by icot 3412 days ago
Yes, we found the same issue. We worked around this by organizing our application (an admittedly basic REST API) in two layers. The external one exposed to API consumers, developed in a language/framework you may like (Python/Tornado for us), and the internal data access layer which uses PostgREST, and is only accessed locally from within the REST API application servers.
2 comments

Why not just query the database using standard drivers then? What am I missing here?
Maybe the exposed application acts like a proxy for the internal APIs, only checks authentication info and passes on the request to the PostgREST servers.
I know the docs are lacking but have you guys looked into how roles + RLS + views can work together to solve authorization?