← Reference

Reference

Generated interfaces fail closed

Generated routes require an authenticated principal unless public access is explicitly declared, and field policy is applied before data leaves or enters the application.

Authentication is the default

When api.public is not set, generated reads and writes require a resolved principal. Use public: "read" to open only reads or public: true when every generated action is intentionally public.

Invoice.ts
typescript
@smrt({
  api: { include: ['list', 'get', 'create', 'update'] }
})
class Invoice extends SmrtObject {
  amount = 0;
}

// No api.public declaration: generated routes require authentication.

Sensitive fields close both read paths

A sensitive field is removed from public serialization and rejected in collection filters. Both protections matter: hiding output alone would still allow a caller to probe a secret value through repeated where clauses.

Write policy blocks mass assignment

Generated create and update handlers strip read-only fields, IDs, timestamps, tenant IDs, underscore-prefixed keys, and anything outside an optional writable allowlist before the model sees the request body.

Application code still owns its boundary

Generated routes enforce these defaults. Custom actions, jobs, direct collection calls, external callbacks, and product-specific threat models still need deliberate principal, tenant, permission, and input checks.