#$secure
#Import
typescript
1import { $secure } from "alepha/security";
#Overview
Restrict to specific issuers (realms).
- User must belong to one of the listed issuers. */ issuers?: string[];
/**
- Required roles. User must have at least one of the listed roles. */ roles?: string[];
/**
- Required permissions. All must be satisfied. */ permissions?: (string | Permission)[];
/**
- Custom guard function. Runs after all other checks.
- Return `false` to deny access. */ guard?: (user: UserAccountToken) => boolean; }
/** Middleware that enforces authentication and authorization.
Resolves the user from the request context, currentUserAtom, or authorization headers.
Throws UnauthorizedError if no user is resolved (authentication failure), ForbiddenError if a resolved user fails the configured checks (authorization failure).
Stores the resolved user in currentUserAtom and request.user for downstream access.
Works across all transports (atom-first resolution):
- `currentUserAtom` — set by `action.run()` fork, MCP transport, pipelines, jobs
- `request.user` — set by previous middleware
- HTTP headers — JWT/API key resolution
typescript
/**
 * Example controller: each action opts in to protection by listing
 * `$secure` in its `use` middleware array.
 */
class OrderController {
  // `$secure()` with no options configures no issuer, role, permission or
  // guard check. NOTE(review): presumably any resolved user is then accepted
  // (authentication only); confirm against the `$secure` implementation.
  getOrders = $action({
    use: [$secure()],
    handler: async ({ query }) => { /* ... */ },
  });

  // Destructive action: on top of requiring a resolved user, the caller must
  // satisfy the "orders:delete" permission.
  deleteOrder = $action({
    use: [$secure({ permissions: ["orders:delete"] })],
    handler: async ({ params }) => { /* ... */ },
  });
}
#Options
| Option | Type | Required | Description |
|---|---|---|---|
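| `issuers` | `string[]` | No | Restrict to specific issuers (realms); the user must belong to one of the listed issuers |
| `roles` | `string[]` | No | Required roles; the user must have at least one of the listed roles |
| `permissions` | `Object` | No | Required permissions; all must be satisfied |
| `guard` | `Object` | No | Custom guard function; runs after all other checks, return `false` to deny access |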