Auth and access rules, built in.
Magic-link email, 25+ OAuth providers, generic OIDC for any IdP, guest sessions, and API keys — all built in. Then gate every row with policy expressions that live next to your schema and run in the hot path.

    import { policy } from "@pylonsync/sdk";

    const messagePolicy = policy({
      name: "message_access",
      entity: "Message",
      allowRead: "true",
      allowInsert: "auth.userId != null and data.authorId == auth.userId",
      allowUpdate: "false",
      allowDelete: "data.authorId == auth.userId",
    });

- Magic-link, Google / GitHub / Apple / Microsoft / Discord / Slack and 20+ more
- Generic OIDC discovery for any enterprise IdP; SAML SSO on Cloud
- Guest sessions and API keys for public apps and machine clients
- Row-level policies compiled to bytecode — evaluated on every read and write
Every provider, one config
Turn on magic-link and a wall of OAuth providers from the same auth() block. Generic OIDC discovery means any IdP that publishes a discovery document works without a bespoke integration. Guest sessions let anonymous users interact before they sign up; API keys authenticate scripts and machine clients.
Policies that can't be bypassed
Access rules are string expressions — auth.userId == data.authorId, auth.tenantId == data.orgId — declared next to the entity they protect. They're enforced on the hot path of every read and write, including sync subscriptions, so a client can never see or change a row it isn't allowed to. The policy linter flags entities with no policy at dev startup; unguarded entities are default-denied.
Multi-tenant without the footguns
Sessions carry an active tenant. Scope reads with auth.tenantId == data.orgId and the engine filters every subscription, list route, and export by tenant automatically — the cross-tenant leaks that bite hand-rolled row-level security are closed by construction.
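A small JavaScript model of the behaviour described in the two sections above: policy expressions, default deny for entities with no policy, and tenant filtering of list results. It is an added example, not Pylon's code; the evaluator, its null-comparison semantics, the Document entity, and the sample rows are assumptions made for illustration.

```javascript
// Toy evaluator, constructed for illustration; it is not Pylon's policy engine.
// Assumed grammar: "true", "false", or "<path> ==|!= <path|null>" clauses joined by " and ".
function resolve(term, ctx) {
  if (term === "null") return null;
  // Walk dotted paths such as auth.tenantId; anything missing resolves to null.
  return term.split(".").reduce((v, k) => (v == null ? null : v[k] ?? null), ctx);
}

function evaluate(expr, ctx) {
  if (expr === "true") return true;
  if (expr === "false") return false;
  return expr.split(" and ").every((clause) => {
    const m = clause.trim().match(/^(\S+)\s*(==|!=)\s*(\S+)$/);
    if (!m) return false; // unparseable clause: fail closed
    const equal = resolve(m[1], ctx) === resolve(m[3], ctx);
    return m[2] === "==" ? equal : !equal;
  });
}

// Hypothetical "Document" entity. The null checks keep a session with no user
// or tenant from matching rows whose orgId/authorId are also null.
const policies = {
  Document: {
    allowRead: "auth.tenantId != null and auth.tenantId == data.orgId",
    allowInsert: "auth.userId != null and auth.tenantId == data.orgId and data.authorId == auth.userId",
    allowUpdate: "false",
    allowDelete: "auth.userId != null and auth.tenantId == data.orgId and data.authorId == auth.userId",
  },
};

function allowed(entity, op, auth, data) {
  const rule = policies[entity]?.[op];
  if (rule === undefined) return false; // no policy declared: default deny
  return evaluate(rule, { auth, data });
}

// List results pass through the same read rule, row by row.
function visibleRows(entity, auth, rows) {
  return rows.filter((row) => allowed(entity, "allowRead", auth, row));
}

// Constructed sample data.
const rows = [
  { id: 1, orgId: "acme", authorId: "u1" },
  { id: 2, orgId: "globex", authorId: "u9" },
];
const alice = { userId: "u1", tenantId: "acme" };
const guest = { userId: null, tenantId: null };
console.log(visibleRows("Document", alice, rows));
```

The insert rule binds data.orgId to the session tenant as well as the author, so a signed-in user cannot write a row into another tenant even though reads are already scoped.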
Build it on Pylon.
One framework for your schema, sync, auth, functions, realtime, and SSR. Free to start.