
Authorizing Users

Now that you have Object Types, Users, and Warrant set up, you can start authorizing user access to your system. We recommend that you implement both server-side and client-side authorization. At a minimum, you should protect access to your server endpoints using server-side authorization.

Server-side Authorization

At a high level, server-side authorization means making a POST /v1/authorize request to Warrant for the object type, object id, and relation that a user is attempting to access through each endpoint. For example, if your server implements a PUT /stores endpoint, you may want to allow only users who have the editor relation on a store to perform that action. You can authorize a user's access by making a request to Warrant:

Authorizing a User
curl "https://api.warrant.dev/v1/authorize" \
    -X POST \
    -H "Authorization: ApiKey YOUR_KEY" \
    -H "Content-Type: application/json" \
    --data-raw \
    '{
        "objectType": "store",
        "objectId": "7",
        "relation": "editor",
        "user": {
            "userId": "d6ed6474-784e-407e-a1ea-42a91d4c52b9"
        }
    }'

This call will return a 401 Unauthorized if user d6ed6474-784e-407e-a1ea-42a91d4c52b9 does not have the editor relation on store 7 either directly or indirectly through another relationship. It will return a 200 OK if they do have the relation.
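The check described above, applied inside an endpoint handler, as an added example that is not Warrant's own SDK or middleware. It assumes the api.warrant.dev URL and the ApiKey header from the curl call, and uses only the standard library; the send parameter lets the HTTP transport be swapped out so the logic can be exercised offline. Anything other than a clean 200 OK or 401 Unauthorized from Warrant is treated as a failure to authorize, not as permission.

```python
import json
import urllib.error
import urllib.request

# Endpoint taken from the curl example above (assumption: no SDK, plain HTTP).
WARRANT_AUTHORIZE_URL = "https://api.warrant.dev/v1/authorize"

def build_authorize_request(api_key, object_type, object_id, relation, user_id):
    """Build the same request as the curl example: a JSON body sent via POST."""
    body = json.dumps({
        "objectType": object_type,
        "objectId": str(object_id),
        "relation": relation,
        "user": {"userId": user_id},
    }).encode("utf-8")
    headers = {"Authorization": f"ApiKey {api_key}", "Content-Type": "application/json"}
    return urllib.request.Request(WARRANT_AUTHORIZE_URL, data=body, method="POST", headers=headers)

def send_request(req):
    """Default transport: perform the call and return only the HTTP status code."""
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def is_authorized(api_key, object_type, object_id, relation, user_id, send=send_request):
    """True on 200 OK, False on 401 Unauthorized; any other answer is an error."""
    status = send(build_authorize_request(api_key, object_type, object_id, relation, user_id))
    if status == 200:
        return True
    if status == 401:
        return False
    raise RuntimeError(f"unexpected status {status} from /v1/authorize")

def put_store(store_id, user_id, api_key, send=send_request):
    """Handler for PUT /stores/<id>: only users holding the editor relation on the
    store may proceed. Returns (status, body) so any framework can wrap it; a
    Warrant failure yields 503 rather than granting access (fail closed)."""
    try:
        allowed = is_authorized(api_key, "store", store_id, "editor", user_id, send=send)
    except (RuntimeError, urllib.error.URLError):
        return 503, {"error": "authorization service unavailable"}
    if not allowed:
        return 403, {"error": "forbidden"}
    return 200, {"updated": str(store_id)}
```

Note that a 401 from Warrant means the user lacks the relation, so the handler maps it to 403 Forbidden for the caller; the user's own authentication to your server is a separate concern.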

Server Middleware

Coming soon! Easily integrate Warrant into popular back-end frameworks like Express (Node.js) and Flask.

Client-side Authorization

If your client application is a Single Page App (SPA) or a native mobile application (iOS/Android), implementing client-side authorization using Warrant will further secure your application and help you more cleanly display different UI/UX for users with different levels of access. We currently provide an SDK for client-side authorization in applications built using React. Refer to our guide on using Warrant with React for a step-by-step tutorial.