Remember that "simple" Express server?
We’ve all been there. You just want a user to be able to update their own profile. So you:
- Write an /api/update-profile endpoint.
- Validate the JWT (and pray the library doesn't have a new CVE).
- Fetch the data from the DB.
- Manually check if the user_id from the token matches the owner_id in the DB (because you don't want me changing your profile picture).
- Save it and send a 200 OK.
Congratulations, you just wrote 50 lines of boilerplate that we’ve been writing since 2015. It’s 2026; we should be over this. As a freelancer working with AI, I’ve realized one thing: the best code is the code I don’t have to maintain.
Enter SurrealDB and its "Backend Killer" mode.
The Secret Sauce: Row-Level Security (RLS)
SurrealDB isn't just a bucket for your data; it’s an intelligent layer. Instead of writing logic in Node.js or Python, you define permissions directly in the database schema. It looks like this:
```surql
-- Define the 'post' table
DEFINE TABLE post SCHEMAFULL
  PERMISSIONS
    -- Anyone can see public posts
    FOR select WHERE public = true
    -- Only the author can edit or delete their own posts
    FOR update, delete WHERE author = $auth.id;
```
See that $auth.id? That’s the magic. The database already knows who is logged in. You don't need a custom middleware to check ownership for every single request.
Connecting from the Frontend? (Don't Panic!)
This is the part where senior architects usually have a mini-heart attack: "You want to connect to the DB directly from the browser?! That’s a security nightmare!"
Actually, it’s not. With SurrealDB Scopes, you define exactly how users authenticate (Email/Password, OAuth, etc.). Once they’re in, the database enforces the PERMISSIONS globally.
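Here is what the whole thing looks like once you add the sign-up/sign-in side to the permissions above. This is an added example I wrote for this post, not code from the SurrealDB project. It uses SurrealDB 2.x syntax (DEFINE ACCESS ... TYPE RECORD, which replaced DEFINE SCOPE), and the access, table and field names (account, user, post, avatar, body) are my own choices. It also goes a bit further than the snippet above: it adds a create rule and a READONLY author field so a user cannot file a post under somebody else's id, and it lets authors see their own unpublished posts.

```surql
-- Record-based auth (SurrealDB 2.x; on 1.x this was DEFINE SCOPE).
-- SIGNUP hashes the password with Argon2, SIGNIN verifies it. These two queries run
-- with database-level privileges, so the table PERMISSIONS below do not block them.
DEFINE ACCESS account ON DATABASE TYPE RECORD
  SIGNUP ( CREATE user SET email = $email, pass = crypto::argon2::generate($pass) )
  SIGNIN ( SELECT * FROM user WHERE email = $email AND crypto::argon2::compare(pass, $pass) )
  DURATION FOR TOKEN 15m, FOR SESSION 12h;

-- The profile table from the intro: a signed-in user can read and edit only their own row.
-- Nobody creates users here except SIGNUP, and nobody deletes them from the client at all.
DEFINE TABLE user SCHEMAFULL
  PERMISSIONS
    FOR select, update WHERE id = $auth.id
    FOR create, delete NONE;
DEFINE FIELD email  ON user TYPE string ASSERT string::is::email($value);
DEFINE FIELD pass   ON user TYPE string;
DEFINE FIELD avatar ON user TYPE option<string>;
DEFINE INDEX user_email ON user FIELDS email UNIQUE;

-- Posts: public ones are readable by everyone, drafts only by their author.
-- The create rule is the piece the short snippet leaves out: without it a user could
-- insert a post with someone else's id in 'author'. READONLY means the author can
-- never be rewritten afterwards, so the update rule cannot be used to hand a post over.
DEFINE TABLE post SCHEMAFULL
  PERMISSIONS
    FOR select WHERE public = true OR author = $auth.id
    FOR create, update, delete WHERE author = $auth.id;
DEFINE FIELD author ON post TYPE record<user> READONLY;
DEFINE FIELD public ON post TYPE bool DEFAULT false;
DEFINE FIELD body   ON post TYPE string;
```

The frontend signs in against the `account` access method and then calls the same `db.update('post:1', data)` the rest of this post talks about; if the row isn't theirs, the database simply returns nothing, and no middleware was involved.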
The "Lazy Developer" result:
- Zero CRUD API code: No more writing boring REST or GraphQL wrappers.
- No ORM headaches: No more mapping objects to tables.
- Frontend Power: Your React/Svelte app just calls db.update('post:1', data) and the DB handles the rest.
Why this matters for the AI-heavy stack
I spend a lot of time merging design with functional AI tools. I'm currently building a tool that monitors how much we actually trust AI (ironic, since I probably trust it too much myself).
When you're building AI-driven apps, complexity is your enemy. By offloading the "plumbing" (auth and permissions) to SurrealDB, I have more brainpower left to focus on the AI logic and the UI. It’s about being efficiently lazy.
What’s next?
In the final part of this series, we’ll look at the "Surreal" part of SurrealDB: Mixing Graphs and Documents. I’ll show you how to run a "friends-of-friends" query without your brain melting from SQL JOINs.
Stay tuned, and go delete some unnecessary backend code today!