# EdgeSpark platform security

> Learn how EdgeSpark enforces auth, validates runtime SQL, and isolates storage access before your handler code runs in production.

EdgeSpark validates database access, enforces authentication, and isolates storage access before your handler sees the request.

## SQL validation

Only runtime CRUD-style operations are allowed:

| Allowed       | Blocked        |
| ------------- | -------------- |
| `SELECT`      | `CREATE TABLE` |
| `INSERT`      | `ALTER TABLE`  |
| `UPDATE`      | `DROP TABLE`   |
| `DELETE`      | `CREATE INDEX` |
| `REPLACE`     | Other DDL      |
| `WITH` (CTEs) |                |

<Note>
  Schema changes do not happen through runtime SQL. Update `server/src/defs/db_schema.ts`, then use `edgespark db generate` and `edgespark db migrate`.
</Note>
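As an added illustration (not EdgeSpark's own validator), here is a statement-type allow-list check modelled on the table above. It also covers two cases a naive first-keyword check misses: stacked statements after a `;` and a leading comment in front of a DDL keyword.

```typescript
// Illustrative allow-list check, written for this page; not EdgeSpark's validator.
const ALLOWED = new Set(["SELECT", "INSERT", "UPDATE", "DELETE", "REPLACE", "WITH"]);

interface SqlCheck { ok: boolean; statements: string[]; rejected?: string }

// Split on ';' outside single-quoted literals, dropping -- and /* */ comments,
// so "SELECT 1; DROP TABLE x" yields two statements and "/* x */ DROP ..." is not hidden.
function splitStatements(sql: string): string[] {
  const out: string[] = [];
  let cur = "";
  let i = 0;
  while (i < sql.length) {
    const c = sql[i];
    const next = sql[i + 1];
    if (c === "'") {                       // string literal; '' is an escaped quote
      let j = i + 1;
      while (j < sql.length) {
        if (sql[j] === "'" && sql[j + 1] === "'") { j += 2; continue; }
        if (sql[j] === "'") break;
        j++;
      }
      cur += sql.slice(i, j + 1);
      i = j + 1;
    } else if (c === "-" && next === "-") {  // line comment
      const nl = sql.indexOf("\n", i);
      i = nl === -1 ? sql.length : nl;
    } else if (c === "/" && next === "*") {  // block comment
      const end = sql.indexOf("*/", i + 2);
      i = end === -1 ? sql.length : end + 2;
    } else if (c === ";") {
      if (cur.trim()) out.push(cur.trim());
      cur = "";
      i++;
    } else { cur += c; i++; }
  }
  if (cur.trim()) out.push(cur.trim());
  return out;
}

// Every statement in the string must start with an allowed keyword; the first
// offending statement is reported. An empty string is rejected too.
function checkRuntimeSql(sql: string): SqlCheck {
  const statements = splitStatements(sql);
  for (const stmt of statements) {
    const keyword = (stmt.match(/^[A-Za-z]+/)?.[0] ?? "").toUpperCase();
    if (!ALLOWED.has(keyword)) return { ok: false, statements, rejected: stmt };
  }
  return { ok: statements.length > 0, statements };
}
```

Note that a keyword allow-list is only the first gate: a `WITH` or `SELECT` statement still reaches the database, so per-project credentials and the storage scoping described below remain the boundary that matters.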

## Authentication enforcement

Before your code runs, EdgeSpark evaluates the route prefix and the session state. On a protected route your handler only runs with a valid `auth.user`; otherwise the request is rejected before your code executes.

See [path-based auth](/concepts/path-based-auth) for the route rules.

## Storage isolation

Storage access is scoped to the current project and the buckets you declared in `server/src/defs/storage_schema.ts`. Projects cannot read each other's files.

For large uploads and downloads, use presigned URLs and review [platform limits](/reference/limits).

## Batch queries

Use `db.batch()` for atomic multi-step operations:

```typescript server/src/index.ts
import { db } from "edgespark";
import { posts, tags } from "@defs";

// Both inserts are applied atomically: if either fails, neither is committed.
await db.batch([
  db.insert(posts).values({ title: "Post 1", authorId: "user_1" }),
  db.insert(tags).values({ postId: 1, name: "news" }),
]);
```

## See also

<Columns cols={2}>
  <Card title="Path-based auth" icon="lock" href="/concepts/path-based-auth">
    How URL path conventions control authentication for every route.
  </Card>

  <Card title="Platform limits" icon="gauge" href="/reference/limits">
    Database, storage, and runtime limits that shape safe app behavior.
  </Card>
</Columns>
