---
title: Row-Level Security with Neon
subtitle: How Neon features use Postgres Row-Level Security
summary: >-
  Covers the implementation of Row-Level Security (RLS) in Neon, detailing how
  to secure data access through RLS policies when using the Data API and
  Drizzle ORM.
enableTableOfContents: true
updatedOn: '2026-02-06T22:07:33.048Z'
---

How the Data API uses Row-Level Security

Row-Level Security (RLS) is a Postgres feature that controls access to individual rows in a table based on the current user. Here's a simple example that limits the `notes` a user can see to rows whose `user_id` matches the session's `auth.user_id()`:

```sql
-- Enable RLS on a table
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;

-- Create a policy that only allows users to access their own notes
CREATE POLICY "users_can_only_access_own_notes" ON notes
  FOR ALL USING (auth.user_id() = user_id);
```

When using the Data API for client-side querying, RLS policies are required to secure your data.

## Data API with RLS

The **Data API** turns your database tables on a given branch into a REST API, and it requires RLS policies on all tables to ensure your data is secure.

### How it works

- The Data API handles JWT validation and provides the `auth.user_id()` function.
- Your RLS policies use `auth.user_id()` to control access.
- All tables accessed via the Data API must have RLS enabled.

Get started

Building a note-taking app

## RLS with Drizzle ORM

Drizzle makes it simple to write RLS policies that work with the Data API. We highly recommend using its `crudPolicy` helper to simplify common RLS patterns.

Simplify RLS with Drizzle

## Postgres RLS Tutorial

To learn the fundamentals of Row-Level Security in Postgres, including detailed concepts and examples, see the Postgres tutorial:

Postgres RLS Tutorial
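
To check the requirement stated under "How it works" that every table reached through the Data API has RLS enabled, the catalog queries below list tables with RLS disabled or with no policies, then show what each policy on `notes` enforces. This is an added example, not part of the Neon documentation; it assumes the application tables live in the `public` schema.

```sql
-- Added example: audit RLS coverage using standard Postgres catalogs.
-- Assumption: tables exposed to clients are in the "public" schema.
SELECT
    n.nspname              AS schema_name,
    c.relname              AS table_name,
    c.relrowsecurity       AS rls_enabled,
    -- Table owners bypass RLS unless FORCE ROW LEVEL SECURITY is set;
    -- superusers and roles with BYPASSRLS always bypass it.
    c.relforcerowsecurity  AS rls_forced,
    count(p.policyname)    AS policy_count,
    CASE
        WHEN NOT c.relrowsecurity
            THEN 'RLS disabled: any role with table privileges sees every row'
        WHEN count(p.policyname) = 0
            THEN 'RLS enabled, no policies: non-owner roles are denied all rows'
        ELSE 'ok'
    END                    AS finding
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policies p
       ON p.schemaname = n.nspname
      AND p.tablename  = c.relname
WHERE c.relkind IN ('r', 'p')   -- ordinary and partitioned tables
  AND n.nspname = 'public'
GROUP BY n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
ORDER BY c.relrowsecurity, c.relname;   -- tables without RLS sort first

-- Inspect what each policy on the page's "notes" table enforces.
-- For a FOR ALL policy created with only USING, with_check is NULL and
-- Postgres applies the USING expression to written rows as well.
SELECT
    policyname,
    cmd,                    -- ALL, SELECT, INSERT, UPDATE or DELETE
    roles,                  -- roles the policy applies to
    qual       AS using_expr,
    with_check AS with_check_expr
FROM pg_policies
WHERE schemaname = 'public'
  AND tablename  = 'notes'
ORDER BY policyname;
```

Any row whose `finding` is not `ok` should be resolved before the table is queried from client-side code.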