Field Attributes

This reference covers every supported field-level attribute. Model-level (@@) attributes live in their dedicated guides — see audit log for @@audit, soft delete for @@soft_delete, and auth support matrix for @@allow / @@deny.

Identity & Defaults

AttributeBehaviour
@idMarks the primary-key field. Required; exactly one per model.
@default(value)Server-side default applied when the create input omits the field.
@default(cuid())Macro-emitted CUID on create.
@default(auth().x)Pulls a value from the auth context. Supports nested paths (auth().organization.id).
@default(dbgenerated())Defers to the database default — the column must declare DEFAULT in SQL.
Auth-defaulted columns are limited to String/Cuid, Int, and Boolean and act as fallbacks: they fill the field only when the create input omits it. They are not enforcement.

Exposure controls

AttributeEffect on inputEffect on outputEffect on audit
@readonlyExcluded from Create + Update inputsVisible in responsesVisible in before/after
@server_onlyExcluded from Create + Update inputsStripped from responsesOmitted entirely from snapshots
@piiNo effectNo effectRedacted as "<redacted: pii>"
@sensitiveNo effectNo effectRedacted as "<redacted: sensitive>"
Use @readonly for columns the server writes but clients may read (audit timestamps, computed totals). Use @server_only for columns clients should never see (internal risk scores, raw token blobs). Use @pii or @sensitive to control audit redaction without changing input/output surfaces.

Optimistic locking

AttributeBehaviour
@versionMarks the optimistic-lock column. Required Int; one per model; not on the primary key.
See optimistic locking for the full contract. The macro excludes @version from both Create and Update inputs. The runtime seeds it to 0 on create and bumps it in the same statement as every update or soft-delete.

Validators

AttributeApplies toBehaviour
@length(min, max)String, CuidInclusive length check.
@range(min, max)Int, DecimalInclusive numeric range. Integer bounds promote to Decimal.
@emailStringPragmatic email shape check.
@regex(pattern)StringPattern compiled at macro time.
@uriStringMust parse as a URI.
@iso4217StringThree ASCII uppercase letters.
See validators for the full surface, including the PII-safe error message contract.

Type modifiers

SuffixMeaningExample
?Nullable / optionalnotes String?
[]Listtags String[]
Lists are supported only for a subset of scalars in the current slice; banks running JSON columns prefer @db.JsonB on a String for richer payloads.

Composition

Multiple attributes on one field are space-separated and additive: 
model Transfer {
  id Int @id
  amount Decimal @range(min: 0)
  notes String? @sensitive @length(max: 4000)
  reservationId String @server_only
  version Int @version
}
The macro applies them in this evaluation order:
  1. exclusion from inputs (@id, @readonly, @server_only, @version, @default(...))
  2. validation on whatever survives (@length, @range, @regex, @email, @uri, @iso4217)
  3. policy evaluation (model-level @@allow / @@deny)
  4. SQL execution
  5. response projection (server_only stripped here)
  6. audit snapshot (pii / sensitive redacted here)