workos 6.2.0 → 7.1.0

data/lib/workos/authorization.rb

@@ -0,0 +1,1283 @@
+# frozen_string_literal: true
+
+# This file is auto-generated by oagen. Do not edit.
+
+require "json"
+
+module WorkOS
+  class Authorization
+    def initialize(client)
+      @client = client
+    end
+
+    # Check authorization
+    # @param organization_membership_id [String] The ID of the organization membership to check.
+    # @param permission_slug [String] The slug of the permission to check.
+    # @param resource_id [String, nil] The ID of the resource. Mutually exclusive with `resource_external_id` and `resource_type_slug`.
+    # @param resource_external_id [String, nil] The external ID of the resource. Required with `resource_type_slug`. Mutually exclusive with `resource_id`.
+    # @param resource_type_slug [String, nil] The slug of the resource type. Required with `resource_external_id`. Mutually exclusive with `resource_id`.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::AuthorizationCheck]
+    def check(
+      organization_membership_id:,
+      permission_slug:,
+      resource_target:,
+      resource_id: nil,
+      resource_external_id: nil,
+      resource_type_slug: nil,
+      request_options: {}
+    )
+      body = {
+        "permission_slug" => permission_slug,
+        "resource_id" => resource_id,
+        "resource_external_id" => resource_external_id,
+        "resource_type_slug" => resource_type_slug
+      }.compact
+      case resource_target[:type]
+      when "by_id"
+        body["resource_id"] = resource_target[:resource_id]
+      when "by_external_id"
+        body["resource_external_id"] = resource_target[:resource_external_id]
+        body["resource_type_slug"] = resource_target[:resource_type_slug]
+      end
+      response = @client.request(
+        method: :post,
+        path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/check",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::AuthorizationCheck.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # List resources for organization membership
+    # @param organization_membership_id [String] The ID of the organization membership.
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param permission_slug [String] The permission slug to filter by. Only child resources where the organization membership has this permission are returned.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>]
+    def list_resources_for_membership(
+      organization_membership_id:,
+      permission_slug:,
+      parent_resource:,
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order,
+        "permission_slug" => permission_slug
+      }.compact
+      case parent_resource[:type]
+      when "by_id"
+        params["parent_resource_id"] = parent_resource[:parent_resource_id]
+      when "by_external_id"
+        params["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
+        params["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
+      end
+      response = @client.request(
+        method: :get,
+        path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/resources",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_resources_for_membership(
+          organization_membership_id: organization_membership_id,
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          permission_slug: permission_slug,
+          parent_resource: parent_resource,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::AuthorizationResource,
+        filters: {organization_membership_id: organization_membership_id, before: before, limit: limit, order: order, permission_slug: permission_slug, parent_resource: parent_resource},
+        fetch_next: fetch_next
+      )
+    end
+
+    # List effective permissions for an organization membership on a resource
+    # @param organization_membership_id [String] The ID of the organization membership.
+    # @param resource_id [String] The ID of the authorization resource.
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>]
+    def list_effective_permissions(
+      organization_membership_id:,
+      resource_id:,
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/resources/#{WorkOS::Util.encode_path(resource_id)}/permissions",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_effective_permissions(
+          organization_membership_id: organization_membership_id,
+          resource_id: resource_id,
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::AuthorizationPermission,
+        filters: {organization_membership_id: organization_membership_id, resource_id: resource_id, before: before, limit: limit, order: order},
+        fetch_next: fetch_next
+      )
+    end
+
+    # List effective permissions for an organization membership on a resource by external ID
+    # @param organization_membership_id [String] The ID of the organization membership.
+    # @param resource_type_slug [String] The slug of the resource type.
+    # @param external_id [String] An identifier you provide to reference the resource in your system.
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>]
+    def list_effective_permissions_by_external_id(
+      organization_membership_id:,
+      resource_type_slug:,
+      external_id:,
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}/permissions",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_effective_permissions_by_external_id(
+          organization_membership_id: organization_membership_id,
+          resource_type_slug: resource_type_slug,
+          external_id: external_id,
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::AuthorizationPermission,
+        filters: {organization_membership_id: organization_membership_id, resource_type_slug: resource_type_slug, external_id: external_id, before: before, limit: limit, order: order},
+        fetch_next: fetch_next
+      )
+    end
+
+    # List role assignments
+    # @param organization_membership_id [String] The ID of the organization membership.
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::RoleAssignment>]
+    def list_role_assignments(
+      organization_membership_id:,
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/role_assignments",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_role_assignments(
+          organization_membership_id: organization_membership_id,
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::RoleAssignment,
+        filters: {organization_membership_id: organization_membership_id, before: before, limit: limit, order: order},
+        fetch_next: fetch_next
+      )
+    end
+
+    # Assign a role
+    # @param organization_membership_id [String] The ID of the organization membership.
+    # @param role_slug [String] The slug of the role to assign.
+    # @param resource_id [String, nil] The ID of the resource. Mutually exclusive with `resource_external_id` and `resource_type_slug`.
+    # @param resource_external_id [String, nil] The external ID of the resource. Required with `resource_type_slug`. Mutually exclusive with `resource_id`.
+    # @param resource_type_slug [String, nil] The resource type slug. Required with `resource_external_id`. Mutually exclusive with `resource_id`.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::RoleAssignment]
+    def assign_role(
+      organization_membership_id:,
+      role_slug:,
+      resource_target:,
+      resource_id: nil,
+      resource_external_id: nil,
+      resource_type_slug: nil,
+      request_options: {}
+    )
+      body = {
+        "role_slug" => role_slug,
+        "resource_id" => resource_id,
+        "resource_external_id" => resource_external_id,
+        "resource_type_slug" => resource_type_slug
+      }.compact
+      case resource_target[:type]
+      when "by_id"
+        body["resource_id"] = resource_target[:resource_id]
+      when "by_external_id"
+        body["resource_external_id"] = resource_target[:resource_external_id]
+        body["resource_type_slug"] = resource_target[:resource_type_slug]
+      end
+      response = @client.request(
+        method: :post,
+        path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/role_assignments",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::RoleAssignment.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Remove a role assignment
+    # @param organization_membership_id [String] The ID of the organization membership.
+    # @param role_slug [String] The slug of the role to remove.
+    # @param resource_id [String, nil] The ID of the resource. Mutually exclusive with `resource_external_id` and `resource_type_slug`.
+    # @param resource_external_id [String, nil] The external ID of the resource. Required with `resource_type_slug`. Mutually exclusive with `resource_id`.
+    # @param resource_type_slug [String, nil] The resource type slug. Required with `resource_external_id`. Mutually exclusive with `resource_id`.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [void]
+    def remove_role(
+      organization_membership_id:,
+      role_slug:,
+      resource_target:,
+      resource_id: nil,
+      resource_external_id: nil,
+      resource_type_slug: nil,
+      request_options: {}
+    )
+      params = {}.compact
+      case resource_target[:type]
+      when "by_id"
+        params["resource_id"] = resource_target[:resource_id]
+      when "by_external_id"
+        params["resource_external_id"] = resource_target[:resource_external_id]
+        params["resource_type_slug"] = resource_target[:resource_type_slug]
+      end
+      body = {
+        "role_slug" => role_slug,
+        "resource_id" => resource_id,
+        "resource_external_id" => resource_external_id,
+        "resource_type_slug" => resource_type_slug
+      }.compact
+      @client.request(
+        method: :delete,
+        path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/role_assignments",
+        auth: true,
+        params: params,
+        body: body,
+        request_options: request_options
+      )
+      nil
+    end
+
+    # Remove a role assignment by ID
+    # @param organization_membership_id [String] The ID of the organization membership.
+    # @param role_assignment_id [String] The ID of the role assignment to remove.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [void]
+    def remove_role_assignment(
+      organization_membership_id:,
+      role_assignment_id:,
+      request_options: {}
+    )
+      @client.request(
+        method: :delete,
+        path: "/authorization/organization_memberships/#{WorkOS::Util.encode_path(organization_membership_id)}/role_assignments/#{WorkOS::Util.encode_path(role_assignment_id)}",
+        auth: true,
+        request_options: request_options
+      )
+      nil
+    end
+
+    # List custom roles
+    # @param organization_id [String] The ID of the organization.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::RoleList]
+    def list_organization_roles(
+      organization_id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::RoleList.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Create a custom role
+    # @param organization_id [String] The ID of the organization.
+    # @param slug [String, nil] A unique identifier for the role within the organization. When provided, must begin with 'org-' and contain only lowercase letters, numbers, hyphens, and underscores. When omitted, a slug is auto-generated from the role name and a random suffix.
+    # @param name [String] A descriptive name for the role.
+    # @param description [String, nil] An optional description of the role's purpose.
+    # @param resource_type_slug [String, nil] The slug of the resource type the role is scoped to.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def create_organization_role(
+      organization_id:,
+      name:,
+      slug: nil,
+      description: nil,
+      resource_type_slug: nil,
+      request_options: {}
+    )
+      body = {
+        "slug" => slug,
+        "name" => name,
+        "description" => description,
+        "resource_type_slug" => resource_type_slug
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Get a custom role
+    # @param organization_id [String] The ID of the organization.
+    # @param slug [String] The slug of the role.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def get_organization_role(
+      organization_id:,
+      slug:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Update a custom role
+    # @param organization_id [String] The ID of the organization.
+    # @param slug [String] The slug of the role.
+    # @param name [String, nil] A descriptive name for the role.
+    # @param description [String, nil] An optional description of the role's purpose.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def update_organization_role(
+      organization_id:,
+      slug:,
+      name: nil,
+      description: nil,
+      request_options: {}
+    )
+      body = {
+        "name" => name,
+        "description" => description
+      }.compact
+      response = @client.request(
+        method: :patch,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Delete a custom role
+    # @param organization_id [String] The ID of the organization.
+    # @param slug [String] The slug of the role.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [void]
+    def delete_organization_role(
+      organization_id:,
+      slug:,
+      request_options: {}
+    )
+      @client.request(
+        method: :delete,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}",
+        auth: true,
+        request_options: request_options
+      )
+      nil
+    end
+
+    # Add a permission to a custom role
+    # @param organization_id [String] The ID of the organization.
+    # @param slug [String] The slug of the role.
+    # @param body_slug [String] The slug of the permission to add to the role.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def add_organization_role_permission(
+      organization_id:,
+      slug:,
+      body_slug:,
+      request_options: {}
+    )
+      body = {
+        "slug" => body_slug
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Set permissions for a custom role
+    # @param organization_id [String] The ID of the organization.
+    # @param slug [String] The slug of the role.
+    # @param permissions [Array<String>] The permission slugs to assign to the role.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def set_organization_role_permissions(
+      organization_id:,
+      slug:,
+      permissions:,
+      request_options: {}
+    )
+      body = {
+        "permissions" => permissions
+      }.compact
+      response = @client.request(
+        method: :put,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Remove a permission from a custom role
+    # @param organization_id [String] The ID of the organization.
+    # @param slug [String] The slug of the role.
+    # @param permission_slug [String] The slug of the permission to remove.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def remove_organization_role_permission(
+      organization_id:,
+      slug:,
+      permission_slug:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :delete,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/roles/#{WorkOS::Util.encode_path(slug)}/permissions/#{WorkOS::Util.encode_path(permission_slug)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Get a resource by external ID
+    # @param organization_id [String] The ID of the organization that owns the resource.
+    # @param resource_type_slug [String] The slug of the resource type.
+    # @param external_id [String] An identifier you provide to reference the resource in your system.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::AuthorizationResource]
+    def get_resource_by_external_id(
+      organization_id:,
+      resource_type_slug:,
+      external_id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::AuthorizationResource.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Update a resource by external ID
+    # @param organization_id [String] The ID of the organization that owns the resource.
+    # @param resource_type_slug [String] The slug of the resource type.
+    # @param external_id [String] An identifier you provide to reference the resource in your system.
+    # @param name [String, nil] A display name for the resource.
+    # @param description [String, nil] An optional description of the resource.
+    # @param parent_resource_id [String, nil] The ID of the parent resource. Mutually exclusive with `parent_resource_external_id` and `parent_resource_type_slug`.
+    # @param parent_resource_external_id [String, nil] The external ID of the parent resource. Required with `parent_resource_type_slug`. Mutually exclusive with `parent_resource_id`.
+    # @param parent_resource_type_slug [String, nil] The resource type slug of the parent resource. Required with `parent_resource_external_id`. Mutually exclusive with `parent_resource_id`.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::AuthorizationResource]
+    def update_resource_by_external_id(
+      organization_id:,
+      resource_type_slug:,
+      external_id:,
+      name: nil,
+      description: nil,
+      parent_resource_id: nil,
+      parent_resource_external_id: nil,
+      parent_resource_type_slug: nil,
+      parent_resource: nil,
+      request_options: {}
+    )
+      body = {
+        "name" => name,
+        "description" => description,
+        "parent_resource_id" => parent_resource_id,
+        "parent_resource_external_id" => parent_resource_external_id,
+        "parent_resource_type_slug" => parent_resource_type_slug
+      }.compact
+      if parent_resource
+        case parent_resource[:type]
+        when "by_id"
+          body["parent_resource_id"] = parent_resource[:parent_resource_id]
+        when "by_external_id"
+          body["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
+          body["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
+        end
+      end
+      response = @client.request(
+        method: :patch,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::AuthorizationResource.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Delete an authorization resource by external ID
+    # @param organization_id [String] The ID of the organization that owns the resource.
+    # @param resource_type_slug [String] The slug of the resource type.
+    # @param external_id [String] An identifier you provide to reference the resource in your system.
+    # @param cascade_delete [Boolean, nil] If true, deletes all descendant resources and role assignments. If not set and the resource has children or assignments, the request will fail.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [void]
+    def delete_resource_by_external_id(
+      organization_id:,
+      resource_type_slug:,
+      external_id:,
+      cascade_delete: nil,
+      request_options: {}
+    )
+      params = {
+        "cascade_delete" => cascade_delete
+      }.compact
+      @client.request(
+        method: :delete,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      nil
+    end
+
+    # List memberships for a resource by external ID
+    # @param organization_id [String] The ID of the organization that owns the resource.
+    # @param resource_type_slug [String] The slug of the resource type this resource belongs to.
+    # @param external_id [String] An identifier you provide to reference the resource in your system.
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param permission_slug [String] The permission slug to filter by. Only users with this permission on the resource are returned.
+    # @param assignment [WorkOS::Types::AuthorizationAssignment, nil] Filter by assignment type. Use "direct" for direct assignments only, or "indirect" to include inherited assignments.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::UserOrganizationMembershipBaseListData>]
+    def list_memberships_for_resource_by_external_id(
+      organization_id:,
+      resource_type_slug:,
+      external_id:,
+      permission_slug:,
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      assignment: nil,
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order,
+        "permission_slug" => permission_slug,
+        "assignment" => assignment
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/authorization/organizations/#{WorkOS::Util.encode_path(organization_id)}/resources/#{WorkOS::Util.encode_path(resource_type_slug)}/#{WorkOS::Util.encode_path(external_id)}/organization_memberships",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_memberships_for_resource_by_external_id(
+          organization_id: organization_id,
+          resource_type_slug: resource_type_slug,
+          external_id: external_id,
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          permission_slug: permission_slug,
+          assignment: assignment,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::UserOrganizationMembershipBaseListData,
+        filters: {organization_id: organization_id, resource_type_slug: resource_type_slug, external_id: external_id, before: before, limit: limit, order: order, permission_slug: permission_slug, assignment: assignment},
+        fetch_next: fetch_next
+      )
+    end
+
+    # List resources
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param organization_id [String, nil] Filter resources by organization ID.
+    # @param resource_type_slug [String, nil] Filter resources by resource type slug.
+    # @param resource_external_id [String, nil] Filter resources by external ID.
+    # @param search [String, nil] Search resources by name.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationResource>]
+    def list_resources(
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      organization_id: nil,
+      resource_type_slug: nil,
+      resource_external_id: nil,
+      search: nil,
+      parent: nil,
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order,
+        "organization_id" => organization_id,
+        "resource_type_slug" => resource_type_slug,
+        "resource_external_id" => resource_external_id,
+        "search" => search
+      }.compact
+      if parent
+        case parent[:type]
+        when "by_id"
+          params["parent_resource_id"] = parent[:parent_resource_id]
+        when "by_external_id"
+          params["parent_resource_type_slug"] = parent[:parent_resource_type_slug]
+          params["parent_external_id"] = parent[:parent_external_id]
+        end
+      end
+      response = @client.request(
+        method: :get,
+        path: "/authorization/resources",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_resources(
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          organization_id: organization_id,
+          resource_type_slug: resource_type_slug,
+          resource_external_id: resource_external_id,
+          search: search,
+          parent: parent,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::AuthorizationResource,
+        filters: {before: before, limit: limit, order: order, organization_id: organization_id, resource_type_slug: resource_type_slug, resource_external_id: resource_external_id, search: search, parent: parent},
+        fetch_next: fetch_next
+      )
+    end
+
+    # Create an authorization resource
+    # @param external_id [String] An external identifier for the resource.
+    # @param name [String] A display name for the resource.
+    # @param description [String, nil] An optional description of the resource.
+    # @param resource_type_slug [String] The slug of the resource type.
+    # @param organization_id [String] The ID of the organization this resource belongs to.
+    # @param parent_resource_id [String, nil] The ID of the parent resource. Mutually exclusive with `parent_resource_external_id` and `parent_resource_type_slug`.
+    # @param parent_resource_external_id [String, nil] The external ID of the parent resource. Required with `parent_resource_type_slug`. Mutually exclusive with `parent_resource_id`.
+    # @param parent_resource_type_slug [String, nil] The resource type slug of the parent resource. Required with `parent_resource_external_id`. Mutually exclusive with `parent_resource_id`.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::AuthorizationResource]
+    def create_resource(
+      external_id:,
+      name:,
+      resource_type_slug:,
+      organization_id:,
+      description: nil,
+      parent_resource_id: nil,
+      parent_resource_external_id: nil,
+      parent_resource_type_slug: nil,
+      parent_resource: nil,
+      request_options: {}
+    )
+      body = {
+        "external_id" => external_id,
+        "name" => name,
+        "description" => description,
+        "resource_type_slug" => resource_type_slug,
+        "organization_id" => organization_id,
+        "parent_resource_id" => parent_resource_id,
+        "parent_resource_external_id" => parent_resource_external_id,
+        "parent_resource_type_slug" => parent_resource_type_slug
+      }.compact
+      if parent_resource
+        case parent_resource[:type]
+        when "by_id"
+          body["parent_resource_id"] = parent_resource[:parent_resource_id]
+        when "by_external_id"
+          body["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
+          body["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
+        end
+      end
+      response = @client.request(
+        method: :post,
+        path: "/authorization/resources",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::AuthorizationResource.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Get a resource
+    # @param resource_id [String] The ID of the authorization resource.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::AuthorizationResource]
+    def get_resource(
+      resource_id:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/authorization/resources/#{WorkOS::Util.encode_path(resource_id)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::AuthorizationResource.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Update a resource
+    # @param resource_id [String] The ID of the authorization resource.
+    # @param name [String, nil] A display name for the resource.
+    # @param description [String, nil] An optional description of the resource.
+    # @param parent_resource_id [String, nil] The ID of the parent resource. Mutually exclusive with `parent_resource_external_id` and `parent_resource_type_slug`.
+    # @param parent_resource_external_id [String, nil] The external ID of the parent resource. Required with `parent_resource_type_slug`. Mutually exclusive with `parent_resource_id`.
+    # @param parent_resource_type_slug [String, nil] The resource type slug of the parent resource. Required with `parent_resource_external_id`. Mutually exclusive with `parent_resource_id`.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::AuthorizationResource]
+    def update_resource(
+      resource_id:,
+      name: nil,
+      description: nil,
+      parent_resource_id: nil,
+      parent_resource_external_id: nil,
+      parent_resource_type_slug: nil,
+      parent_resource: nil,
+      request_options: {}
+    )
+      body = {
+        "name" => name,
+        "description" => description,
+        "parent_resource_id" => parent_resource_id,
+        "parent_resource_external_id" => parent_resource_external_id,
+        "parent_resource_type_slug" => parent_resource_type_slug
+      }.compact
+      if parent_resource
+        case parent_resource[:type]
+        when "by_id"
+          body["parent_resource_id"] = parent_resource[:parent_resource_id]
+        when "by_external_id"
+          body["parent_resource_external_id"] = parent_resource[:parent_resource_external_id]
+          body["parent_resource_type_slug"] = parent_resource[:parent_resource_type_slug]
+        end
+      end
+      response = @client.request(
+        method: :patch,
+        path: "/authorization/resources/#{WorkOS::Util.encode_path(resource_id)}",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::AuthorizationResource.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Delete an authorization resource
+    # @param resource_id [String] The ID of the authorization resource.
+    # @param cascade_delete [Boolean, nil] If true, deletes all descendant resources and role assignments. If not set and the resource has children or assignments, the request will fail.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [void]
+    def delete_resource(
+      resource_id:,
+      cascade_delete: nil,
+      request_options: {}
+    )
+      params = {
+        "cascade_delete" => cascade_delete
+      }.compact
+      @client.request(
+        method: :delete,
+        path: "/authorization/resources/#{WorkOS::Util.encode_path(resource_id)}",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      nil
+    end
+
+    # List organization memberships for resource
+    # @param resource_id [String] The ID of the authorization resource.
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::AuthorizationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param permission_slug [String] The permission slug to filter by. Only users with this permission on the resource are returned.
+    # @param assignment [WorkOS::Types::AuthorizationAssignment, nil] Filter by assignment type. Use `direct` for direct assignments only, or `indirect` to include inherited assignments.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::UserOrganizationMembershipBaseListData>]
+    def list_memberships_for_resource(
+      resource_id:,
+      permission_slug:,
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      assignment: nil,
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order,
+        "permission_slug" => permission_slug,
+        "assignment" => assignment
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/authorization/resources/#{WorkOS::Util.encode_path(resource_id)}/organization_memberships",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_memberships_for_resource(
+          resource_id: resource_id,
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          permission_slug: permission_slug,
+          assignment: assignment,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::UserOrganizationMembershipBaseListData,
+        filters: {resource_id: resource_id, before: before, limit: limit, order: order, permission_slug: permission_slug, assignment: assignment},
+        fetch_next: fetch_next
+      )
+    end
+
+    # List environment roles
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::RoleList]
+    def list_environment_roles(request_options: {})
+      response = @client.request(
+        method: :get,
+        path: "/authorization/roles",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::RoleList.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Create an environment role
+    # @param slug [String] A unique slug for the role.
+    # @param name [String] A descriptive name for the role.
+    # @param description [String, nil] An optional description of the role.
+    # @param resource_type_slug [String, nil] The slug of the resource type the role is scoped to.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def create_environment_role(
+      slug:,
+      name:,
+      description: nil,
+      resource_type_slug: nil,
+      request_options: {}
+    )
+      body = {
+        "slug" => slug,
+        "name" => name,
+        "description" => description,
+        "resource_type_slug" => resource_type_slug
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/authorization/roles",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Get an environment role
+    # @param slug [String] The slug of the environment role.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def get_environment_role(
+      slug:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Update an environment role
+    # @param slug [String] The slug of the environment role.
+    # @param name [String, nil] A descriptive name for the role.
+    # @param description [String, nil] An optional description of the role.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def update_environment_role(
+      slug:,
+      name: nil,
+      description: nil,
+      request_options: {}
+    )
+      body = {
+        "name" => name,
+        "description" => description
+      }.compact
+      response = @client.request(
+        method: :patch,
+        path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Add a permission to an environment role
+    # @param slug [String] The slug of the environment role.
+    # @param body_slug [String] The slug of the permission to add to the role.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def add_environment_role_permission(
+      slug:,
+      body_slug:,
+      request_options: {}
+    )
+      body = {
+        "slug" => body_slug
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Set permissions for an environment role
+    # @param slug [String] The slug of the environment role.
+    # @param permissions [Array<String>] The permission slugs to assign to the role.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Role]
+    def set_environment_role_permissions(
+      slug:,
+      permissions:,
+      request_options: {}
+    )
+      body = {
+        "permissions" => permissions
+      }.compact
+      response = @client.request(
+        method: :put,
+        path: "/authorization/roles/#{WorkOS::Util.encode_path(slug)}/permissions",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::Role.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # List permissions
+    # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
+    # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
+    # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
+    # @param order [WorkOS::Types::PermissionsOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Types::ListStruct<WorkOS::AuthorizationPermission>]
+    def list_permissions(
+      before: nil,
+      after: nil,
+      limit: nil,
+      order: "desc",
+      request_options: {}
+    )
+      params = {
+        "before" => before,
+        "after" => after,
+        "limit" => limit,
+        "order" => order
+      }.compact
+      response = @client.request(
+        method: :get,
+        path: "/authorization/permissions",
+        auth: true,
+        params: params,
+        request_options: request_options
+      )
+      fetch_next = ->(cursor) {
+        list_permissions(
+          before: before,
+          after: cursor,
+          limit: limit,
+          order: order,
+          request_options: request_options
+        )
+      }
+      WorkOS::Types::ListStruct.from_response(
+        response,
+        model: WorkOS::AuthorizationPermission,
+        filters: {before: before, limit: limit, order: order},
+        fetch_next: fetch_next
+      )
+    end
+
+    # Create a permission
+    # @param slug [String] A unique key to reference the permission. Must be lowercase and contain only letters, numbers, hyphens, underscores, colons, periods, and asterisks.
+    # @param name [String] A descriptive name for the Permission.
+    # @param description [String, nil] An optional description of the Permission.
+    # @param resource_type_slug [String, nil] The slug of the resource type this permission is scoped to.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::Permission]
+    def create_permission(
+      slug:,
+      name:,
+      description: nil,
+      resource_type_slug: nil,
+      request_options: {}
+    )
+      body = {
+        "slug" => slug,
+        "name" => name,
+        "description" => description,
+        "resource_type_slug" => resource_type_slug
+      }.compact
+      response = @client.request(
+        method: :post,
+        path: "/authorization/permissions",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::Permission.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Get a permission
+    # @param slug [String] A unique key to reference the permission. Must be lowercase and contain only letters, numbers, hyphens, underscores, colons, periods, and asterisks.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::AuthorizationPermission]
+    def get_permission(
+      slug:,
+      request_options: {}
+    )
+      response = @client.request(
+        method: :get,
+        path: "/authorization/permissions/#{WorkOS::Util.encode_path(slug)}",
+        auth: true,
+        request_options: request_options
+      )
+      result = WorkOS::AuthorizationPermission.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Update a permission
+    # @param slug [String] A unique key to reference the permission. Must be lowercase and contain only letters, numbers, hyphens, underscores, colons, periods, and asterisks.
+    # @param name [String, nil] A descriptive name for the Permission.
+    # @param description [String, nil] An optional description of the Permission.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [WorkOS::AuthorizationPermission]
+    def update_permission(
+      slug:,
+      name: nil,
+      description: nil,
+      request_options: {}
+    )
+      body = {
+        "name" => name,
+        "description" => description
+      }.compact
+      response = @client.request(
+        method: :patch,
+        path: "/authorization/permissions/#{WorkOS::Util.encode_path(slug)}",
+        auth: true,
+        body: body,
+        request_options: request_options
+      )
+      result = WorkOS::AuthorizationPermission.new(response.body)
+      result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
+      result
+    end
+
+    # Delete a permission
+    # @param slug [String] A unique key to reference the permission. Must be lowercase and contain only letters, numbers, hyphens, underscores, colons, periods, and asterisks.
+    # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
+    # @return [void]
+    def delete_permission(
+      slug:,
+      request_options: {}
+    )
+      @client.request(
+        method: :delete,
+        path: "/authorization/permissions/#{WorkOS::Util.encode_path(slug)}",
+        auth: true,
+        request_options: request_options
+      )
+      nil
+    end
+  end
+end