After authentication how to change the key or role?

Hi, I’m new to faunadb and started with some simple tutorials. But now I got stuck… I achieved to create a collection with users and authenticate them. I did this with a GUEST key and a GUEST role, that have only rights for the loginFn

  Lambda(["data"], {
    response: Login(
      Match(Index("user_by_email"), Select("eMail", Var("data"))),
      { password: Select("password", Var("data")) }

const faunaClient = new faunadb.Client({
  secret: 'FAUNA_GUEST_KEY',

return await faunaClient
      .query(q.Call(q.Function('login_user'), { eMail, password }))
      .then(({ response }) => {
        console.log(response) // I get a secret

After authentication the user should get more rights, like creating an item in a collection.

I created for that another role “loggedIn”: Then I created a new key “FAUNA_LOOGEDIN_KEY” with the role “loogedIn”. But how can I change the current secret “FAUNA_GUEST_KEY” with the “FAUNA_LOOGEDIN_KEY”? Or is the secret from the response my new key and I don’t need to create a separate “FAUNA_LOOGEDIN_KEY”? But the question is the same how can I update the secret?

And if I need to use the secret from the response how can I link it to the role “loggedIn” or where I have to define an UDF that the role can get applied to that secret?


Hi @gregor and welcome!

Once you issue Login() with the right password for the user, you get back a secret.
You can then use this secret to login as the user.

To grant privileges to users, you have to create a role as documented here.

To access the database as a user, you have to create a new connection with the key returned by the Login() function.

Roles are linked to users (documents) through the membership field in role.

  name: "access_todos",
  membership: [
        resource: Collection("users") 
  privileges: [{
    resource: Collection("todos"),
    actions: {
      create: true,
      delete: true,
      write: true

In the example above, all users (documents) in collection “users” that are authenticated, are granted to create,delete and write on collection todos.

Hope this answer your question.
If you have any doubt, let me know.


Hi thanks for your replay :wink:

With “new connection” do you mean something like this

  return await faunaClient
    .query(q.Call(q.Function('login_user'), { eMail, password }))
    .then(({ secret }) => {
      //reasign new secret 
      faunaClient = new faunadb.Client({
        secret: secret

Where I don’t get my head around is the role thing. How does fauna know that it should apply this role with privileges only to authenticated users and not all users?


I got everything running.

But my question is still, does fauna check the identity for me automatically, if the user, who is bound to the new secret, exists in the collection “users” and if yes the new role gets applied?

And one more question when the new role is applied, do I have to set all privileges again from “public” for “loggedIn”? Because the initial key, which was bound to the role “public”, has been replaced by the new secret(key)?