by hucker 2927 days ago
There's nothing in PostgREST that stops you from limiting control so that even anonymous users can use it safely. I've used PostgREST for user-facing APIs with success, but it requires some knowledge about the postgres access control model.

EDIT: And "Just point Postgrest at your PostgreSQL database" is rarely a good idea in my experience; I usually have (versioned) API-schemas containing views, so that I can change my underlying data schema at will without borking the API.
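A sketch of the layout the comment above describes, as an added example that is not from the commenter or the PostgREST project: a private schema for tables, a versioned API schema holding only views, and an anonymous role restricted to those views. All object names (`app`, `api_v1`, `stories`, `web_anon`, `authenticator`) and the password are assumptions.

```sql
-- Added example; every object name below is hypothetical.
BEGIN;

-- Private schema: the real tables. PostgREST is never pointed at this.
CREATE SCHEMA app;
CREATE TABLE app.stories (
    id           bigserial PRIMARY KEY,
    title        text NOT NULL,
    url          text,
    submitter_ip inet,                       -- internal, must not reach the API
    is_published boolean NOT NULL DEFAULT false,
    created_at   timestamptz NOT NULL DEFAULT now()
);

-- Versioned API schema: views only. The view picks the columns and rows
-- that are public, so app.stories can change without breaking api_v1.
CREATE SCHEMA api_v1;
CREATE VIEW api_v1.stories AS
    SELECT id, title, url, created_at
    FROM app.stories
    WHERE is_published;

-- Role used for unauthenticated requests; it cannot log in by itself.
CREATE ROLE web_anon NOLOGIN;
-- Login role PostgREST connects as; it switches to web_anon per request.
CREATE ROLE authenticator LOGIN NOINHERIT PASSWORD 'change-me';  -- placeholder
GRANT web_anon TO authenticator;

-- Least privilege: schema usage plus SELECT on one view, nothing else.
-- No grant on schema app is needed, because a view reads its base table
-- with the view owner's privileges, not the caller's.
GRANT USAGE ON SCHEMA api_v1 TO web_anon;
GRANT SELECT ON api_v1.stories TO web_anon;

COMMIT;

-- Review what the anonymous role can actually reach.
SELECT has_table_privilege('web_anon', 'api_v1.stories', 'SELECT') AS can_read_view,
       has_table_privilege('web_anon', 'api_v1.stories', 'INSERT') AS can_write_view,
       has_schema_privilege('web_anon', 'app', 'USAGE')            AS can_use_private_schema;

-- PostgREST side (current config keys): db-schemas = "api_v1",
-- db-anon-role = "web_anon", connecting as authenticator.
```

A later `api_v2` schema can expose a different view over the same tables while `api_v1` keeps serving existing clients.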

1 comments

Anonymous seems easier, since you can treat them as a single user. But could you do something like HN as a frontend app talking directly to a Postgrest API?