pocketbase-best-practices

⚠Review·Scanned 2/18/2026

Provides PocketBase development and production best practices for schema, auth, SDK use, file handling, and deployment. Contains examples that run shell commands (./pocketbase serve, curl), reference external services (http://127.0.0.1:8090, s3.amazonaws.com, smtp.sendgrid.net), and use env vars like PB_ENCRYPTION_KEY.

by greendesertsnow·v1.1.0·331.3 KB·76 installs

Scanned from main at 49491e4 · Transparency log ↗

$ vett add greendesertsnow/pocketbase-skills/pocketbase-best-practicesReview findings below

PocketBase Best Practices

42 rules across 8 categories for PocketBase v0.36+, prioritized by impact.

Categories by Priority

Priority	Category	Impact	Rules
1	Collection Design	CRITICAL	coll-field-types, coll-auth-vs-base, coll-relations, coll-indexes, coll-view-collections, coll-geopoint
2	API Rules & Security	CRITICAL	rules-basics, rules-filter-syntax, rules-request-context, rules-cross-collection, rules-locked-vs-open
3	Authentication	CRITICAL	auth-password, auth-oauth2, auth-token-management, auth-mfa, auth-impersonation
4	SDK Usage	HIGH	sdk-initialization, sdk-auth-store, sdk-error-handling, sdk-auto-cancellation, sdk-filter-binding, sdk-field-modifiers, sdk-send-hooks
5	Query Performance	HIGH	query-pagination, query-expand, query-field-selection, query-batch-operations, query-n-plus-one, query-first-item, query-back-relations
6	Realtime	MEDIUM	realtime-subscribe, realtime-events, realtime-auth, realtime-reconnection
7	File Handling	MEDIUM	file-upload, file-serving, file-validation
8	Production & Deployment	MEDIUM	deploy-backup, deploy-configuration, deploy-reverse-proxy, deploy-sqlite-considerations, deploy-rate-limiting

Quick Reference

Collection Design (CRITICAL)

coll-field-types: Use appropriate field types (json for objects, select for enums)
coll-auth-vs-base: Extend auth collection for users, base for non-auth data
coll-relations: Use relation fields, not manual ID strings
coll-indexes: Create indexes on frequently filtered/sorted fields
coll-view-collections: Use views for complex aggregations
coll-geopoint: Store coordinates as json field with lat/lng

API Rules (CRITICAL)

rules-basics: Always set API rules; empty = public access
rules-filter-syntax: Use @request.auth, @collection, @now in rules
rules-request-context: Access request data via @request.body, @request.query
rules-cross-collection: Use @collection.name.field for cross-collection checks
rules-locked-vs-open: Start locked, open selectively

Authentication (CRITICAL)

auth-password: Use authWithPassword for email/password login
auth-oauth2: Configure OAuth2 providers via Admin UI
auth-token-management: Store tokens securely, refresh before expiry
auth-mfa: Enable MFA for sensitive applications
auth-impersonation: Use impersonation for admin actions on behalf of users

SDK Usage (HIGH)

sdk-initialization: Initialize client once, reuse instance
sdk-auth-store: Use AsyncAuthStore for React Native/SSR
sdk-error-handling: Catch ClientResponseError, check status codes
sdk-auto-cancellation: Disable auto-cancel for concurrent requests
sdk-filter-binding: Use filter binding to prevent injection

Query Performance (HIGH)

query-expand: Expand relations to avoid N+1 queries
query-field-selection: Select only needed fields
query-pagination: Use cursor pagination for large datasets
query-batch-operations: Batch creates/updates when possible

Realtime (MEDIUM)

realtime-subscribe: Subscribe to specific records or collections
realtime-events: Handle create, update, delete events separately
realtime-auth: Realtime respects API rules automatically
realtime-reconnection: Implement reconnection logic

File Handling (MEDIUM)

file-upload: Use FormData for uploads, set proper content types
file-serving: Use pb.files.getURL() for file URLs
file-validation: Validate file types and sizes server-side

Deployment (MEDIUM)

deploy-backup: Schedule regular backups of pb_data
deploy-configuration: Use environment variables for config
deploy-reverse-proxy: Put behind nginx/caddy in production
deploy-sqlite-considerations: Optimize SQLite for production workloads

Example Prompts

Try these with your AI agent to see the skill in action:

Building a new feature:

"Design a PocketBase schema for an e-commerce app with products, orders, and reviews"
"Implement OAuth2 login with Google and GitHub for my app"
"Build a real-time notification system with PocketBase subscriptions"
"Create a file upload form with image validation and thumbnail previews"

Fixing issues:

"My list query is slow on 100k records -- optimize it"
"I'm getting 403 errors on my batch operations"
"Fix the N+1 query problem in my posts list that loads author data in a loop"
"My realtime subscriptions stop working after a few minutes"

Security review:

"Review my API rules -- users should only access their own data"
"Set up proper access control: admins manage all content, users edit only their own"
"Are my authentication cookies configured securely for SSR?"
"Audit my collection rules for IDOR vulnerabilities"

Going to production:

"Configure Nginx with HTTPS, rate limiting, and security headers for PocketBase"
"Set up automated backups for my PocketBase database"
"Optimize SQLite settings for a production workload with ~500 concurrent users"
"Deploy PocketBase with Docker Compose and Caddy"

Detailed Rules

Load the relevant category for complete rule documentation with code examples:

Collection Design - Schema patterns, field types, relations, indexes
API Rules & Security - Access control, filter expressions, security patterns
Authentication - Password auth, OAuth2, MFA, token management
SDK Usage - Client initialization, auth stores, error handling, hooks
Query Performance - Pagination, expansion, batch operations, N+1 prevention
Realtime - SSE subscriptions, event handling, reconnection
File Handling - Uploads, serving, validation
Production & Deployment - Backup, configuration, reverse proxy, SQLite optimization