Check
Check for the presence of relation(s) between specific subjects and objects in your access model (object types & warrants). This is the primary runtime 'check' API designed for use within your applications.
For example, you may want to check if the user (subject) identified by userId 5djfs6 can view (relation) the report (object) with id avk2837. A warrant check for this condition will return Authorized if the relation is valid as per the access model or Not Authorized if it is not valid.
POST /v2/authorize
Parameters
| Parameter | Description | Type | Required |
|---|---|---|---|
op | The logical operator to use when warrants contains more than one warrant. Valid values are allOf and anyOf. allOf will return “Authorized” only if all warrants are found, and anyOf will return “Authorized” if at least one of the warrants is found. | JSON body | no |
warrants | Array of warrants that you want to check. Each warrant should be formatted as below in the Warrant Parameters table. | JSON body | yes |
Warrant Parameters
| Parameter | Description | Type | Required |
|---|---|---|---|
objectType | The type of object. Must be one of your system's existing object types. | JSON body | yes |
objectId | The id of the specific object. | JSON body | yes |
relation | The relation to check for this object to subject association. The relation must be valid as per the object type definition. | JSON body | yes |
subject | The specific subject for which access will be checked. Can be a specific object by id or an objectType, objectId and relation set. | JSON body | yes |
context | Contextual data to use for resolving the access check. | JSON body | no |
Request
- Curl
- Go
- Java
- Node.js
- Python
- Ruby
- PHP
- CLI
curl "https://api.warrant.dev/v2/authorize" \
-X POST \
-H "Authorization: ApiKey YOUR_KEY" \
--data-raw \
'{
"warrants": [
{
"objectType": "report",
"objectId": "avk2837",
"relation": "viewer",
"subject": {
"objectType": "user",
"objectId": "5djfs6"
}
}
]
}'
isAuthorized, err := warrant.Check(warrant.WarrantCheckParams{
Object: warrant.Object{
ObjectType: "report",
ObjectId: "avk2837",
},
Relation: "viewer",
Subject: warrant.Subject{
ObjectType: "user",
ObjectId: "5djfs6",
},
})
if err != nil {
// Handler error
}
// May also pass in objects that implement the `WarrantObject` interface
isAuthorized, err := warrant.Check(warrant.WarrantCheckParams{
Object: someReport,
Relation: "viewer",
Subject: someUser,
})
Report report = new Report("avk2837"); // assuming 'Report' implements the 'WarrantObject' interface
boolean isAuthorized = client.check(report, "viewer", new WarrantSubject("user", "5djfs6"));
if (isAuthorized) {
// Proceed if authorized
}
const isAuthorized = await warrantClient.Authorization.check({
warrants: [
{
object: {
objectType: "report",
objectId: "avk2837",
},
relation: "viewer",
subject: {
objectType: "user",
objectId: "5djfs6",
},
},
],
});
if (isAuthorized) {
// Proceed if authorized
}
user_subject = warrant.Subject("user", "5djfs6")
is_authorized = warrant.Authz.check("report", "avk2837", "viewer", user_subject)
is_authorized = Warrant::WarrantClient.is_authorized?(
warrants: [
{
object_type: "report",
object_id: "avk2837",
relation: "viewer",
subject: {
object_type: "user",
object_id: "5djfs6"
}
}
])
$warrants_to_check = [
new \Warrant\Warrant(
"report",
"avk2837",
"viewer",
new \Warrant\Subject("user", "5djfs6")
)
];
$is_authorized = $warrant->isAuthorized(new \Warrant\WarrantCheck(\Warrant\WarrantCheckOp::ALL_OF, $warrants_to_check));
warrant check user:5djfs6 viewer report:avk2837
Response
200 OK
{
"code": 200,
"result": "Authorized"
}