How to use CanActivate guard in Angular

Łukasz Holeczek Follow Łukasz Holeczek on GitHub Connect with Łukasz Holeczek on LinkedIn Follow Łukasz Holeczek on X (Twitter)

Tuesday, December 2, 2025

#angular #canactivate #guard #routing #security

CanActivate guards provide route-level protection in Angular applications by controlling access based on authentication, authorization, or custom business logic. As the creator of CoreUI with extensive Angular experience since 2014, I’ve implemented CanActivate guards in countless enterprise applications for security and access control. The most robust approach implements the CanActivate interface with conditional logic that returns boolean, Observable, or Promise values. This pattern enables fine-grained route protection while maintaining clean separation between routing and business logic.

Implement the CanActivate interface in a guard service and apply it to routes in your routing configuration.

import { Injectable } from '@angular/core'
import { CanActivate, Router, ActivatedRouteSnapshot } from '@angular/router'
import { Observable } from 'rxjs'
import { AuthService } from './auth.service'

@Injectable({
  providedIn: 'root'
})
export class AdminGuard implements CanActivate {
  constructor(
    private authService: AuthService,
    private router: Router
  ) {}

  canActivate(route: ActivatedRouteSnapshot): Observable<boolean> {
    return this.authService.hasRole('admin').pipe(
      map(hasAdminRole => {
        if (hasAdminRole) {
          return true
        } else {
          this.router.navigate(['/unauthorized'])
          return false
        }
      })
    )
  }
}

// In routing configuration
{
  path: 'admin',
  component: AdminComponent,
  canActivate: [AdminGuard]
}

This code creates a CanActivate guard that checks if the user has admin role before allowing route access. The guard returns an Observable from the auth service, automatically handling async role verification. If authorization fails, it redirects to an unauthorized page and blocks access. The guard is applied to routes using the canActivate property in the route configuration.

Best Practice Note:

This is the authorization pattern we use in CoreUI Pro admin templates for role-based access control. CanActivate guards can return boolean, Observable, or Promise for synchronous and asynchronous authorization scenarios.

Speed up your responsive apps and websites with fully-featured, ready-to-use open-source admin panel templates—free to use and built for efficiency.

Angular

Bootstrap

React.js

Vue.js

About the Author

Follow Łukasz Holeczek on GitHub Connect with Łukasz Holeczek on LinkedIn Follow Łukasz Holeczek on X (Twitter)

Łukasz Holeczek, Founder of CoreUI, is a seasoned Fullstack Developer and entrepreneur with over 25 years of experience. As the lead developer for all JavaScript, React.js, and Vue.js products at CoreUI, they specialize in creating open-source solutions that empower developers to build better and more accessible user interfaces.

With expertise in TypeScript, JavaScript, Node.js, and modern frameworks like React.js, Vue.js, and Next.js, Łukasz combines technical mastery with a passion for UI/UX design and accessibility. CoreUI’s mission is to provide developers with tools that enhance productivity while adhering to accessibility standards.

Łukasz shares its extensive knowledge through a blog with technical software development articles. It also advises enterprise companies on building solutions from A to Z. Through CoreUI, it offers professional services, technical support, and open-core products that help developers and businesses achieve their goals.

Learn more about CoreUI’s solutions and see how your business can benefit from working with us.