Check
Check if a specific relation exists between a particular subject and object. Use this endpoint to enforce access to the resources and actions available to users (or other types of subjects) in your application.
For example, you may want to check if user:5djfs6 (subject) is viewer (relation) of report:avk2837 (object). A Check for this relation will yield an Authorized response if user:5djfs6 is explicitly a viewer of report:avk2837 via a warrant or implicitly via the inheritance rules specified by its object type. Otherwise, the Check will yield a Not Authorized response.
This endpoint also supports checking for a logical combination (e.g. && and ||) of multiple warrants (returning a single result) and checking for multiple warrants separately (returning one result per warrant).
POST /v2/check
Request
Headers
Warrant-Token string, optional
A valid Warrant-Token from a previous write operation or latest. Used to specify desired consistency for this read operation.
Body
op string, required if warrants contains more than one warrant
The operator to use when warrants contains a list of more than one warrant. Supported values are allOf, anyOf, and batch. See the table below for a description of the check endpoint's behavior given each value of op.
| Value | Description |
|---|---|
allOf | If op is allOf, the check endpoint returns a single check result. The result is Authorized if all of the specified warrants are matched. Otherwise, the result is Not Authorized. |
anyOf | If op is anyOf, the check endpoint returns a single check result. The result is Authorized if any of the specified warrants are matched. Otherwise, the result is Not Authorized. |
batch | If op is batch, the check endpoint returns a list of check results (one for each warrant provided in warrants). The order of this list will match the order of warrants. This operation is only available in Warrant Cloud. |
warrants array
A list of relations (between a subject and an object) to check for. Each element should contain the parameters specified in the table below.
| Parameter | Type | Description | Required |
|---|---|---|---|
| objectType | string | The type of object. Must be one of your system's existing object types. | yes |
| objectId | string | The id of the specific object. | yes |
| relation | string | The relation to check for. Must be a valid relation in objectType's object type. | yes |
| subject | object | The specific subject that must have the relation. Can be a specific subject (objectType + objectId) or a group of subjects (objectType + objectId + relation). | yes |
| context | object | Contextual data to use for resolving the access check. This data will be used when evaluating warrant policies. | no |
- cURL
- CLI
- Go
- Java
- Node.js
- PHP
- Python
- Ruby
curl "https://api.warrant.dev/v2/check" \
-X POST \
-H "Authorization: ApiKey YOUR_KEY" \
--data-raw \
'{
"warrants": [
{
"objectType": "report",
"objectId": "avk2837",
"relation": "viewer",
"subject": {
"objectType": "user",
"objectId": "5djfs6"
}
}
]
}'
warrant check user:5djfs6 viewer report:avk2837
isAuthorized, err := warrant.Check(warrant.WarrantCheckParams{
WarrantCheck: warrant.WarrantCheck{
Object: warrant.Object{
ObjectType: "report",
ObjectId: "avk2837",
},
Relation: "viewer",
Subject: warrant.Subject{
ObjectType: "user",
ObjectId: "5djfs6",
},
}
})
if err != nil {
// Handler error
}
// May also pass in objects that implement the `WarrantObject` interface
isAuthorized, err := warrant.Check(warrant.WarrantCheckParams{
Object: someReport,
Relation: "viewer",
Subject: someUser,
})
Report report = new Report("avk2837"); // assuming 'Report' implements the 'WarrantObject' interface
boolean isAuthorized = client.check(report, "viewer", new WarrantSubject("user", "5djfs6"));
if (isAuthorized) {
// Proceed if authorized
}
const isAuthorized = await warrantClient.Authorization.check({
warrants: [
{
object: {
objectType: "report",
objectId: "avk2837",
},
relation: "viewer",
subject: {
objectType: "user",
objectId: "5djfs6",
},
},
],
});
if (isAuthorized) {
// Proceed if authorized
}
$warrants_to_check = [
new \Warrant\Warrant(
"report",
"avk2837",
"viewer",
new \Warrant\Subject("user", "5djfs6")
)
];
$is_authorized = $warrant->isAuthorized(new \Warrant\WarrantCheck(\Warrant\WarrantCheckOp::ALL_OF, $warrants_to_check));
user_subject = warrant.Subject("user", "5djfs6")
is_authorized = warrant.Authz.check("report", "avk2837", "viewer", user_subject)
is_authorized = Warrant::Warrant.check({ object_type: "report", object_id: "avk2837" }, "viewer", { object_type: "user", object_id: "5djfs6" })
Response
Body
- Single Warrant
- AllOf
- AnyOf
- Batch
code number
The HTTP response code that can be used to represent the result of the check request. 200 if the check request resulted in a match and 403 otherwise.
result string
The result of the check request. Authorized if the check request matched a warrant and Not Authorized otherwise.
{
"code": 200,
"result": "Authorized"
}
code number
The HTTP response code that can be used to represent the result of the check request. 200 if the check request resulted in a match and 403 otherwise.
result string
The result of the check request. Authorized if the check request matched a warrant and Not Authorized otherwise.
{
"code": 200,
"result": "Authorized"
}
code number
The HTTP response code that can be used to represent the result of the check request. 200 if the check request resulted in a match and 403 otherwise.
result string
The result of the check request. Authorized if the check request matched a warrant and Not Authorized otherwise.
{
"code": 200,
"result": "Authorized"
}
The batch op type returns a list of check results (matching the order of the checks in the request), each containing the following attributes:
code number
The HTTP response code that can be used to represent the result of the check request. 200 if the check request resulted in a match and 403 otherwise.
result string
The result of the check request. Authorized if the check request matched a warrant and Not Authorized otherwise.
[
{
"code": 403,
"result": "Not Authorized"
},
{
"code": 200,
"result": "Authorized"
}
]