Skip to main content


In many cases, applications require access control rules to be defined per user. To make this easier, Warrant comes with a built-in user object type. This object type has one parent relation which makes it easy to associate users to a parent object such as a tenant, a parent user or an account (in a B2B context). The full representation of the user object type is:

"type": "user",
"relations": {
"parent": {
"inheritIf": "parent",
"ofType": "user",
"withRelation": "parent"

Using this object type, we can create warrants for individual users like:

[user:7] is a [parent] of [user:84]
[tenant:A] is a [parent] of [user:1]

Data Integrity

By default, Warrant operates with 'strict data integrity' with respect to users. This means that you can only create warrants for users that also exist in Warrant. So before we can create user-specific warrants, we need to 'register' our application users by a unique id. This can be done using the Users API.

For convenience, users can either be created with a provided ID (easier if your app already tracks userIds) or Warrant-generated IDs (require storage on the application-side).

Provided IDs

One way to create users in Warrant is to create them using the same id you use to identify them in your system. This id should be a unique id generated by your database or an id given to the user by a third-party authentication provider.

This approach is easy to implement because you don't need to track a separate Warrant-specific user id for each of your users. For example, if you have a user named Tony Stark with id d6ed6474-784e-407e-a1ea-42a91d4c52b9 in your system, you can create a user in Warrant with the same userId.

Warrant-generated IDs

If you don't provide a userId on user creation, Warrant will generate a userId for that user.

In this case, you will need to store this userId as a new field in your system and include it in all authorization requests for that user. We recommend creating a warrantId field or column in your database to store this id per user for future calls to Warrant.

Dealing with Existing Users

If you're integrating Warrant into a live system, chances are that you already have existing users. The simplest way to create these existing users in Warrant is to add the Warrant user creation logic to your login flow. This way, your existing users will onboard into Warrant the next time they login.

To onboard all of your users at once, you can bulk-create them in Warrant using the Users API. The easiest way to do this is via a script that calls the create user API for each of your existing users.

We'll be adding a CLI tool in the future to make this process easier.