PocketBase Best Practices
42 rules across 8 categories for PocketBase v0.36+, prioritized by impact.
When to Apply
- Designing collections and schema structures
- Implementing API rules for access control
- Setting up authentication (password, OAuth2, MFA)
- Using the PocketBase JavaScript SDK
- Optimizing queries with filtering, sorting, and expansion
- Implementing realtime subscriptions
- Handling file uploads and storage
- Deploying PocketBase to production
Categories by Priority
| Priority | Category | Impact | Rules |
|---|---|---|---|
| 1 | Collection Design | CRITICAL | coll-field-types, coll-auth-vs-base, coll-relations, coll-indexes, coll-view-collections, coll-geopoint |
| 2 | API Rules & Security | CRITICAL | rules-basics, rules-filter-syntax, rules-request-context, rules-cross-collection, rules-locked-vs-open |
| 3 | Authentication | CRITICAL | auth-password, auth-oauth2, auth-token-management, auth-mfa, auth-impersonation |
| 4 | SDK Usage | HIGH | sdk-initialization, sdk-auth-store, sdk-error-handling, sdk-auto-cancellation, sdk-filter-binding, sdk-field-modifiers, sdk-send-hooks |
| 5 | Query Performance | HIGH | query-pagination, query-expand, query-field-selection, query-batch-operations, query-n-plus-one, query-first-item, query-back-relations |
| 6 | Realtime | MEDIUM | realtime-subscribe, realtime-events, realtime-auth, realtime-reconnection |
| 7 | File Handling | MEDIUM | file-upload, file-serving, file-validation |
| 8 | Production & Deployment | MEDIUM | deploy-backup, deploy-configuration, deploy-reverse-proxy, deploy-sqlite-considerations, deploy-rate-limiting |
Quick Reference
Collection Design (CRITICAL)
- coll-field-types: Use appropriate field types (json for objects, select for enums)
- coll-auth-vs-base: Extend auth collection for users, base for non-auth data
- coll-relations: Use relation fields, not manual ID strings
- coll-indexes: Create indexes on frequently filtered/sorted fields
- coll-view-collections: Use views for complex aggregations
- coll-geopoint: Store coordinates in the native geoPoint field (lon/lat), not a json field, so geoDistance() can be used in filters
API Rules (CRITICAL)
- rules-basics: Always set API rules explicitly; a rule left at its default (null, shown as Locked) is superuser-only, while an empty rule ("") grants public access to anyone
- rules-filter-syntax: Use @request.auth, @collection, @now in rules
- rules-request-context: Access request data via @request.body, @request.query
- rules-cross-collection: Use @collection.name.field for cross-collection checks
- rules-locked-vs-open: Start locked, open selectively
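The rule set below is an added illustration (not from the PocketBase project or from AGENTS.md) of what the five rules above look like on one collection. It assumes a base collection `posts` with fields `author` (relation to `users`), `title` and `published` (bool), and a second collection `audit_logs` that should stay superuser-only. The values are the strings one would enter in the Admin UI rule fields: `null` is the Locked default, `""` would be fully public, and every other value is a filter expression evaluated against the record.

```json
[
  {
    "collection": "posts",
    "listRule":   "published = true || author = @request.auth.id",
    "viewRule":   "published = true || author = @request.auth.id",
    "createRule": "@request.auth.id != \"\" && @request.body.author = @request.auth.id",
    "updateRule": "author = @request.auth.id && @request.body.author:isset = false",
    "deleteRule": "author = @request.auth.id"
  },
  {
    "collection": "audit_logs",
    "listRule": null,
    "viewRule": null,
    "createRule": null,
    "updateRule": null,
    "deleteRule": null
  }
]
```

The createRule binds ownership at write time (`@request.body.author` must equal the caller), and the updateRule uses the `:isset` modifier to reject any attempt to reassign `author` later; without that second clause an owner could hand a post to another account. Unauthenticated callers still see published posts because `@request.auth.id` is an empty string for them and the `published = true` branch matches on its own.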
Authentication (CRITICAL)
- auth-password: Use authWithPassword for email/password login
- auth-oauth2: Configure OAuth2 providers via Admin UI
- auth-token-management: Store tokens securely, refresh before expiry
- auth-mfa: Enable MFA for sensitive applications
- auth-impersonation: Use superuser impersonation (impersonate()) to act on behalf of a user instead of handling the user's own token
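Added example for the auth-token-management rule (not PocketBase's or the SDK's own code): the auth token is a JWT whose `exp` claim tells the client when to call `authRefresh()`. The helpers below decode only the payload, never verify the signature (the server does that on every request), and add a safety margin so that a request started just before expiry does not fail with a 401. The sample token is constructed in the block and unsigned; `makeSampleToken` exists only for the demo.

```javascript
// Decode the payload segment of a JWT (base64url, unpadded). Returns null on
// anything malformed instead of throwing, so callers can treat it as "expired".
function decodeJwtPayload(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  try {
    return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// Seconds until the token expires: negative if already expired, 0 if the
// token is unreadable or carries no numeric exp claim.
function secondsUntilExpiry(token, nowSeconds) {
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== "number") return 0;
  return payload.exp - nowSeconds;
}

// Refresh once the remaining lifetime is inside the margin. The margin absorbs
// clock skew between client and server and requests already in flight.
function shouldRefresh(token, nowSeconds, marginSeconds = 300) {
  return secondsUntilExpiry(token, nowSeconds) <= marginSeconds;
}

// Constructed, unsigned token for the demo only (header.payload.signature).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.sig`;
}

// Typical use: before a batch of requests, or on a timer, do
//   if (shouldRefresh(pb.authStore.token, Date.now() / 1000)) {
//     await pb.collection("users").authRefresh();
//   }
```

The SDK's own `pb.authStore.isValid` already performs a plain expiry check on the stored token; the value of the margin version is that it triggers the refresh while the old token is still accepted, so the refresh call itself cannot be rejected. Treat a refresh failure (for example a 401 because the user was disabled) as a sign-out, not as something to retry.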
SDK Usage (HIGH)
- sdk-initialization: Initialize client once, reuse instance
- sdk-auth-store: Use AsyncAuthStore for React Native/SSR
- sdk-error-handling: Catch ClientResponseError, check status codes
- sdk-auto-cancellation: Disable auto-cancel (per request with requestKey: null, or globally with pb.autoCancellation(false)) for concurrent requests that must all complete
- sdk-filter-binding: Use filter binding (pb.filter with {:param} placeholders) to prevent filter injection
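Added example for the sdk-filter-binding rule. `bindFilter` is a local re-implementation of the idea behind the JS SDK's `pb.filter()` (quote and escape strings, emit numbers and booleans bare, format dates, JSON-encode objects), written here so the block runs without the SDK installed; it is not the SDK's source and in real code `pb.filter()` should be used. The attacker input and the `posts` fields are constructed for the demo.

```javascript
// Local stand-in for pb.filter(): substitute {:name} placeholders with
// properly quoted literals so user input can never change the expression.
function bindFilter(raw, params = {}) {
  let out = raw;
  for (const [key, value] of Object.entries(params)) {
    let literal;
    if (value === null) {
      literal = "null";
    } else if (typeof value === "number" || typeof value === "boolean") {
      literal = String(value);
    } else if (value instanceof Date) {
      literal = "'" + value.toISOString().replace("T", " ") + "'";
    } else if (typeof value === "string") {
      literal = "'" + value.replace(/'/g, "\\'") + "'";
    } else {
      literal = "'" + JSON.stringify(value).replace(/'/g, "\\'") + "'";
    }
    out = out.split("{:" + key + "}").join(literal);
  }
  return out;
}

// Anti-pattern: user input interpolated straight into the filter string.
// A value containing a quote terminates the literal and the rest is parsed
// as filter syntax, here turning "find one title" into "match every record".
function unsafeTitleFilter(userInput) {
  return `title = "${userInput}"`;
}

// Correct pattern: placeholders plus a params object. The same input stays
// inside a quoted literal and is compared as data.
function safeTitleFilter(userInput) {
  return bindFilter("title = {:title} && published = {:pub}", {
    title: userInput,
    pub: true,
  });
}

// Constructed attacker input: closes the string and ORs in an always-true clause.
const ATTACK = 'x" || id != "';
```

Note that binding protects the filter grammar, not the rule logic: a bound filter that lets the caller pick which field to compare (`{:field} = {:value}`) is still wrong, because placeholders substitute values only. Field names and sort keys must come from an allow-list in application code.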
Query Performance (HIGH)
- query-expand: Expand relations to avoid N+1 queries
- query-field-selection: Select only needed fields
- query-pagination: Use keyset (cursor-style) pagination with a stable sort and skipTotal: true for large datasets; page/offset paging slows down with depth and shifts when records are inserted between fetches
- query-batch-operations: Batch creates/updates when possible
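Added example for the query-pagination rule (not PocketBase's own code). PocketBase's list endpoint is page/perPage based, so a cursor walk is built on top of it: sort by `-created,-id` (the id tie-breaker makes the order total) and filter for rows strictly after the last record seen. `nextPageQuery` returns the `sort`, `filter` and `params` you would pass to `getList()` via `pb.filter()`; `fakeList` is a local, in-memory stand-in for the server, and the records and `NEW_RECORD` are constructed so the block can show why offset paging duplicates a row when something is inserted between two fetches while the keyset walk does not.

```javascript
const PAGE_SIZE = 2;

// Newest first, id as tie-breaker, so the order is total and the cursor is unambiguous.
const SORT = "-created,-id";

// Query for the page after `last` (feed `filter` and `params` through pb.filter()).
function nextPageQuery(last) {
  if (!last) return { sort: SORT, filter: "", params: {}, skipTotal: true };
  return {
    sort: SORT,
    filter: "(created < {:c} || (created = {:c} && id < {:id}))",
    params: { c: last.created, id: last.id },
    skipTotal: true,
  };
}

// Local stand-in for the server: apply SORT and the keyset predicate, then page.
function cmp(a, b) {
  if (a.created !== b.created) return a.created < b.created ? 1 : -1;
  return a.id < b.id ? 1 : a.id > b.id ? -1 : 0;
}
function fakeList(records, { filter, params }, page = 1) {
  const rows = records
    .filter((r) => !filter || r.created < params.c || (r.created === params.c && r.id < params.id))
    .sort(cmp);
  return rows.slice((page - 1) * PAGE_SIZE, page * PAGE_SIZE);
}

// Walk the whole collection with a cursor; optionally insert a record after page one.
function walkKeyset(records, insertAfterFirstPage) {
  const seen = [];
  let last = null;
  for (;;) {
    const items = fakeList(records, nextPageQuery(last));
    if (items.length === 0) break;
    seen.push(...items.map((r) => r.id));
    last = items[items.length - 1];
    if (insertAfterFirstPage && seen.length === PAGE_SIZE) records.push(insertAfterFirstPage);
  }
  return seen;
}

// Same walk with page numbers: the insert shifts every later offset by one.
function walkOffset(records, insertAfterFirstPage) {
  const seen = [];
  for (let page = 1; ; page++) {
    const items = fakeList(records, { filter: "", params: {} }, page);
    if (items.length === 0) break;
    seen.push(...items.map((r) => r.id));
    if (insertAfterFirstPage && page === 1) records.push(insertAfterFirstPage);
  }
  return seen;
}

// Constructed sample data in the string format PocketBase returns for datetimes.
function sampleRecords() {
  return [
    { id: "r1", created: "2024-01-01 00:00:00.000Z" },
    { id: "r2", created: "2024-01-02 00:00:00.000Z" },
    { id: "r3", created: "2024-01-03 00:00:00.000Z" },
    { id: "r4", created: "2024-01-04 00:00:00.000Z" },
  ];
}
const NEW_RECORD = { id: "r5", created: "2024-01-05 00:00:00.000Z" };
```

With the insert, the offset walk yields `r3` twice; the keyset walk never repeats or skips a row, and the new record is simply newer than the cursor and will be picked up by the next fresh walk. `skipTotal: true` also spares the server the `COUNT(*)` it would otherwise run for every page.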
Realtime (MEDIUM)
- realtime-subscribe: Subscribe to specific records or collections
- realtime-events: Handle create, update, delete events separately
- realtime-auth: Realtime respects API rules automatically; an event is delivered only if the subscriber's current auth state passes the collection's View rule
- realtime-reconnection: Implement reconnection logic
File Handling (MEDIUM)
- file-upload: Use FormData for uploads, set proper content types
- file-serving: Use pb.files.getURL() for file URLs
- file-validation: Validate file types and sizes server-side with the file field's MIME type and max size options; client-side checks are advisory only
Deployment (MEDIUM)
- deploy-backup: Schedule regular backups of pb_data (the built-in Backups settings support a cron schedule and S3 upload); do not copy the live SQLite files while the server is running
- deploy-configuration: Use environment variables for config
- deploy-reverse-proxy: Put behind nginx/caddy in production
- deploy-sqlite-considerations: Optimize SQLite for production workloads
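An added nginx server block for the deploy-reverse-proxy rule (example configuration, not taken from the PocketBase project). It assumes PocketBase listens on 127.0.0.1:8090, that TLS terminates at nginx, and that the hostname and certificate paths are placeholders to replace.

```nginx
server {
    listen 443 ssl;
    server_name pb.example.com;                          # assumed hostname
    ssl_certificate     /etc/ssl/pb.example.com.pem;     # assumed paths
    ssl_certificate_key /etc/ssl/pb.example.com.key;

    client_max_body_size 20M;   # upload cap in front of PocketBase's own field limits

    location / {
        proxy_pass http://127.0.0.1:8090;
        proxy_http_version 1.1;
        proxy_set_header Connection "";          # keep-alive to the upstream

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Realtime uses server-sent events: never buffer the stream and allow long idle reads.
        proxy_buffering off;
        proxy_read_timeout 360s;
    }
}
```

Once a proxy sits in front, every request reaches PocketBase from 127.0.0.1, so rate limiting and auth logs see one client unless PocketBase is told which proxy header to trust; set that in the Application settings of the dashboard (the trusted proxy header option) to match the header nginx sets above, and only trust it when nothing can reach port 8090 directly.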
Detailed Rules
For complete rule documentation with code examples, see AGENTS.md.