

The Fauna access control logic uses attribute-based access control (ABAC) roles or the key-based permission system.

If a resource is a member of an ABAC role, the ABAC role specifies all privileges for that resource. Otherwise, the key-based permission system determines if read/write/execute privileges are enabled.

What you’ll find here


Built-in and user-defined roles provide a way to allow database access to membership groups with different access permissions.


Keys are typically used by database owners or administrators to manage database structure and contents with few restrictions and by background tasks that automate various database procedures at regular intervals.


An identity or token typically represents a user but can also be used to identify any service, system, or process that needs to run queries with given privileges.


A credential document is part of the Fauna identity-based access control and is used to store a cryptographic hash of a password that can be used to authenticate an identity stored in Fauna.

ABAC privileges and membership

Attribute-based access control is a flexible, fine-grained strategy for managing identity-based operations in Fauna. ABAC extends the default authentication and authorization mechanisms.

External identity providers

This section describes the elements, functions, and operations required to use an identity provider (IdP) to authenticate users who can then query Fauna.

Is this article helpful? 

Tell Fauna how the article can be improved:
Visit Fauna's forums or email

Thank you for your feedback!