
Authorizing Users

Now that you have object types, users, and warrants set up, you can start authorizing user access to your system. We recommend that you implement both server-side and client-side authorization. At minimum, you should protect access to your server endpoints using server-side authorization.

Server-side Authorization

At a high level, server-side authorization involves making a POST /v1/authorize request to Warrant for the object type, object id, and relation your users are attempting to access through each endpoint. For example, if your server implements a PUT /stores endpoint, you may want to allow only users with the editor relation on a store to perform that action on it. You can authorize a user's access by making a request to Warrant:

curl "https://YOUR_WARRANT_HOST/v1/authorize" \
-X POST \
-H "Authorization: ApiKey YOUR_KEY" \
-H "Content-Type: application/json" \
--data-raw '{
    "objectType": "store",
    "objectId": "7",
    "relation": "editor",
    "user": {
        "userId": "d6ed6474-784e-407e-a1ea-42a91d4c52b9"
    }
}'

This call will return a 401 Unauthorized if user d6ed6474-784e-407e-a1ea-42a91d4c52b9 does not have the editor relation on store 7 either directly or indirectly through another relationship. It will return a 200 OK if they do have the relation.
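The following is an added example, not Warrant's own SDK or documentation code, showing how a server handler for PUT /stores/<id> can be gated on that authorize call. The host name, the `post` transport function and the stub that stands in for Warrant are assumptions so the code runs offline; with the real service you would pass a thin wrapper around your HTTP client that returns the response status.

```python
# Added example (not Warrant's own SDK): gate a server endpoint on the
# POST /v1/authorize check described above. The HTTP call is injected as
# `post` so the example runs offline against a constructed stub.
import json

WARRANT_HOST = "https://YOUR_WARRANT_HOST"  # placeholder, not a real host
API_KEY = "YOUR_KEY"  # placeholder


def is_authorized(post, object_type, object_id, relation, user_id):
    """True on 200 OK, False on 401 Unauthorized.

    Any other status raises so an outage or misconfiguration never
    silently grants access (fail closed).
    """
    status = post(
        f"{WARRANT_HOST}/v1/authorize",
        headers={"Authorization": f"ApiKey {API_KEY}",
                 "Content-Type": "application/json"},
        body=json.dumps({"objectType": object_type, "objectId": object_id,
                         "relation": relation, "user": {"userId": user_id}}),
    )
    if status == 200:
        return True
    if status == 401:
        return False
    raise RuntimeError(f"unexpected authorize status {status}")


def put_store(post, user_id, store_id, payload):
    """Handler for PUT /stores/<id>: only editors of that store may update it."""
    if not is_authorized(post, "store", store_id, "editor", user_id):
        return 403, {"error": "forbidden"}
    return 200, {"id": store_id, "name": payload.get("name")}


# Constructed stand-in for Warrant holding the single warrant from the curl example.
STUB_WARRANTS = {("d6ed6474-784e-407e-a1ea-42a91d4c52b9", "editor", "store", "7")}


def stub_post(url, headers, body):
    """Mimic /v1/authorize: 200 if the warrant exists, otherwise 401."""
    if not url.endswith("/v1/authorize") or headers.get("Authorization") != f"ApiKey {API_KEY}":
        return 401  # wrong endpoint or key: the caller treats this as a denial
    b = json.loads(body)
    key = (b["user"]["userId"], b["relation"], b["objectType"], b["objectId"])
    return 200 if key in STUB_WARRANTS else 401
```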

Client-side Authorization

If your client application is a Single Page App (SPA) or a native mobile application (iOS/Android), implementing client-side authorization using Warrant will further secure your application and help you more cleanly display different UI/UX for users with different levels of access. We currently provide SDKs for client-side authorization in applications built using React, NextJS, and VueJS. Refer to our guides on using Warrant with React, NextJS, and VueJS for a step-by-step tutorial.