Skip to main content
create_crud_router generates five standard REST endpoints for any SQLModel table class and returns them as a FastAPI APIRouter. The generated router is the entire API layer for the common case — a database table with list, get, create, update, and delete operations. Each generated module’s api.py uses this function, and the module auto-loader registers the router with the FastAPI application automatically.

Generated endpoints

The URL prefix defaults to /<tablename> based on the model’s __tablename__ attribute.

List endpoint

Query parameters

Column filters

Any query parameter whose name matches a column name on the model is applied as an exact equality filter:
Append __ilike to a column name for a case-insensitive contains match:
Parameters whose names begin with _ are reserved for pagination and are not interpreted as column filters.

Response headers

List responses include two headers required by the Refine data provider pagination convention: These headers are exposed via CORS (expose_headers in the middleware configuration) so the frontend can read them cross-origin.

Example list response

Every record in list and get responses includes a _label field — a human-readable string computed by the model’s build_model_str_label method. The frontend uses this for relation selectors and breadcrumbs.

Authentication

When auth_enabled is True (the default), all generated endpoints require a valid JWT Bearer token in the Authorization header. Unauthenticated requests receive a 401 response. Requests with a valid token but insufficient role permissions receive 403.
Disable auth enforcement for development by setting VELOIQ_AUTH_DISABLED=1.

Access control integration

The CRUD router integrates with all three access control layers automatically:
  • Layer 1 (global roles): The RBAC middleware checks whether the user’s roles permit the HTTP method before the endpoint handler runs. Unauthorized methods return 403.
  • Layer 2 (model-level): @model_access exceptions are enforced per-model. A Viewer that has read-only global permissions and is further restricted on a specific model via @model_access will receive 403 on forbidden actions.
  • Layer 3 (field-level): veloiq_field(read_roles=…, write_roles=…) restrictions are applied at runtime. Read-restricted fields are silently omitted from responses; write-restricted fields are silently dropped from create/update payloads.
  • ReBAC (row-level): If the model carries a @rebac decorator, the list query and single-record fetch both apply the row-level filter. Inaccessible rows return 404.

Usage

You can add custom endpoints to the generated router without editing api.py. Import router from api.py in your custom_api.py:
The framework loader imports both api.py and custom_api.py automatically. See Custom Endpoints for the full guide.

Python API

create_crud_router signature, base models, and access control decorators.

Configuration

Configure auth, CORS, and database connection.