Authorization on Event writing to an Event stream

We have some requirement in our project to imply a security level when writing to an event stream. Currently we are using TCP via the .NET API and the CQRS method. Our events are getting appended to existing streams, but there are no authorization options available to check for proper authentication before writing any new events. I was wondering whether there is any option I am not aware of to implement security before writing a new event to the Event Store stream. I was looking in the documentation and there is an option via HTTP called “Authorization” while appending new events. It would be great if we could set an authorization option to write events with TCP using the .NET Client API. We are using the method shown in the pictures. If we don’t pass any user credentials, it just treats them as null values by default and appends the events successfully. Is there any way to prevent this scenario?




To prevent anyone from writing events you would want to change the default ACL. Details of this are on What you would want to do is create a user (or use the built-in admin account), and then set the default ACL in the $settings stream metadata for $userStreamAcl, $w to be $admin, or the user you created. You would probably want to set some of the other options to be this new user as well (especially $mw, as this controls who can write the metadata, allowing rewrites of the ACL).

When you are then using the .NET API you would need to provide these credentials to authenticate to allow you to write to the stream.

Hope that helps.
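The procedure described in the answer above, sketched with the EventStore.ClientAPI TCP client. This is an added example, not code posted in the thread; the endpoint, the default `admin`/`changeit` login, the user `order-writer` (assumed to exist already), its password, and the stream and event names are all assumptions.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using EventStore.ClientAPI;
using EventStore.ClientAPI.Exceptions;
using EventStore.ClientAPI.SystemData;

class DefaultAclExample
{
    static async Task Main()
    {
        // Assumed values: local node, default admin login, and a hypothetical
        // user "order-writer" that was created beforehand.
        var admin = new UserCredentials("admin", "changeit");
        var writer = new UserCredentials("order-writer", "constructed-password");

        using (var conn = EventStoreConnection.Create(new Uri("tcp://localhost:1113")))
        {
            await conn.ConnectAsync();

            // Default ACL for user streams: anyone may read, only order-writer
            // may write, delete, or read/write stream metadata ($w, $d, $mr, $mw).
            var userAcl = new StreamAcl("$all", "order-writer", "order-writer",
                                        "order-writer", "order-writer");
            // Stores the default ACL in $settings; system stream ACL left unchanged.
            await conn.SetSystemSettingsAsync(new SystemSettings(userAcl, null), admin);

            var evt = new EventData(Guid.NewGuid(), "order-placed", true,
                                    Encoding.UTF8.GetBytes("{\"orderId\":1}"), null);

            try
            {
                // No credentials: this is the call that used to succeed.
                await conn.AppendToStreamAsync("orders-1", ExpectedVersion.Any, evt);
                Console.WriteLine("Anonymous write succeeded: default ACL is not in effect.");
            }
            catch (AccessDeniedException)
            {
                Console.WriteLine("Anonymous write rejected, as intended.");
            }

            // Same write with the permitted user's credentials.
            await conn.AppendToStreamAsync("orders-1", ExpectedVersion.Any, writer, evt);
            Console.WriteLine("Authenticated write accepted.");
        }
    }
}
```

A stream that carries its own ACL in its metadata overrides this default, so existing streams with explicit ACLs need to be checked separately.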


Thanks Jon for the great explanation. I have tried to get the $settings stream in my event store, but I found out that it does not exist. After some research and based on other posts on the Event Store Google group, I understand that if it does not exist I would need to create it manually. As some posts suggest, I tried to create it myself, but I am having some issues with it and not getting it created the way I am expecting it to. Here I am attaching both the files by which I tried to create the $settings stream. I am also attaching a picture of my command prompt output using CURL to write an event to Event Store. I got it created successfully once, but it was not displaying any metadata when I tried to access it, so I hard deleted it and am trying to create it again, but it always gives me an “HTTP/1.1 410 Stream deleted” message on CMD.




$settings.json (408 Bytes)

$setting1.json (321 Bytes)

If you hard deleted it you can never get it back :( (this is why soft
delete is the default). Well you can get it back but it's not exactly