website/src/content/docs/actors/access-control.mdx
Use access control to decide what authenticated clients are allowed to do.
This is authorization, not authentication:
RivetKit authorization is explicit per surface:
onBeforeConnect rejects unauthenticated or malformed connections.actions.*) enforce action permissions.queues.<name>.canPublish allows or denies inbound queue publishes.events.<name>.canSubscribe allows or denies event subscriptions.Use deny-by-default rules everywhere:
onBeforeConnect strict and reject invalid credentials.forbidden otherwise.canPublish and canSubscribe, return true only for allowed roles and end with return false.canPublish and canSubscribe must return a boolean:
true: allowfalse: deny with forbiddenReturning undefined, null, or any non-boolean throws an internal error.
canPublish only applies to queue names defined in queues.canSubscribe only applies to event names defined in events.events still publishes to subscribers.