Authorization approach where access control is implicit in the query: for example, fetching a project scoped to the current user and rendering unauthorized if none is found. Simple to implement, but mixes business logic with authorization rules and becomes hard to manage as the app grows.
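The pattern in plain Ruby, as an added example that is not from the original page: the in-memory `PROJECTS` data, the `projects_for` scope and the action names are all hypothetical stand-ins for a real query layer. It shows the scoped lookup doing the authorization, an action that forgets the scope, and a regression check that catches the omission.

```ruby
# Constructed sample data standing in for a projects table (hypothetical schema).
Project = Struct.new(:id, :owner_id, :name)
User    = Struct.new(:id)
PROJECTS = [
  Project.new(1, 10, "alpha"),
  Project.new(2, 20, "beta")
].freeze

# Stand-in for a scoped query: only the rows the user owns.
def projects_for(user)
  PROJECTS.select { |p| p.owner_id == user.id }
end

# Authorization is implicit: no rule says "owner may read", the query
# simply cannot return someone else's row. A missing id and a foreign id
# are indistinguishable to the caller.
def show_project(current_user, project_id)
  project = projects_for(current_user).find { |p| p.id == project_id }
  return [:unauthorized, nil] if project.nil?
  [:ok, project.name]
end

# The maintenance hazard: a later action queries the whole table.
# Nothing fails or warns, because the access rule only ever existed
# inside the other action's query.
def export_project_unscoped(_current_user, project_id)
  project = PROJECTS.find { |p| p.id == project_id }
  return [:unauthorized, nil] if project.nil?
  [:ok, project.name]
end

# Regression check to run against every action: a user who does not own
# the project must never receive :ok.
def leaks_to_non_owner?(action, project)
  outsider = User.new(project.owner_id + 1000) # constructed id with no projects
  status, _body = send(action, outsider, project.id)
  status == :ok
end

if __FILE__ == $PROGRAM_NAME
  %i[show_project export_project_unscoped].each do |action|
    puts "#{action}: leaks=#{leaks_to_non_owner?(action, PROJECTS.first)}"
  end
end
```

Because the rule lives only in each query, a check like `leaks_to_non_owner?` has to be applied per action; nothing central enforces it.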