---
lang: en
title: 'API docs: security'
keywords: LoopBack 4.0, LoopBack 4, Node.js, TypeScript, OpenAPI
sidebar: lb4_sidebar
editurl: https://github.com/loopbackio/loopback-next/tree/master/packages/security
permalink: /doc/en/lb4/apidocs.security.html
---

<!-- Do not edit this file. It is automatically generated by API Documenter. -->


## security package

Common types/interfaces for LoopBack 4 security including authentication and authorization.

## Remarks

- Subject
  - It's the "who" for security
  - Contains a set of Principals, a set of Credentials, and a set of Permissions
- Principal
  - Represents a user, an application, or a device
- Credential
  - Security attributes used to authenticate the subject. Such credentials include passwords, Kerberos tickets, and public key certificates.
- Permission
  - It's the "what" for security

## Classes

<table><thead><tr><th>

Class


</th><th>

Description


</th></tr></thead>
<tbody><tr><td markdown="1">

[DefaultSubject](./security.defaultsubject.md)


</td><td markdown="1">

Default implementation of `Subject`


</td></tr>
<tr><td markdown="1">

[Permission](./security.permission.md)


</td><td markdown="1">

`Permission` defines an action/access against a protected resource. It's the `what` for security.

There are three levels of permissions:

- Resource level (Order, User)
- Instance level (Order-0001, User-1001)
- Property level (User-0001.email)


</td></tr>
<tr><td markdown="1">

[TypedPrincipal](./security.typedprincipal.md)


</td><td markdown="1">


</td></tr>
</tbody></table>

## Interfaces

<table><thead><tr><th>

Interface


</th><th>

Description


</th></tr></thead>
<tbody><tr><td markdown="1">

[ClientApplication](./security.clientapplication.md)


</td><td markdown="1">


</td></tr>
<tr><td markdown="1">

[Credential](./security.credential.md)


</td><td markdown="1">

Security attributes used to authenticate the subject. Such credentials include passwords, Kerberos tickets, and public key certificates.


</td></tr>
<tr><td markdown="1">

[Organization](./security.organization.md)


</td><td markdown="1">


</td></tr>
<tr><td markdown="1">

[Principal](./security.principal.md)


</td><td markdown="1">

Represents a user, an application, or a device


</td></tr>
<tr><td markdown="1">

[Role](./security.role.md)


</td><td markdown="1">


</td></tr>
<tr><td markdown="1">

[Scope](./security.scope.md)


</td><td markdown="1">

OAuth 2.0 scope


</td></tr>
<tr><td markdown="1">

[Subject](./security.subject.md)


</td><td markdown="1">

`Subject` represents both security state and operations for a single request. It's the `who` for security.

Such operations include:

- authentication (login)
- authorization (access control)
- session access
- logout


</td></tr>
<tr><td markdown="1">

[Team](./security.team.md)


</td><td markdown="1">


</td></tr>
<tr><td markdown="1">

[UserProfile](./security.userprofile.md)


</td><td markdown="1">

The minimum set of attributes that describe a user.


</td></tr>
</tbody></table>

## Namespaces

<table><thead><tr><th>

Namespace


</th><th>

Description


</th></tr></thead>
<tbody><tr><td markdown="1">

[SecurityBindings](./security.securitybindings.md)


</td><td markdown="1">

Binding keys for security related metadata


</td></tr>
</tbody></table>

## Variables

<table><thead><tr><th>

Variable


</th><th>

Description


</th></tr></thead>
<tbody><tr><td markdown="1">

[securityId](./security.securityid.md)


</td><td markdown="1">

A symbol for stringified id of security related objects


</td></tr>
</tbody></table>


