April 22, 2025

Securely Access Prisma Postgres from the Frontend (Early Access)

Define security rules for Prisma Postgres in TypeScript and securely talk to your database directly from your React, Vue, Svelte, or any other frontend apps. Join our private Early Access program and try it out yourself!

Talking to your database from the frontend

In a typical software architecture, there's an API layer between the client (e.g. a mobile or web app) and the database:

This API layer takes care of several crucial responsibilities, such as:

  • authentication and authorization
  • integration with 3rd party systems (e.g. Stripe, Mailchimp, …)
  • custom business logic (e.g. validation, heavy computations, …)

That being said, there are many use cases where an API layer adds an "unnecessary network hop" because all you really need is the plain data from the database. Skipping that hop can be useful when you're prototyping, building internal tools, or even in production applications where, for a certain part of the app, all you need is a piece of data.

However, exposing your database to a frontend application isn't a good idea because of the security risks that come with it: browsers make their network requests transparent, so a malicious party could figure out your database credentials and use them to gain direct access to your database, a situation you'll want to prevent at all costs!

Introducing: Security rules in Prisma Postgres (Early Access)

We're excited to share that Prisma Postgres now enables frontend applications to securely query data without exposing any secrets or opening your database up to malicious attacks.

In case you missed it: Prisma Postgres is the first serverless database without cold starts. It's built on a highly-efficient unikernel architecture, has a simple and intuitive query-based pricing model with a generous free tier, and is super easy to set up and configure! Try it here.

Security rules in Prisma Postgres allow you to:

  • have an authenticated connection to your database
  • define fine-grained permission rules in plain TypeScript

With Prisma Postgres' security rules, you can access your database directly from the frontend in a secure way, ensuring only authorized users get access to your data:

This week, we're opening up a private Early Access (EA) program to test out security rules in Prisma Postgres applications. If you're interested, you can apply to join the private EA program by filling out this form. If you're selected to join the private EA program, we'll reach out to you with docs and usage instructions so that you're well equipped to give us feedback.

How to define and enforce security rules

With the new security rules feature of Prisma Postgres, you can define access permissions in plain TypeScript:

You'll then need to run a deploy command provided by the Prisma CLI to make your rules take effect. The command also returns a public key that you need to pass to your database client instance which comes. This client is called AuthorizedClient and is lightweight, secure and compatible with browser environments so you can access your database from the frontend.

For database access, you need to instantiate AuthorizedClient which enables authorized database access according to the defined permission rules in the browser:

This instance of AuthorizedClient is akin to PrismaClient and exposes the same queries you're already familiar with:

Join the private Early Access program

If that made you curious and you're looking for a way to talk to your database directly from your frontend applications in a convenient and type-safe way, apply now to join:


Apply for Early Access

We'll reach out to all applicants by the end of the week. If you're selected, you'll receive access to usage documentation and a reference example to start using security rules in your own apps. We're aiming for a close collaboration with Early Access testers and are looking forward to your input. Your feedback will be crucial to help shape what security rules are going to look like when they are released in General Availability.

If you have any questions, ping us on X or join our Discord.
