GET /api/v1/admin/rls
Check RLS status on all tenant-scoped tables. Returns which tables have RLS enabled, forced, and which have the tenant_isolation policy.
Response
```json
{
  "summary": {
    "totalTables": 28,
    "rlsEnabled": 28,
    "rlsForced": 28,
    "withPolicy": 28,
    "missingRLS": []
  },
  "tables": [
    {
      "table": "offers",
      "rlsEnabled": true,
      "rlsForced": true,
      "policies": ["tenant_isolation"]
    },
    {
      "table": "interaction_history",
      "rlsEnabled": true,
      "rlsForced": true,
      "policies": ["tenant_isolation"]
    }
  ],
  "timestamp": "2026-03-30T12:00:00.000Z"
}
```
Summary Fields
| Field | Type | Description |
|---|---|---|
| totalTables | integer | Total number of tenant-scoped tables |
| rlsEnabled | integer | Tables with RLS enabled |
| rlsForced | integer | Tables with FORCE RLS (applies even to table owners) |
| withPolicy | integer | Tables with the tenant_isolation policy |
| missingRLS | string[] | Table names missing RLS or the isolation policy |
Roles
admin only
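A check a monitoring job could run over the GET response, shown as an added example rather than the platform's own code: it flags tables without enabled RLS, forced RLS or the tenant_isolation policy, and cross-checks the summary counts. The function name, the constructed sample (including the made-up table audit_events) and the assumption that the tables array lists every tenant-scoped table are assumptions of this example.

```python
import json

REQUIRED_POLICY = "tenant_isolation"

# Constructed sample in the shape of the GET response; "audit_events" is a made-up table.
SAMPLE = json.loads("""
{
  "summary": {"totalTables": 3, "rlsEnabled": 3, "rlsForced": 3,
              "withPolicy": 3, "missingRLS": []},
  "tables": [
    {"table": "offers", "rlsEnabled": true, "rlsForced": true,
     "policies": ["tenant_isolation"]},
    {"table": "interaction_history", "rlsEnabled": true, "rlsForced": false,
     "policies": ["tenant_isolation"]},
    {"table": "audit_events", "rlsEnabled": true, "rlsForced": true,
     "policies": []}
  ]
}
""")


def audit_rls_report(report):
    """Return a sorted list of (table, problem) findings; empty means fully covered."""
    findings = set()
    derived = {"rlsEnabled": 0, "rlsForced": 0, "withPolicy": 0}
    for entry in report.get("tables", []):
        name = entry["table"]
        checks = [("rlsEnabled", entry.get("rlsEnabled") is True, "RLS not enabled"),
                  ("rlsForced", entry.get("rlsForced") is True, "RLS not forced"),
                  ("withPolicy", REQUIRED_POLICY in entry.get("policies", []),
                   f"{REQUIRED_POLICY} policy missing")]
        for field, ok, problem in checks:
            if ok:
                derived[field] += 1
            else:
                findings.add((name, problem))
    summary = report.get("summary", {})
    for name in summary.get("missingRLS", []):
        findings.add((name, "listed in missingRLS"))
    # Assumption: "tables" lists every tenant-scoped table, so counts must agree.
    derived["totalTables"] = len(report.get("tables", []))
    for field, value in derived.items():
        if summary.get(field) != value:
            findings.add(("<summary>", f"{field}={summary.get(field)} but tables show {value}"))
    return sorted(findings)
```

Calling `audit_rls_report(SAMPLE)` reports the unforced table, the table without the policy, and the two summary counts that disagree with the per-table data.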
POST /api/v1/admin/rls
Enable RLS on all tenant-scoped tables. This is idempotent and safe to call multiple times. For each table, it:
- Enables RLS (`ALTER TABLE ... ENABLE ROW LEVEL SECURITY`)
- Forces RLS for table owners (`ALTER TABLE ... FORCE ROW LEVEL SECURITY`)
- Creates a `tenant_isolation` policy (`CREATE POLICY ... USING ("tenantId" = current_setting('app.tenant_id'))`)
Response
```json
{
  "success": true,
  "enabled": ["offers", "interaction_history", "decision_traces"],
  "failed": [],
  "totalTables": 28,
  "timestamp": "2026-03-30T12:00:00.000Z"
}
```
Response Fields
| Field | Type | Description |
|---|---|---|
| success | boolean | true if no tables failed |
| enabled | string[] | Tables where RLS was successfully enabled |
| failed | string[] | Tables where RLS enablement failed |
| totalTables | integer | Total number of tenant-scoped tables |
An audit log entry is created for the operation.
Roles
admin only
RLS enforcement depends on the PostgreSQL session variable app.tenant_id being set correctly for each connection. The platform’s Prisma client handles this automatically, but direct database connections must set this variable manually.
See also: Admin | Security