@workos/mcp-docs-server 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries.
- package/.docs/organized/changelogs/workos-platform.json +125 -125
- package/.docs/organized/docs/admin-portal/custom-branding.mdx +2 -4
- package/.docs/organized/docs/admin-portal/example-apps.mdx +11 -11
- package/.docs/organized/docs/admin-portal/index.mdx +39 -33
- package/.docs/organized/docs/audit-logs/admin-portal.mdx +1 -1
- package/.docs/organized/docs/audit-logs/editing-events.mdx +1 -1
- package/.docs/organized/docs/audit-logs/exporting-events.mdx +1 -1
- package/.docs/organized/docs/audit-logs/index.mdx +17 -2
- package/.docs/organized/docs/audit-logs/log-streams.mdx +325 -1
- package/.docs/organized/docs/audit-logs/metadata-schema.mdx +1 -1
- package/.docs/organized/docs/authkit/_navigation.mdx +108 -0
- package/.docs/organized/docs/{user-management → authkit}/actions.mdx +3 -4
- package/.docs/organized/docs/authkit/add-ons/google-analytics.mdx +79 -0
- package/.docs/organized/docs/authkit/add-ons/segment.mdx +77 -0
- package/.docs/organized/docs/authkit/add-ons/stripe.mdx +103 -0
- package/.docs/organized/docs/authkit/api-keys.mdx +99 -0
- package/.docs/organized/docs/{user-management → authkit}/branding.mdx +220 -2
- package/.docs/organized/docs/authkit/cli-auth.mdx +76 -0
- package/.docs/organized/docs/authkit/cli-installer.mdx +157 -0
- package/.docs/organized/docs/authkit/connect/m2m.mdx +65 -0
- package/.docs/organized/docs/authkit/connect/oauth.mdx +88 -0
- package/.docs/organized/docs/authkit/connect/standalone.mdx +179 -0
- package/.docs/organized/docs/authkit/connect.mdx +65 -0
- package/.docs/organized/docs/authkit/custom-email-providers.mdx +141 -0
- package/.docs/organized/docs/{user-management → authkit}/custom-emails.mdx +15 -15
- package/.docs/organized/docs/authkit/directory-provisioning.mdx +89 -0
- package/.docs/organized/docs/{user-management → authkit}/domain-verification.mdx +5 -6
- package/.docs/organized/docs/{user-management → authkit}/email-password.mdx +2 -2
- package/.docs/organized/docs/authkit/email-verification.mdx +31 -0
- package/.docs/organized/docs/{user-management → authkit}/example-apps.mdx +3 -3
- package/.docs/organized/docs/authkit/hosted-ui.mdx +165 -0
- package/.docs/organized/docs/{user-management → authkit}/identity-linking.mdx +9 -9
- package/.docs/organized/docs/{user-management → authkit}/impersonation.mdx +8 -8
- package/.docs/organized/docs/{user-management → authkit}/index.mdx +141 -74
- package/.docs/organized/docs/{user-management → authkit}/invitations.mdx +4 -4
- package/.docs/organized/docs/{user-management → authkit}/invite-only-signup.mdx +3 -3
- package/.docs/organized/docs/authkit/jit-provisioning.mdx +42 -0
- package/.docs/organized/docs/{user-management → authkit}/jwt-templates.mdx +37 -3
- package/.docs/organized/docs/authkit/landing.mdx +22 -0
- package/.docs/organized/docs/{user-management → authkit}/magic-auth.mdx +3 -5
- package/.docs/organized/docs/{user-management → authkit}/mcp.mdx +46 -9
- package/.docs/organized/docs/{user-management → authkit}/metadata.mdx +9 -9
- package/.docs/organized/docs/{user-management → authkit}/mfa.mdx +2 -2
- package/.docs/organized/docs/{user-management → authkit}/migrations.mdx +4 -4
- package/.docs/organized/docs/{user-management → authkit}/modeling-your-app.mdx +11 -11
- package/.docs/organized/docs/{user-management → authkit}/organization-policies.mdx +3 -4
- package/.docs/organized/docs/authkit/overview.mdx +46 -0
- package/.docs/organized/docs/{user-management → authkit}/passkeys.mdx +3 -3
- package/.docs/organized/docs/authkit/pipes.mdx +75 -0
- package/.docs/organized/docs/{user-management → authkit}/radar.mdx +39 -4
- package/.docs/organized/docs/authkit/roles-and-permissions.mdx +208 -0
- package/.docs/organized/docs/{user-management → authkit}/sessions.mdx +32 -20
- package/.docs/organized/docs/{user-management → authkit}/social-login.mdx +16 -2
- package/.docs/organized/docs/{user-management → authkit}/sso-with-contractors.mdx +3 -4
- package/.docs/organized/docs/{user-management → authkit}/sso.mdx +2 -2
- package/.docs/organized/docs/authkit/users-organizations.mdx +107 -0
- package/.docs/organized/docs/custom-domains/admin-portal.mdx +0 -2
- package/.docs/organized/docs/custom-domains/authkit.mdx +0 -2
- package/.docs/organized/docs/custom-domains/email.mdx +2 -2
- package/.docs/organized/docs/deprecations/_navigation.mdx +8 -0
- package/.docs/organized/docs/deprecations/raw-attributes.mdx +136 -0
- package/.docs/organized/docs/directory-sync/attributes.mdx +50 -31
- package/.docs/organized/docs/directory-sync/example-apps.mdx +11 -11
- package/.docs/organized/docs/directory-sync/identity-provider-role-assignment.mdx +23 -26
- package/.docs/organized/docs/directory-sync/index.mdx +4 -2
- package/.docs/organized/docs/directory-sync/quick-start.mdx +3 -3
- package/.docs/organized/docs/directory-sync/understanding-events.mdx +2 -2
- package/.docs/organized/docs/domain-verification/api.mdx +8 -8
- package/.docs/organized/docs/domain-verification/index.mdx +3 -3
- package/.docs/organized/docs/email.mdx +49 -5
- package/.docs/organized/docs/events/data-syncing/events-api.mdx +3 -3
- package/.docs/organized/docs/events/data-syncing/index.mdx +2 -3
- package/.docs/organized/docs/events/data-syncing/webhooks.mdx +4 -4
- package/.docs/organized/docs/events/index.mdx +419 -33
- package/.docs/organized/docs/feature-flags/_navigation.mdx +10 -0
- package/.docs/organized/docs/feature-flags/index.mdx +80 -0
- package/.docs/organized/docs/feature-flags/slack-notifications.mdx +58 -0
- package/.docs/organized/docs/fga/_navigation.mdx +34 -54
- package/.docs/organized/docs/fga/access-checks.mdx +109 -0
- package/.docs/organized/docs/fga/assignments.mdx +124 -0
- package/.docs/organized/docs/fga/authkit-integration.mdx +92 -0
- package/.docs/organized/docs/fga/high-cardinality-entities.mdx +172 -0
- package/.docs/organized/docs/fga/idp-role-assignment.mdx +66 -0
- package/.docs/organized/docs/fga/index.mdx +94 -29
- package/.docs/organized/docs/fga/migration-openfga.mdx +306 -0
- package/.docs/organized/docs/fga/migration-oso.mdx +372 -0
- package/.docs/organized/docs/fga/migration-spicedb.mdx +364 -0
- package/.docs/organized/docs/fga/quick-start.mdx +283 -98
- package/.docs/organized/docs/fga/resource-discovery.mdx +78 -0
- package/.docs/organized/docs/fga/resource-types.mdx +165 -0
- package/.docs/organized/docs/fga/resources.mdx +179 -59
- package/.docs/organized/docs/fga/roles-and-permissions.mdx +122 -0
- package/.docs/organized/docs/fga/standalone-integration.mdx +176 -0
- package/.docs/organized/docs/glossary.mdx +7 -3
- package/.docs/organized/docs/integrations/access-people-hr.mdx +1 -1
- package/.docs/organized/docs/integrations/adp-oidc.mdx +1 -1
- package/.docs/organized/docs/integrations/apple.mdx +112 -69
- package/.docs/organized/docs/integrations/auth0-directory-sync.mdx +3 -1
- package/.docs/organized/docs/integrations/auth0-enterprise-connection.mdx +3 -1
- package/.docs/organized/docs/integrations/auth0-saml.mdx +3 -1
- package/.docs/organized/docs/integrations/bamboohr.mdx +4 -4
- package/.docs/organized/docs/integrations/breathe-hr.mdx +1 -1
- package/.docs/organized/docs/integrations/bubble.mdx +1 -1
- package/.docs/organized/docs/integrations/cas-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/classlink-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/clever-oidc.mdx +94 -0
- package/.docs/organized/docs/integrations/cloudflare-saml.mdx +35 -2
- package/.docs/organized/docs/integrations/cyberark-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/cyberark-scim.mdx +1 -1
- package/.docs/organized/docs/integrations/duo-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/entra-id-oidc.mdx +198 -0
- package/.docs/organized/docs/integrations/entra-id-saml.mdx +3 -3
- package/.docs/organized/docs/integrations/entra-id-scim.mdx +5 -1
- package/.docs/organized/docs/integrations/fourth.mdx +2 -2
- package/.docs/organized/docs/integrations/github-oauth.mdx +80 -33
- package/.docs/organized/docs/integrations/gitlab-oauth.mdx +86 -31
- package/.docs/organized/docs/integrations/google-directory-sync.mdx +5 -1
- package/.docs/organized/docs/integrations/google-oauth.mdx +87 -70
- package/.docs/organized/docs/integrations/google-oidc.mdx +142 -0
- package/.docs/organized/docs/integrations/google-saml.mdx +3 -3
- package/.docs/organized/docs/integrations/hibob.mdx +17 -4
- package/.docs/organized/docs/integrations/intuit-oauth.mdx +128 -0
- package/.docs/organized/docs/integrations/jumpcloud-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/jumpcloud-scim.mdx +5 -1
- package/.docs/organized/docs/integrations/keycloak-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/lastpass-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/linkedin-oauth.mdx +69 -30
- package/.docs/organized/docs/integrations/microsoft-ad-fs-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/microsoft-oauth.mdx +95 -38
- package/.docs/organized/docs/integrations/miniorange-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/net-iq-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/next-auth.mdx +1 -1
- package/.docs/organized/docs/integrations/oidc.mdx +37 -24
- package/.docs/organized/docs/integrations/okta-oidc.mdx +149 -0
- package/.docs/organized/docs/integrations/okta-saml.mdx +3 -3
- package/.docs/organized/docs/integrations/okta-scim.mdx +6 -2
- package/.docs/organized/docs/integrations/onelogin-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/onelogin-scim.mdx +1 -1
- package/.docs/organized/docs/integrations/oracle-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/pingfederate-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/pingfederate-scim.mdx +1 -1
- package/.docs/organized/docs/integrations/pingone-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/rippling-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/rippling-scim.mdx +1 -1
- package/.docs/organized/docs/integrations/sailpoint-scim.mdx +77 -0
- package/.docs/organized/docs/integrations/salesforce-oauth.mdx +116 -0
- package/.docs/organized/docs/integrations/salesforce-saml.mdx +4 -4
- package/.docs/organized/docs/integrations/saml.mdx +43 -23
- package/.docs/organized/docs/integrations/scim.mdx +36 -24
- package/.docs/organized/docs/integrations/sftp.mdx +59 -36
- package/.docs/organized/docs/integrations/shibboleth-generic-saml.mdx +1 -1
- package/.docs/organized/docs/integrations/shibboleth-unsolicited-saml.mdx +1 -1
- package/.docs/organized/docs/integrations/simple-saml-php.mdx +2 -2
- package/.docs/organized/docs/integrations/slack-oauth.mdx +53 -49
- package/.docs/organized/docs/integrations/supabase-authkit.mdx +46 -0
- package/.docs/organized/docs/integrations/{supabase.mdx → supabase-sso.mdx} +6 -4
- package/.docs/organized/docs/integrations/vercel-oauth.mdx +120 -0
- package/.docs/organized/docs/integrations/vmware-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/workday.mdx +1 -1
- package/.docs/organized/docs/integrations/xero-oauth.mdx +77 -32
- package/.docs/organized/docs/magic-link/example-apps.mdx +11 -11
- package/.docs/organized/docs/magic-link/index.mdx +2 -0
- package/.docs/organized/docs/mfa/example-apps.mdx +2 -2
- package/.docs/organized/docs/mfa/index.mdx +2 -2
- package/.docs/organized/docs/mfa/ux/enrollment.mdx +1 -1
- package/.docs/organized/docs/mfa/ux/sign-in.mdx +1 -1
- package/.docs/organized/docs/migrate/_navigation.mdx +21 -1
- package/.docs/organized/docs/migrate/auth0.mdx +5 -5
- package/.docs/organized/docs/migrate/aws-cognito.mdx +5 -5
- package/.docs/organized/docs/migrate/better-auth.mdx +282 -0
- package/.docs/organized/docs/migrate/clerk.mdx +9 -11
- package/.docs/organized/docs/migrate/descope.mdx +290 -0
- package/.docs/organized/docs/migrate/firebase.mdx +4 -4
- package/.docs/organized/docs/migrate/other-services.mdx +25 -6
- package/.docs/organized/docs/migrate/standalone-sso.mdx +14 -14
- package/.docs/organized/docs/migrate/stytch.mdx +363 -0
- package/.docs/organized/docs/migrate/supabase.mdx +255 -0
- package/.docs/organized/docs/on-prem-deployment.mdx +1 -1
- package/.docs/organized/docs/pipes/_navigation.mdx +12 -0
- package/.docs/organized/docs/pipes/index.mdx +75 -0
- package/.docs/organized/docs/pipes/providers.mdx +9 -0
- package/.docs/organized/docs/rbac/_navigation.mdx +16 -0
- package/.docs/organized/docs/rbac/configuration.mdx +80 -0
- package/.docs/organized/docs/rbac/idp-role-assignment.mdx +79 -0
- package/.docs/organized/docs/rbac/index.mdx +24 -0
- package/.docs/organized/docs/rbac/integration.mdx +59 -0
- package/.docs/organized/docs/rbac/organization-roles.mdx +38 -0
- package/.docs/organized/docs/rbac/quick-start.mdx +52 -0
- package/.docs/organized/docs/reference/_navigation.mdx +437 -284
- package/.docs/organized/docs/reference/admin-portal/portal-link/index.mdx +1 -1
- package/.docs/organized/docs/reference/admin-portal/provider-icons/index.mdx +3 -3
- package/.docs/organized/docs/reference/{api-keys.mdx → api-authentication/index.mdx} +3 -3
- package/.docs/organized/docs/reference/audit-logs/configuration/index.mdx +97 -0
- package/.docs/organized/docs/reference/audit-logs/{create-event.mdx → event/create.mdx} +12 -2
- package/.docs/organized/docs/reference/audit-logs/event/index.mdx +92 -0
- package/.docs/organized/docs/reference/audit-logs/{create-export.mdx → export/create.mdx} +1 -1
- package/.docs/organized/docs/reference/audit-logs/{get-export.mdx → export/get.mdx} +1 -1
- package/.docs/organized/docs/reference/audit-logs/{audit-log-export.mdx → export/index.mdx} +11 -12
- package/.docs/organized/docs/reference/audit-logs/{get-retention.mdx → retention/get.mdx} +1 -1
- package/.docs/organized/docs/reference/audit-logs/retention/index.mdx +25 -0
- package/.docs/organized/docs/reference/audit-logs/{set-retention.mdx → retention/set.mdx} +1 -1
- package/.docs/organized/docs/reference/audit-logs/{create-schema.mdx → schema/create.mdx} +1 -1
- package/.docs/organized/docs/reference/audit-logs/{audit-log-schema.mdx → schema/index.mdx} +5 -6
- package/.docs/organized/docs/reference/audit-logs/{list-actions.mdx → schema/list-actions.mdx} +2 -1
- package/.docs/organized/docs/reference/audit-logs/{list-schemas.mdx → schema/list.mdx} +1 -1
- package/.docs/organized/docs/reference/authkit/api-keys/create-for-organization.mdx +40 -0
- package/.docs/organized/docs/reference/authkit/api-keys/delete.mdx +23 -0
- package/.docs/organized/docs/reference/authkit/api-keys/index.mdx +275 -0
- package/.docs/organized/docs/reference/authkit/api-keys/list-for-organization.mdx +41 -0
- package/.docs/organized/docs/reference/authkit/api-keys/validate.mdx +77 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/code.mdx +138 -18
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/email-verification.mdx +10 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/get-authorization-url/error-codes.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/get-authorization-url/index.mdx +64 -17
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/get-authorization-url/pkce.mdx +2 -2
- package/.docs/organized/docs/reference/authkit/authentication/get-authorization-url/redirect-uri.mdx +47 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/index.mdx +19 -11
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/magic-auth.mdx +9 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/organization-selection.mdx +9 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/password.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/refresh-and-seal-session-data.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/refresh-token.mdx +17 -17
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/session-cookie.mdx +7 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/totp.mdx +10 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/email-verification-required-error.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/index.mdx +1 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/mfa-challenge-error.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/mfa-enrollment-error.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/organization-authentication-required-error.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/organization-selection-error.mdx +3 -4
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/sso-required-error.mdx +3 -3
- package/.docs/organized/docs/reference/authkit/cli-auth/device-authorization.mdx +61 -0
- package/.docs/organized/docs/reference/authkit/cli-auth/device-code.mdx +57 -0
- package/.docs/organized/docs/reference/authkit/cli-auth/error-codes.mdx +31 -0
- package/.docs/organized/docs/reference/authkit/cli-auth/index.mdx +22 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/email-verification/get.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/email-verification/index.mdx +9 -11
- package/.docs/organized/docs/reference/{user-management → authkit}/identity/index.mdx +6 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/identity/list.mdx +5 -6
- package/.docs/organized/docs/reference/authkit/index.mdx +13 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/accept.mdx +5 -5
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/find-by-token.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/get.mdx +8 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/index.mdx +10 -15
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/list.mdx +10 -11
- package/.docs/organized/docs/reference/authkit/invitation/resend.mdx +109 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/revoke.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/send.mdx +23 -13
- package/.docs/organized/docs/reference/{user-management → authkit}/logout/get-logout-url-from-session-cookie.mdx +2 -2
- package/.docs/organized/docs/reference/{user-management → authkit}/logout/get-logout-url.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/logout/index.mdx +4 -5
- package/.docs/organized/docs/reference/{user-management → authkit}/magic-auth/create.mdx +10 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/magic-auth/get.mdx +9 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/magic-auth/index.mdx +10 -15
- package/.docs/organized/docs/reference/{user-management → authkit}/mfa/authentication-challenge.mdx +9 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/mfa/authentication-factor.mdx +11 -11
- package/.docs/organized/docs/reference/{user-management → authkit}/mfa/enroll-auth-factor.mdx +19 -15
- package/.docs/organized/docs/reference/authkit/mfa/index.mdx +11 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/mfa/list-auth-factors.mdx +9 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/create.mdx +27 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/deactivate.mdx +10 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/delete.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/get.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/index.mdx +107 -14
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/list.mdx +10 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/reactivate.mdx +11 -11
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/update.mdx +25 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/create.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/get.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/index.mdx +10 -12
- package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/reset-password.mdx +8 -8
- package/.docs/organized/docs/reference/authkit/session/index.mdx +128 -0
- package/.docs/organized/docs/reference/authkit/session/list.mdx +110 -0
- package/.docs/organized/docs/reference/authkit/session/revoke.mdx +73 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/authenticate.mdx +22 -6
- package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/get-logout-url.mdx +5 -5
- package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/index.mdx +2 -2
- package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/load-sealed-session.mdx +4 -4
- package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/refresh.mdx +18 -6
- package/.docs/organized/docs/reference/{user-management → authkit}/session-tokens/access-token.mdx +16 -8
- package/.docs/organized/docs/reference/authkit/session-tokens/index.mdx +5 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/session-tokens/jwks.mdx +8 -8
- package/.docs/organized/docs/reference/authkit/session-tokens/refresh-token.mdx +8 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/user/create.mdx +36 -17
- package/.docs/organized/docs/reference/{user-management → authkit}/user/delete.mdx +8 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/user/get-by-external-id.mdx +16 -4
- package/.docs/organized/docs/reference/{user-management → authkit}/user/get.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/user/index.mdx +25 -15
- package/.docs/organized/docs/reference/{user-management → authkit}/user/list.mdx +9 -12
- package/.docs/organized/docs/reference/{user-management → authkit}/user/update.mdx +43 -20
- package/.docs/organized/docs/reference/{client-libraries.mdx → client-libraries/index.mdx} +2 -2
- package/.docs/organized/docs/reference/directory-sync/directory/index.mdx +1 -1
- package/.docs/organized/docs/reference/directory-sync/directory-group/index.mdx +1 -24
- package/.docs/organized/docs/reference/directory-sync/directory-user/index.mdx +1 -29
- package/.docs/organized/docs/reference/directory-sync/directory-user/list.mdx +1 -1
- package/.docs/organized/docs/reference/directory-sync/index.mdx +1 -1
- package/.docs/organized/docs/reference/domain-verification/create.mdx +35 -0
- package/.docs/organized/docs/reference/domain-verification/delete.mdx +55 -0
- package/.docs/organized/docs/reference/domain-verification/get.mdx +29 -0
- package/.docs/organized/docs/reference/domain-verification/index.mdx +57 -1
- package/.docs/organized/docs/reference/domain-verification/verify.mdx +29 -0
- package/.docs/organized/docs/reference/{errors.mdx → errors/index.mdx} +1 -1
- package/.docs/organized/docs/reference/events/list.mdx +5 -4
- package/.docs/organized/docs/reference/feature-flags/flag/disable.mdx +33 -0
- package/.docs/organized/docs/reference/feature-flags/flag/enable.mdx +33 -0
- package/.docs/organized/docs/reference/feature-flags/flag/get.mdx +32 -0
- package/.docs/organized/docs/reference/feature-flags/flag/index.mdx +116 -0
- package/.docs/organized/docs/reference/feature-flags/flag/list.mdx +67 -0
- package/.docs/organized/docs/reference/feature-flags/index.mdx +123 -0
- package/.docs/organized/docs/reference/feature-flags/targeting/add.mdx +43 -0
- package/.docs/organized/docs/reference/feature-flags/targeting/index.mdx +23 -0
- package/.docs/organized/docs/reference/feature-flags/targeting/list-for-organization.mdx +132 -0
- package/.docs/organized/docs/reference/feature-flags/targeting/list-for-user.mdx +94 -0
- package/.docs/organized/docs/reference/feature-flags/targeting/remove.mdx +43 -0
- package/.docs/organized/docs/reference/fga/access-check/check.mdx +102 -0
- package/.docs/organized/docs/reference/fga/access-check/index.mdx +6 -0
- package/.docs/organized/docs/reference/fga/access-check/list-memberships-by-external-id.mdx +143 -0
- package/.docs/organized/docs/reference/fga/access-check/list-memberships.mdx +127 -0
- package/.docs/organized/docs/reference/fga/access-check/list-resources.mdx +152 -0
- package/.docs/organized/docs/reference/fga/index.mdx +14 -2
- package/.docs/organized/docs/reference/fga/resource/create.mdx +74 -88
- package/.docs/organized/docs/reference/fga/resource/delete-by-external-id.mdx +78 -0
- package/.docs/organized/docs/reference/fga/resource/delete.mdx +38 -62
- package/.docs/organized/docs/reference/fga/resource/get-by-external-id.mdx +60 -0
- package/.docs/organized/docs/reference/fga/resource/get.mdx +15 -63
- package/.docs/organized/docs/reference/fga/resource/index.mdx +74 -73
- package/.docs/organized/docs/reference/fga/resource/list.mdx +90 -131
- package/.docs/organized/docs/reference/fga/resource/update-by-external-id.mdx +81 -0
- package/.docs/organized/docs/reference/fga/resource/update.mdx +29 -85
- package/.docs/organized/docs/reference/fga/role-assignment/create.mdx +89 -0
- package/.docs/organized/docs/reference/fga/role-assignment/delete-by-id.mdx +59 -0
- package/.docs/organized/docs/reference/fga/role-assignment/delete.mdx +90 -0
- package/.docs/organized/docs/reference/fga/role-assignment/index.mdx +106 -0
- package/.docs/organized/docs/reference/fga/role-assignment/list.mdx +86 -0
- package/.docs/organized/docs/reference/index.mdx +21 -12
- package/.docs/organized/docs/reference/magic-link/passwordless-session/index.mdx +1 -1
- package/.docs/organized/docs/reference/mfa/{challenge-factor.mdx → challenge/create.mdx} +1 -1
- package/.docs/organized/docs/reference/mfa/{authentication-challenge.mdx → challenge/index.mdx} +11 -14
- package/.docs/organized/docs/reference/mfa/{verify-challenge.mdx → challenge/verify.mdx} +10 -12
- package/.docs/organized/docs/reference/mfa/{delete-factor.mdx → factor/delete.mdx} +1 -1
- package/.docs/organized/docs/reference/mfa/{enroll-factor.mdx → factor/enroll.mdx} +1 -1
- package/.docs/organized/docs/reference/mfa/{get-factor.mdx → factor/get.mdx} +1 -1
- package/.docs/organized/docs/reference/mfa/{authentication-factor.mdx → factor/index.mdx} +11 -12
- package/.docs/organized/docs/reference/organization/create.mdx +1 -6
- package/.docs/organized/docs/reference/organization/get-by-external-id.mdx +1 -1
- package/.docs/organized/docs/reference/organization/index.mdx +5 -5
- package/.docs/organized/docs/reference/organization/update.mdx +1 -1
- package/.docs/organized/docs/reference/{pagination.mdx → pagination/index.mdx} +1 -3
- package/.docs/organized/docs/reference/pipes/access-token/get.mdx +174 -0
- package/.docs/organized/docs/reference/pipes/access-token/index.mdx +44 -0
- package/.docs/organized/docs/reference/pipes/connected-account/delete.mdx +42 -0
- package/.docs/organized/docs/reference/pipes/connected-account/get-authorize-url.mdx +49 -0
- package/.docs/organized/docs/reference/pipes/connected-account/get.mdx +42 -0
- package/.docs/organized/docs/reference/pipes/connected-account/index.mdx +69 -0
- package/.docs/organized/docs/reference/pipes/index.mdx +8 -0
- package/.docs/organized/docs/reference/pipes/provider/index.mdx +70 -0
- package/.docs/organized/docs/reference/pipes/provider/list.mdx +47 -0
- package/.docs/organized/docs/reference/radar/attempts/index.mdx +1 -1
- package/.docs/organized/docs/reference/radar/lists/index.mdx +1 -1
- package/.docs/organized/docs/reference/rate-limits/index.mdx +56 -0
- package/.docs/organized/docs/reference/roles/index.mdx +12 -262
- package/.docs/organized/docs/reference/roles/organization-role/add-permission.mdx +75 -0
- package/.docs/organized/docs/reference/roles/organization-role/create.mdx +95 -0
- package/.docs/organized/docs/reference/roles/organization-role/delete.mdx +47 -0
- package/.docs/organized/docs/reference/roles/organization-role/get.mdx +55 -0
- package/.docs/organized/docs/reference/roles/organization-role/index.mdx +148 -0
- package/.docs/organized/docs/reference/roles/organization-role/list.mdx +68 -0
- package/.docs/organized/docs/reference/roles/organization-role/remove-permission.mdx +68 -0
- package/.docs/organized/docs/reference/roles/organization-role/set-permissions.mdx +79 -0
- package/.docs/organized/docs/reference/roles/organization-role/update.mdx +85 -0
- package/.docs/organized/docs/reference/roles/permission/create.mdx +101 -0
- package/.docs/organized/docs/reference/roles/permission/delete.mdx +38 -0
- package/.docs/organized/docs/reference/roles/permission/get.mdx +45 -0
- package/.docs/organized/docs/reference/roles/permission/index.mdx +128 -0
- package/.docs/organized/docs/reference/roles/permission/list.mdx +91 -0
- package/.docs/organized/docs/reference/roles/permission/update.mdx +80 -0
- package/.docs/organized/docs/reference/roles/role/add-permission.mdx +63 -0
- package/.docs/organized/docs/reference/roles/role/create.mdx +103 -0
- package/.docs/organized/docs/reference/roles/role/get.mdx +52 -0
- package/.docs/organized/docs/reference/roles/role/index.mdx +135 -0
- package/.docs/organized/docs/reference/roles/role/list.mdx +56 -0
- package/.docs/organized/docs/reference/roles/role/set-permissions.mdx +67 -0
- package/.docs/organized/docs/reference/roles/role/update.mdx +78 -0
- package/.docs/organized/docs/reference/sso/connection/index.mdx +2 -2
- package/.docs/organized/docs/reference/sso/get-authorization-url/error-codes.mdx +5 -3
- package/.docs/organized/docs/reference/sso/get-authorization-url/index.mdx +24 -2
- package/.docs/organized/docs/reference/sso/get-authorization-url/redirect-uri.mdx +25 -1
- package/.docs/organized/docs/reference/sso/index.mdx +1 -1
- package/.docs/organized/docs/reference/sso/logout/authorize.mdx +0 -1
- package/.docs/organized/docs/reference/sso/logout/index.mdx +1 -2
- package/.docs/organized/docs/reference/sso/logout/redirect.mdx +0 -1
- package/.docs/organized/docs/reference/sso/profile/get-profile-and-token.mdx +13 -1
- package/.docs/organized/docs/reference/sso/profile/index.mdx +25 -24
- package/.docs/organized/docs/reference/{testing.mdx → testing/index.mdx} +1 -1
- package/.docs/organized/docs/reference/vault/key/create-data-key.mdx +29 -0
- package/.docs/organized/docs/reference/vault/key/decrypt-data-key.mdx +20 -0
- package/.docs/organized/docs/reference/vault/key/decrypt-data.mdx +24 -0
- package/.docs/organized/docs/reference/vault/key/encrypt-data.mdx +20 -0
- package/.docs/organized/docs/reference/vault/object/create.mdx +17 -0
- package/.docs/organized/docs/reference/vault/object/delete.mdx +12 -0
- package/.docs/organized/docs/reference/vault/object/get-by-name.mdx +61 -0
- package/.docs/organized/docs/reference/vault/object/get.mdx +11 -0
- package/.docs/organized/docs/reference/vault/object/index.mdx +50 -4
- package/.docs/organized/docs/reference/vault/object/list.mdx +40 -1
- package/.docs/organized/docs/reference/vault/object/update.mdx +18 -0
- package/.docs/organized/docs/reference/vault/object/version.mdx +15 -2
- package/.docs/organized/docs/reference/vault/object/versions.mdx +13 -0
- package/.docs/organized/docs/reference/widgets/get-token.mdx +8 -5
- package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/create.mdx +55 -0
- package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/delete.mdx +28 -0
- package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/index.mdx +60 -0
- package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/list.mdx +52 -0
- package/.docs/organized/docs/reference/workos-connect/applications/create.mdx +79 -0
- package/.docs/organized/docs/reference/workos-connect/applications/delete.mdx +28 -0
- package/.docs/organized/docs/reference/workos-connect/applications/get.mdx +59 -0
- package/.docs/organized/docs/reference/workos-connect/applications/index.mdx +40 -0
- package/.docs/organized/docs/reference/workos-connect/applications/list.mdx +49 -0
- package/.docs/organized/docs/reference/workos-connect/applications/m2m.mdx +52 -0
- package/.docs/organized/docs/reference/workos-connect/applications/oauth.mdx +85 -0
- package/.docs/organized/docs/reference/workos-connect/applications/update.mdx +59 -0
- package/.docs/organized/docs/reference/workos-connect/authorize/index.mdx +29 -1
- package/.docs/organized/docs/reference/workos-connect/cli-auth/authorize-device/index.mdx +81 -0
- package/.docs/organized/docs/reference/workos-connect/cli-auth/device-code-grant.mdx +74 -0
- package/.docs/organized/docs/reference/workos-connect/cli-auth/index.mdx +23 -0
- package/.docs/organized/docs/reference/workos-connect/index.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/introspection/index.mdx +8 -3
- package/.docs/organized/docs/reference/workos-connect/metadata/index.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/metadata/oauth-authorization-server/index.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/standalone/complete.mdx +68 -0
- package/.docs/organized/docs/reference/workos-connect/standalone/index.mdx +9 -0
- package/.docs/organized/docs/reference/workos-connect/standalone/user-consent-options.mdx +41 -0
- package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/access-token.mdx +6 -0
- package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/id-token.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/token/{authorization-code-grant/index.mdx → authorization-code-grant.mdx} +23 -2
- package/.docs/organized/docs/reference/workos-connect/token/client-credentials-grant/access-token.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/token/{client-credentials-grant/index.mdx → client-credentials-grant.mdx} +2 -2
- package/.docs/organized/docs/reference/workos-connect/token/index.mdx +5 -4
- package/.docs/organized/docs/reference/workos-connect/token/refresh-token-grant.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/userinfo/index.mdx +2 -2
- package/.docs/organized/docs/sdks/authkit-js.mdx +14 -0
- package/.docs/organized/docs/sdks/authkit-nextjs.mdx +14 -0
- package/.docs/organized/docs/sdks/authkit-react-router.mdx +14 -0
- package/.docs/organized/docs/sdks/authkit-react.mdx +14 -0
- package/.docs/organized/docs/sdks/authkit-remix.mdx +14 -0
- package/.docs/organized/docs/sdks/authkit-tanstack-start.mdx +14 -0
- package/.docs/organized/docs/sso/_navigation.mdx +8 -2
- package/.docs/organized/docs/sso/attributes.mdx +15 -3
- package/.docs/organized/docs/sso/domains.mdx +8 -6
- package/.docs/organized/docs/sso/example-apps.mdx +2 -2
- package/.docs/organized/docs/sso/identity-provider-role-assignment.mdx +30 -30
- package/.docs/organized/docs/sso/index.mdx +7 -6
- package/.docs/organized/docs/sso/it-team-faq.mdx +1 -1
- package/.docs/organized/docs/sso/jit-provisioning.mdx +2 -3
- package/.docs/organized/docs/sso/launch-checklist.mdx +2 -2
- package/.docs/organized/docs/sso/login-flows.mdx +3 -3
- package/.docs/organized/docs/sso/redirect-uris.mdx +22 -11
- package/.docs/organized/docs/sso/saml-security.mdx +1 -1
- package/.docs/organized/docs/sso/sign-in-consent.mdx +59 -0
- package/.docs/organized/docs/sso/signing-certificates.mdx +7 -7
- package/.docs/organized/docs/sso/single-logout.mdx +0 -1
- package/.docs/organized/docs/sso/ux/sessions.mdx +99 -0
- package/.docs/organized/docs/sso/ux/sign-in.mdx +1 -1
- package/.docs/organized/docs/vault/_navigation.mdx +2 -0
- package/.docs/organized/docs/vault/byok.mdx +140 -0
- package/.docs/organized/docs/vault/index.mdx +1 -1
- package/.docs/organized/docs/widgets/_navigation.mdx +48 -0
- package/.docs/organized/docs/widgets/admin-portal-domain-verification.mdx +24 -0
- package/.docs/organized/docs/widgets/admin-portal-sso-connection.mdx +20 -0
- package/.docs/organized/docs/widgets/api-keys.mdx +28 -0
- package/.docs/organized/docs/widgets/audit-log-streaming.mdx +25 -0
- package/.docs/organized/docs/widgets/directory-sync.mdx +23 -0
- package/.docs/organized/docs/widgets/index.mdx +12 -0
- package/.docs/organized/docs/widgets/localization.mdx +111 -0
- package/.docs/organized/docs/widgets/organization-switcher.mdx +47 -0
- package/.docs/organized/docs/widgets/pipes.mdx +27 -0
- package/.docs/organized/docs/widgets/quick-start.mdx +38 -0
- package/.docs/organized/docs/widgets/styling/css-customization.mdx +100 -0
- package/.docs/organized/docs/widgets/styling/index.mdx +29 -0
- package/.docs/organized/docs/widgets/styling/theme-customization.mdx +51 -0
- package/.docs/organized/docs/widgets/tokens.mdx +17 -0
- package/.docs/organized/docs/widgets/user-management.mdx +28 -0
- package/.docs/organized/docs/widgets/user-profile.mdx +30 -0
- package/.docs/organized/docs/widgets/user-security.mdx +31 -0
- package/.docs/organized/docs/widgets/user-sessions.mdx +26 -0
- package/LICENSE +21 -0
- package/README.md +14 -1
- package/dist/prepare.js +1 -1
- package/dist/prepare.js.map +1 -1
- package/package.json +2 -1
- package/.docs/organized/docs/dashboard.mdx +0 -244
- package/.docs/organized/docs/demo/_navigation.mdx +0 -26
- package/.docs/organized/docs/demo/accordion.mdx +0 -34
- package/.docs/organized/docs/demo/checklist.mdx +0 -33
- package/.docs/organized/docs/demo/code-block.mdx +0 -185
- package/.docs/organized/docs/demo/definition-list.mdx +0 -35
- package/.docs/organized/docs/demo/index.mdx +0 -7
- package/.docs/organized/docs/demo/punctuation.mdx +0 -37
- package/.docs/organized/docs/demo/replacements.mdx +0 -26
- package/.docs/organized/docs/demo/table.mdx +0 -26
- package/.docs/organized/docs/demo/tabs.mdx +0 -17
- package/.docs/organized/docs/fga/identity-provider-sessions.mdx +0 -68
- package/.docs/organized/docs/fga/local-development.mdx +0 -155
- package/.docs/organized/docs/fga/modeling/abac.mdx +0 -107
- package/.docs/organized/docs/fga/modeling/blocklist.mdx +0 -84
- package/.docs/organized/docs/fga/modeling/conditional-roles.mdx +0 -99
- package/.docs/organized/docs/fga/modeling/custom-roles.mdx +0 -90
- package/.docs/organized/docs/fga/modeling/entitlements.mdx +0 -127
- package/.docs/organized/docs/fga/modeling/managed-service-provider.mdx +0 -131
- package/.docs/organized/docs/fga/modeling/org-roles-and-permissions.mdx +0 -95
- package/.docs/organized/docs/fga/modeling/policy-context.mdx +0 -231
- package/.docs/organized/docs/fga/modeling/public-access.mdx +0 -61
- package/.docs/organized/docs/fga/modeling/shareable-content.mdx +0 -106
- package/.docs/organized/docs/fga/modeling/superusers.mdx +0 -74
- package/.docs/organized/docs/fga/modeling/user-groups.mdx +0 -92
- package/.docs/organized/docs/fga/operations-usage.mdx +0 -104
- package/.docs/organized/docs/fga/playground.mdx +0 -12
- package/.docs/organized/docs/fga/policies.mdx +0 -462
- package/.docs/organized/docs/fga/query-language.mdx +0 -112
- package/.docs/organized/docs/fga/schema-management.mdx +0 -224
- package/.docs/organized/docs/fga/schema.mdx +0 -388
- package/.docs/organized/docs/fga/warrant-tokens.mdx +0 -44
- package/.docs/organized/docs/fga/warrants.mdx +0 -92
- package/.docs/organized/docs/reference/fga/batch-check.mdx +0 -277
- package/.docs/organized/docs/reference/fga/check.mdx +0 -563
- package/.docs/organized/docs/reference/fga/policy/create.mdx +0 -27
- package/.docs/organized/docs/reference/fga/policy/delete.mdx +0 -18
- package/.docs/organized/docs/reference/fga/policy/get.mdx +0 -23
- package/.docs/organized/docs/reference/fga/policy/index.mdx +0 -52
- package/.docs/organized/docs/reference/fga/policy/list.mdx +0 -41
- package/.docs/organized/docs/reference/fga/policy/update.mdx +0 -26
- package/.docs/organized/docs/reference/fga/query.mdx +0 -375
- package/.docs/organized/docs/reference/fga/resource/batch-write.mdx +0 -175
- package/.docs/organized/docs/reference/fga/resource-type/apply.mdx +0 -35
- package/.docs/organized/docs/reference/fga/resource-type/create.mdx +0 -24
- package/.docs/organized/docs/reference/fga/resource-type/delete.mdx +0 -22
- package/.docs/organized/docs/reference/fga/resource-type/get.mdx +0 -23
- package/.docs/organized/docs/reference/fga/resource-type/index.mdx +0 -68
- package/.docs/organized/docs/reference/fga/resource-type/list.mdx +0 -36
- package/.docs/organized/docs/reference/fga/resource-type/update.mdx +0 -23
- package/.docs/organized/docs/reference/fga/schema/apply.mdx +0 -42
- package/.docs/organized/docs/reference/fga/schema/get.mdx +0 -24
- package/.docs/organized/docs/reference/fga/schema/index.mdx +0 -39
- package/.docs/organized/docs/reference/fga/warrant/batch-write.mdx +0 -226
- package/.docs/organized/docs/reference/fga/warrant/create.mdx +0 -215
- package/.docs/organized/docs/reference/fga/warrant/delete.mdx +0 -212
- package/.docs/organized/docs/reference/fga/warrant/index.mdx +0 -186
- package/.docs/organized/docs/reference/fga/warrant/list.mdx +0 -282
- package/.docs/organized/docs/reference/idempotency.mdx +0 -21
- package/.docs/organized/docs/reference/organization-domain.mdx +0 -189
- package/.docs/organized/docs/reference/rate-limits.mdx +0 -50
- package/.docs/organized/docs/reference/roles/list-for-organization.mdx +0 -152
- package/.docs/organized/docs/reference/user-management/access-token/index.mdx +0 -13
- package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/redirect-uri.mdx +0 -23
- package/.docs/organized/docs/reference/user-management/index.mdx +0 -13
- package/.docs/organized/docs/reference/user-management/mfa/index.mdx +0 -5
- package/.docs/organized/docs/reference/user-management/session-tokens/index.mdx +0 -5
- package/.docs/organized/docs/reference/user-management/session-tokens/refresh-token.mdx +0 -8
- package/.docs/organized/docs/user-management/_navigation.mdx +0 -87
- package/.docs/organized/docs/user-management/authkit.mdx +0 -69
- package/.docs/organized/docs/user-management/connect.mdx +0 -110
- package/.docs/organized/docs/user-management/directory-provisioning.mdx +0 -78
- package/.docs/organized/docs/user-management/email-verification.mdx +0 -29
- package/.docs/organized/docs/user-management/entitlements.mdx +0 -46
- package/.docs/organized/docs/user-management/jit-provisioning.mdx +0 -36
- package/.docs/organized/docs/user-management/overview.mdx +0 -46
- package/.docs/organized/docs/user-management/roles-and-permissions.mdx +0 -155
- package/.docs/organized/docs/user-management/users-organizations.mdx +0 -91
- package/.docs/organized/docs/user-management/widgets.mdx +0 -190
|
@@ -0,0 +1,165 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Resource Types
|
|
3
|
+
description: >-
|
|
4
|
+
Define the schema of your application's resource hierarchy in the WorkOS
|
|
5
|
+
Dashboard.
|
|
6
|
+
showNextPage: true
|
|
7
|
+
originalPath: .tmp-workos-clone/packages/docs/content/fga/resource-types.mdx
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
## Introduction
|
|
11
|
+
|
|
12
|
+
Before your application can manage fine-grained access, you need to define what kinds of objects exist in your product. Resource types are that schema—they describe the categories of entities users interact with and how those entities relate to each other.
|
|
13
|
+
|
|
14
|
+
Most B2B applications have a natural hierarchy. Users belong to organizations, organizations contain workspaces, workspaces contain projects, and projects contain apps. Resource types let you formalize this structure so FGA can evaluate permissions at any level.
|
|
15
|
+
|
|
16
|
+
Resource types are configured in the [WorkOS Dashboard](https://dashboard.workos.com/) rather than through code, ensuring your authorization schema is intentionally designed and easy to update as your product evolves.
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## What makes a resource type
|
|
21
|
+
|
|
22
|
+
A resource type represents a category of business entity—something users create, access, and collaborate on. Common examples include workspaces, projects, applications, repositories, and dashboards.
|
|
23
|
+
|
|
24
|
+
Each resource type has a few properties:
|
|
25
|
+
|
|
26
|
+
**Name** is the display name users see in the Dashboard, like "Workspace" or "Project."
|
|
27
|
+
|
|
28
|
+
**Slug** is the URL-safe identifier used in API calls, like `workspace` or `project`. Choose slugs that are lowercase, concise, and match your product terminology.
|
|
29
|
+
|
|
30
|
+
**Description** is optional text explaining what this type represents in your application.
|
|
31
|
+
|
|
32
|
+
**Parent types** define which resource types can be parents in the hierarchy. A project might have `workspace` as a parent type, while a workspace might have `organization` as its only parent.
|
|
33
|
+
|
|
34
|
+
---
|
|
35
|
+
|
|
36
|
+
## Designing your hierarchy
|
|
37
|
+
|
|
38
|
+
Start by mapping your existing product structure. Think about the entities users create and how they're nested:
|
|
39
|
+
|
|
40
|
+
```text
|
|
41
|
+
organization (implicit root)
|
|
42
|
+
└─ workspace
|
|
43
|
+
└─ project
|
|
44
|
+
└─ app
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
Organizations are always the root—every hierarchy starts there. Below that, you define the types that make sense for your product.
|
|
48
|
+
|
|
49
|
+
When deciding what to model as a resource type, ask whether users can have different access levels to different instances. If all projects in a workspace have the same access, you might not need `project` as a separate type. If users can be an admin on one project but only a viewer on another, that's a strong signal to model it.
|
|
50
|
+
|
|
51
|
+
Keep your hierarchy shallow—aim for 2-4 levels. Deep hierarchies are harder to understand and manage, both for you and your customers.
|
|
52
|
+
|
|
53
|
+
---
|
|
54
|
+
|
|
55
|
+
## Examples for different products
|
|
56
|
+
|
|
57
|
+
**Multi-tenant SaaS platform**: Organizations contain workspaces, workspaces contain projects, and projects contain apps and databases. Customers create workspaces for different teams, with projects organizing their actual work.
|
|
58
|
+
|
|
59
|
+
```text
|
|
60
|
+
organization
|
|
61
|
+
└─ workspace
|
|
62
|
+
└─ project
|
|
63
|
+
├─ app
|
|
64
|
+
└─ database
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
**Developer platform**: Organizations directly contain repositories, and repositories own branches and secrets. Access is granted at the repository level, with branches and secrets inheriting from their parent repository.
|
|
68
|
+
|
|
69
|
+
```text
|
|
70
|
+
organization
|
|
71
|
+
└─ repository
|
|
72
|
+
├─ branch
|
|
73
|
+
└─ secret
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
**Analytics application**: Organizations contain accounts, and accounts contain multiple dashboards. Each dashboard might have different access levels for different stakeholders.
|
|
77
|
+
|
|
78
|
+
```text
|
|
79
|
+
organization
|
|
80
|
+
└─ account
|
|
81
|
+
└─ dashboard
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
**AI agent platform**: Organizations contain workspaces, and workspaces contain AI agents, the tools those agents can invoke, and the datasets they access. Users need different levels of access to different agents, and agents themselves need scoped permissions to specific tools and datasets—an agent in one workspace might invoke a search tool and read customer data, while another agent is limited to internal documentation.
|
|
85
|
+
|
|
86
|
+
What makes this hierarchy distinct is that agents are both resources and subjects. As resources, they live inside workspaces and users control who can configure or launch them. As subjects, agents receive role assignments on tools and datasets just like users do—an agent might have `invoker` on `tool:web-search` and `reader` on `dataset:customers`. When an agent acts on behalf of a user, it should only receive a subset of that user's access, never more.
|
|
87
|
+
|
|
88
|
+
```text
|
|
89
|
+
organization
|
|
90
|
+
└─ workspace
|
|
91
|
+
├─ agent
|
|
92
|
+
├─ tool
|
|
93
|
+
└─ dataset
|
|
94
|
+
```
|
|
95
|
+
|
|
96
|
+
---
|
|
97
|
+
|
|
98
|
+
## Hierarchy rules
|
|
99
|
+
|
|
100
|
+
A few constraints help keep your authorization model predictable:
|
|
101
|
+
|
|
102
|
+
**Maximum depth** is five levels, which covers even complex enterprise products. Most applications need only two or three.
|
|
103
|
+
|
|
104
|
+
**Single parent** means each resource instance has exactly one parent. A project belongs to one workspace, not multiple.
|
|
105
|
+
|
|
106
|
+
**Multiple parent types** let a resource type accept different parents. An `app` might be created directly under a workspace or nested under a project, so both would be valid parent types.
|
|
107
|
+
|
|
108
|
+
These constraints exist to keep permission evaluation fast and predictable. Single-parent hierarchies ensure that inherited permissions always flow through a clear path—there's no ambiguity about which parent's roles apply. The depth limit keeps traversal efficient and prevents authorization models from becoming unwieldy.
|
|
109
|
+
|
|
110
|
+
That said, the five-level depth limit is a soft limit based on typical enterprise patterns, not a technical limitation. If your use case requires deeper hierarchies, [reach out to us](https://workos.com/contact) to discuss your specific needs.
|
|
111
|
+
|
|
112
|
+
---
|
|
113
|
+
|
|
114
|
+
## Creating and managing resource types
|
|
115
|
+
|
|
116
|
+
Resource types are managed exclusively through the [WorkOS Dashboard](https://dashboard.workos.com/)—they cannot be created, modified, or deleted via the public API.
|
|
117
|
+
|
|
118
|
+
Resource types define your authorization schema, and changes to them can have far-reaching consequences: altering a parent relationship affects how permissions inherit, removing a type orphans all its resources and role assignments, and changing the hierarchy can break application logic that depends on it. By restricting resource type management to the Dashboard, we ensure these changes are made deliberately by someone reviewing the full impact, not accidentally by a script or misconfigured automation.
|
|
119
|
+
|
|
120
|
+
### Using the Dashboard
|
|
121
|
+
|
|
122
|
+
Navigate to **Resources Types** under **Authorization** to configure resource types for your environment. The resource type editor provides:
|
|
123
|
+
|
|
124
|
+
- **Visual hierarchy builder** to arrange parent-child relationships
|
|
125
|
+
- **Type configuration** for names, slugs, and descriptions
|
|
126
|
+
- **Relationship validation** that ensures hierarchy constraints are met before saving
|
|
127
|
+
|
|
128
|
+

|
|
129
|
+
|
|
130
|
+
To create a new resource type, click **Edit resource types**, provide a name and slug, and configure which types can be parents. The Dashboard shows how the new type fits into your existing hierarchy.
|
|
131
|
+
|
|
132
|
+

|
|
133
|
+
|
|
134
|
+
### Modifying resource types
|
|
135
|
+
|
|
136
|
+
Once a resource type exists, you can update its name and description freely—these are display values that don't affect API behavior. However, slugs cannot be changed after creation. They're used in API calls, and changing them would break existing integrations. If you need a different slug, create a new resource type and migrate your resources.
|
|
137
|
+
|
|
138
|
+
> Support for adding parent types is coming soon.
|
|
139
|
+
|
|
140
|
+
### Removing resource types
|
|
141
|
+
|
|
142
|
+
Before removing a resource type:
|
|
143
|
+
|
|
144
|
+
1. Remove any roles and permissions scoped to that type (deleting a role automatically removes its assignments)
|
|
145
|
+
2. Ensure no child types depend on it—only leaf types can be deleted
|
|
146
|
+
|
|
147
|
+
Once these dependencies are resolved, deleting the resource type from the Dashboard will automatically clean up all resource instances of that type.
|
|
148
|
+
|
|
149
|
+
---
|
|
150
|
+
|
|
151
|
+
## Adding types as you grow
|
|
152
|
+
|
|
153
|
+
One of the goals of FGA is to make it easy to evolve your authorization model as your product grows. Unlike other systems where changing inheritance rules or adding new entity types requires rewriting complex policies, FGA lets you add new resource types without disrupting existing access patterns.
|
|
154
|
+
|
|
155
|
+
When you ship a new feature that needs its own access control—say, deployments for your developer platform—you simply add a `deployment` resource type and define its parent relationship. Existing types, roles, and assignments continue working unchanged.
|
|
156
|
+
|
|
157
|
+
```text
|
|
158
|
+
organization
|
|
159
|
+
└─ workspace
|
|
160
|
+
├─ repository
|
|
161
|
+
├─ pipeline
|
|
162
|
+
└─ deployment (new feature)
|
|
163
|
+
```
|
|
164
|
+
|
|
165
|
+
You don't need to predict every future resource type upfront. Start with the types you need today, and add more as you build new features. The hierarchy is designed to grow with your product.
|
|
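Review bot: The consequences of removing a type are described two incompatible ways in resource-types.mdx. New line 118 says "removing a type orphans all its resources and role assignments", but "Removing resource types" (new lines 144-147) requires roles scoped to the type to be removed first and then says deletion "will automatically clean up all resource instances of that type". If the second description is the real behaviour, reword line 118 so it no longer says "orphans", and state plainly that no grants survive the type; a reader planning a schema change needs to know whether access can outlive it. Also in this hunk: the agent paragraph (new line 86) says an agent acting for a user "should only receive a subset of that user's access, never more" without saying whether FGA enforces that bound or the integrator has to, so say which. And "Navigate to **Resources Types**" (new line 122) looks like a typo for "Resource Types", the spelling used in the title and headings, unless that is the Dashboard's actual label.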
@@ -1,92 +1,212 @@
|
|
|
1
1
|
---
|
|
2
2
|
title: Resources
|
|
3
|
-
description:
|
|
4
|
-
Resources are FGA's references to your application's access controlled
|
|
5
|
-
resources.
|
|
3
|
+
description: Represent your application's entities in the FGA hierarchy.
|
|
6
4
|
showNextPage: true
|
|
7
5
|
originalPath: .tmp-workos-clone/packages/docs/content/fga/resources.mdx
|
|
8
6
|
---
|
|
9
7
|
|
|
10
|
-
|
|
8
|
+
## Introduction
|
|
11
9
|
|
|
12
|
-
|
|
10
|
+
Resources are the runtime counterpart to resource types. While resource types define your schema, resources represent the actual instances users create and work with.
|
|
13
11
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
12
|
+
When a user creates a workspace in your application, you register a corresponding resource in WorkOS. When they create a project inside that workspace, you register another resource as a child of the workspace. This builds the hierarchy that FGA uses to evaluate permissions.
|
|
13
|
+
|
|
14
|
+
Each resource has a type, an external ID from your application, a parent (the organization or another resource), and a human-readable name. Together, these form the tree structure where access is assigned and inherited.
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Organization resources
|
|
19
|
+
|
|
20
|
+
An organization resource is automatically created for every organization in WorkOS and serves as the root of your hierarchy. Organization resources cannot be edited or deleted—they exist for the lifetime of the organization.
|
|
21
|
+
|
|
22
|
+
Every resource you create must have a parent. For top-level resources like workspaces, the parent is the organization resource. You can reference it using the organization's ID directly as the external ID.
|
|
23
|
+
|
|
24
|
+
---
|
|
25
|
+
|
|
26
|
+
## Creating resources
|
|
27
|
+
|
|
28
|
+
Register resources as users create entities in your application. For top-level resources like workspaces, the parent is optional — when omitted, the resource defaults to the organization as its parent:
|
|
29
|
+
|
|
30
|
+
```bash
|
|
31
|
+
curl https://api.workos.com/authorization/resources \
|
|
32
|
+
-X POST \
|
|
33
|
+
-H "Authorization: Bearer sk_example_123456789" \
|
|
34
|
+
-H "Content-Type: application/json" \
|
|
35
|
+
-d '{
|
|
36
|
+
"resource_type_slug": "workspace",
|
|
37
|
+
"external_id": "workspace_01H",
|
|
38
|
+
"organization_id": "org_01HXYZ",
|
|
39
|
+
"name": "Engineering"
|
|
40
|
+
}'
|
|
18
41
|
```
|
|
19
42
|
|
|
20
|
-
|
|
43
|
+
For nested resources, specify the parent to establish the hierarchy. You can reference the parent by its internal WorkOS ID:
|
|
44
|
+
|
|
45
|
+
```bash
|
|
46
|
+
curl https://api.workos.com/authorization/resources \
|
|
47
|
+
-X POST \
|
|
48
|
+
-H "Authorization: Bearer sk_example_123456789" \
|
|
49
|
+
-H "Content-Type: application/json" \
|
|
50
|
+
-d '{
|
|
51
|
+
"resource_type_slug": "project",
|
|
52
|
+
"external_id": "project_02H",
|
|
53
|
+
"organization_id": "org_01HXYZ",
|
|
54
|
+
"parent_resource_id": "authz_resource_01HXYZ",
|
|
55
|
+
"name": "API Backend"
|
|
56
|
+
}'
|
|
57
|
+
```
|
|
21
58
|
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
59
|
+
Or reference the parent by its external ID and type, which is often more convenient since you're already tracking your own entity IDs:
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
curl https://api.workos.com/authorization/resources \
|
|
63
|
+
-X POST \
|
|
64
|
+
-H "Authorization: Bearer sk_example_123456789" \
|
|
65
|
+
-H "Content-Type: application/json" \
|
|
66
|
+
-d '{
|
|
67
|
+
"resource_type_slug": "project",
|
|
68
|
+
"external_id": "project_02H",
|
|
69
|
+
"organization_id": "org_01HXYZ",
|
|
70
|
+
"parent_resource_type_slug": "workspace",
|
|
71
|
+
"parent_resource_external_id": "workspace_01H",
|
|
72
|
+
"name": "API Backend"
|
|
73
|
+
}'
|
|
74
|
+
```
|
|
25
75
|
|
|
26
|
-
|
|
76
|
+
See the [API reference](/reference) for full endpoint documentation.
|
|
27
77
|
|
|
28
|
-
|
|
78
|
+
---
|
|
29
79
|
|
|
30
|
-
|
|
80
|
+
## External IDs
|
|
31
81
|
|
|
32
|
-
|
|
82
|
+
External IDs are your application's identifiers for resources—typically the primary key from your database. They provide a stable reference that maps directly to your records.
|
|
33
83
|
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
84
|
+
External IDs must be unique within a resource type and organization. Two workspaces in the same organization can't share an external ID, but a workspace and a project can (since they're different types). Two workspaces in different organizations can also share an external ID.
|
|
85
|
+
|
|
86
|
+
This uniqueness rule simplifies resource management for managed service providers and platforms that provision similar structures for each customer. Every customer might have a "main" workspace with external ID `main`—that's fine because they're in different organizations.
|
|
87
|
+
|
|
88
|
+
Use your existing database IDs or UUIDs for external IDs. Keep them stable—don't change an ID after creation—and choose values that are meaningful for debugging and support.
|
|
89
|
+
|
|
90
|
+
### Managing resources by external ID
|
|
91
|
+
|
|
92
|
+
Beyond using internal WorkOS resource IDs, you can manage resources directly using your external IDs:
|
|
93
|
+
|
|
94
|
+
```bash
|
|
95
|
+
# Get a resource by external ID
|
|
96
|
+
curl "https://api.workos.com/authorization/organizations/org_01HXYZ/resources/workspace/workspace_01H" \
|
|
97
|
+
-H "Authorization: Bearer sk_example_123456789"
|
|
98
|
+
|
|
99
|
+
# Update a resource by external ID
|
|
100
|
+
curl https://api.workos.com/authorization/organizations/org_01HXYZ/resources/workspace/workspace_01H \
|
|
101
|
+
-X PATCH \
|
|
102
|
+
-H "Authorization: Bearer sk_example_123456789" \
|
|
103
|
+
-H "Content-Type: application/json" \
|
|
104
|
+
-d '{ "name": "Engineering Team" }'
|
|
105
|
+
|
|
106
|
+
# Delete a resource by external ID
|
|
107
|
+
curl https://api.workos.com/authorization/organizations/org_01HXYZ/resources/workspace/workspace_01H \
|
|
108
|
+
-X DELETE \
|
|
109
|
+
-H "Authorization: Bearer sk_example_123456789"
|
|
44
110
|
```
|
|
45
111
|
|
|
46
|
-
|
|
112
|
+
This is often more convenient than looking up internal resource IDs since you're already tracking your own entity IDs.
|
|
113
|
+
|
|
114
|
+
---
|
|
115
|
+
|
|
116
|
+
## Keeping resources in sync
|
|
117
|
+
|
|
118
|
+
Resources should mirror your application's data. When entities are created, updated, or deleted in your app, the corresponding resources should change in WorkOS.
|
|
119
|
+
|
|
120
|
+
**On creation**, register the resource immediately after saving the entity to your database. The resource needs to exist before you can assign roles to it.
|
|
121
|
+
|
|
122
|
+
**On deletion**, remove the resource when the entity is deleted. By default, deleting a resource will fail if it has child resources or role assignments. Pass `cascade_delete=true` to delete the resource along with all its children and their role assignments.
|
|
123
|
+
|
|
124
|
+
**On rename**, update the resource's name when the entity's name changes in your application. External IDs and parent relationships are immutable after creation.
|
|
47
125
|
|
|
48
|
-
|
|
126
|
+
> Support for changing parent relationships is coming soon.
|
|
127
|
+
|
|
128
|
+
---
|
|
129
|
+
|
|
130
|
+
## What to model as resources
|
|
131
|
+
|
|
132
|
+
FGA is optimized for low-cardinality, stable entities—the structural elements of your application where access boundaries matter.
|
|
133
|
+
|
|
134
|
+
**Good candidates for FGA resources**: Workspaces, teams, accounts, projects, repositories, pipelines, dashboards, environments—entities where users have different access levels to different instances, and the count is typically in the hundreds to thousands per organization.
|
|
135
|
+
|
|
136
|
+
**Keep in your database**: Documents, messages, tasks, files, comments, rows—high-volume content that changes frequently and typically inherits access from a parent. Modeling millions of documents as individual resources would overwhelm sync and provide no real benefit.
|
|
137
|
+
|
|
138
|
+
As a rule of thumb, hundreds to thousands of resources per organization works well. Tens of thousands might work but consider whether they all need individual access control. Millions should stay in your database with references to their parent FGA resource.
|
|
139
|
+
|
|
140
|
+
FGA has a **soft limit of 5,000 resource instances per resource type per organization.** This is based on our experience working with customers to avoid potential data syncing issues—not a technical limitation. If your use case requires higher cardinality, [reach out to us](https://workos.com/contact) to discuss your specific needs.
|
|
141
|
+
|
|
142
|
+
## Parent references for high-volume data
|
|
143
|
+
|
|
144
|
+
High-volume entities can participate in authorization without being modeled as FGA resources. Store a reference to the nearest FGA-managed parent in your database:
|
|
145
|
+
|
|
146
|
+
```json
|
|
49
147
|
{
|
|
50
|
-
"
|
|
51
|
-
"
|
|
148
|
+
"id": "doc_abc123",
|
|
149
|
+
"content": "...",
|
|
150
|
+
"project_id": "proj_456" // ← Reference to FGA resource
|
|
52
151
|
}
|
|
53
152
|
```
|
|
54
153
|
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
154
|
+
When checking access, ask about the parent:
|
|
155
|
+
|
|
156
|
+
```bash
|
|
157
|
+
# Can this user edit this document?
|
|
158
|
+
# → Check: Does user have document:edit on Project proj_456?
|
|
159
|
+
curl https://api.workos.com/authorization/organization_memberships/om_01HXYZ/check \
|
|
160
|
+
-X POST \
|
|
161
|
+
-H "Authorization: Bearer sk_example_123456789" \
|
|
162
|
+
-H "Content-Type: application/json" \
|
|
163
|
+
-d '{
|
|
164
|
+
"permission_slug": "document:edit",
|
|
165
|
+
"resource_type_slug": "project",
|
|
166
|
+
"resource_external_id": "proj_456"
|
|
167
|
+
}'
|
|
60
168
|
```
|
|
61
169
|
|
|
62
|
-
|
|
170
|
+
This approach keeps authorization fast (no sync lag), avoids reconciliation issues, scales to millions of documents, and uses the existing permission hierarchy. Users with `document:edit` on the project can edit all documents in it without syncing each document to WorkOS.
|
|
171
|
+
|
|
172
|
+
---
|
|
63
173
|
|
|
64
|
-
|
|
174
|
+
## Querying resources
|
|
65
175
|
|
|
66
|
-
|
|
176
|
+
List resources with optional filters:
|
|
67
177
|
|
|
68
|
-
|
|
178
|
+
```bash
|
|
179
|
+
curl "https://api.workos.com/authorization/resources?resource_type_slug=project&organization_id=org_01HXYZ" \
|
|
180
|
+
-H "Authorization: Bearer sk_example_123456789"
|
|
181
|
+
```
|
|
69
182
|
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
"
|
|
75
|
-
"email": "john-doe@acme-corp.com",
|
|
76
|
-
"isActivated": true
|
|
77
|
-
}
|
|
78
|
-
}
|
|
183
|
+
Get a specific resource:
|
|
184
|
+
|
|
185
|
+
```bash
|
|
186
|
+
curl https://api.workos.com/authorization/resources/authz_resource_01HXYZ \
|
|
187
|
+
-H "Authorization: Bearer sk_example_123456789"
|
|
79
188
|
```
|
|
80
189
|
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
190
|
+
See the [API reference](/reference) for full query parameters.
|
|
191
|
+
|
|
192
|
+
---
|
|
193
|
+
|
|
194
|
+
## Updating and deleting
|
|
195
|
+
|
|
196
|
+
Update a resource's name when the corresponding entity changes:
|
|
197
|
+
|
|
198
|
+
```bash
|
|
199
|
+
curl https://api.workos.com/authorization/resources/authz_resource_01HXYZ \
|
|
200
|
+
-X PATCH \
|
|
201
|
+
-H "Authorization: Bearer sk_example_123456789" \
|
|
202
|
+
-H "Content-Type: application/json" \
|
|
203
|
+
-d '{ "name": "Engineering Team" }'
|
|
90
204
|
```
|
|
91
205
|
|
|
92
|
-
|
|
206
|
+
Delete a resource when the entity is deleted from your application. By default, the request will fail if the resource has child resources or role assignments. Pass `cascade_delete=true` to remove the resource along with all its children and their assignments:
|
|
207
|
+
|
|
208
|
+
```bash
|
|
209
|
+
curl "https://api.workos.com/authorization/resources/authz_resource_01HXYZ?cascade_delete=true" \
|
|
210
|
+
-X DELETE \
|
|
211
|
+
-H "Authorization: Bearer sk_example_123456789"
|
|
212
|
+
```
|
|
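Review bot: the parent-reference check at new lines 154-168 does not say where the `resource_external_id` value comes from, and that step decides whether the check means anything. The request asks about `proj_456`, so the answer only holds for `doc_abc123` if the application read `project_id` from its own stored document record. If the project identifier is taken from the caller's request instead, the check passes for any project the user can edit, regardless of which document is being changed. Suggest adding a sentence after "When checking access, ask about the parent:" stating that the parent id must be loaded server-side from the document row, and saying what happens when a document changes parent. Smaller point: the block at new lines 146-152 is fenced as `json` but carries a `// ← Reference to FGA resource` comment at new line 150, which is not valid JSON; move the remark into the prose or change the fence language.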
@@ -0,0 +1,122 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Roles and Permissions
|
|
3
|
+
description: Define what users can do within specific resource types.
|
|
4
|
+
showNextPage: true
|
|
5
|
+
originalPath: .tmp-workos-clone/packages/docs/content/fga/roles-and-permissions.mdx
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Introduction
|
|
9
|
+
|
|
10
|
+
Once you've defined your resource types, the next step is deciding what users can actually do. Roles and permissions in FGA are always scoped to a specific resource type—a workspace role applies only to workspaces, a project role applies only to projects.
|
|
11
|
+
|
|
12
|
+
This scoping makes permissions predictable. When you see `workspace-admin`, you know it grants workspace access. When a role includes permissions for child types, those permissions flow down automatically—a workspace admin can access all projects in that workspace without separate assignments.
|
|
13
|
+
|
|
14
|
+
---
|
|
15
|
+
|
|
16
|
+
## Understanding permissions
|
|
17
|
+
|
|
18
|
+
A permission represents a specific action a user can perform on a resource type. Each permission has a name (like "Edit Workspace"), a slug used in code (`workspace:edit`), and the resource type it applies to.
|
|
19
|
+
|
|
20
|
+
We recommend following a `{resource_type}:{action}` pattern for permission slugs. This makes permissions self-documenting—`project:delete` clearly means the ability to delete a project.
|
|
21
|
+
|
|
22
|
+
Common patterns include:
|
|
23
|
+
|
|
24
|
+
- `{type}:view` for read access
|
|
25
|
+
- `{type}:edit` for modifying a resource
|
|
26
|
+
- `{type}:create` for creating child resources
|
|
27
|
+
- `{type}:delete` for removing a resource
|
|
28
|
+
- `{type}:manage` for full administrative control
|
|
29
|
+
- `{type}:invite` for adding collaborators
|
|
30
|
+
|
|
31
|
+
Keep permissions granular. Instead of a broad `project:access` permission, create specific ones like `project:view`, `project:edit`, and `project:delete`. This gives you flexibility as your product's access requirements evolve.
|
|
32
|
+
|
|
33
|
+
---
|
|
34
|
+
|
|
35
|
+
## Understanding roles
|
|
36
|
+
|
|
37
|
+
Roles are collections of permissions that describe what someone can do. Like permissions, each role is scoped to a resource type—you create a role for workspaces, another for projects, and so on.
|
|
38
|
+
|
|
39
|
+
We recommend naming roles to indicate both the scope and the capability level. Following a `{resource-type}-{capability}` pattern makes roles self-explanatory:
|
|
40
|
+
|
|
41
|
+
- `workspace-admin` – full control of a workspace
|
|
42
|
+
- `workspace-member` – basic workspace access
|
|
43
|
+
- `project-editor` – can modify a project
|
|
44
|
+
- `project-viewer` – read-only project access
|
|
45
|
+
|
|
46
|
+
When you assign `workspace-admin` to a user on a specific workspace, they get all the permissions bundled in that role for that workspace.
|
|
47
|
+
|
|
48
|
+
---
|
|
49
|
+
|
|
50
|
+
## Permission inheritance
|
|
51
|
+
|
|
52
|
+
The key feature of FGA roles is that they can include permissions for child resource types. This is where the power of hierarchical authorization comes in.
|
|
53
|
+
|
|
54
|
+
A `workspace-admin` role might include:
|
|
55
|
+
|
|
56
|
+
- `workspace:view` and `workspace:edit` (same type)
|
|
57
|
+
- `project:view` and `project:edit` (child type)
|
|
58
|
+
- `app:view` and `app:deploy` (grandchild type)
|
|
59
|
+
|
|
60
|
+
When you assign this role to someone on a workspace, they can view and edit that workspace, plus view, edit, and deploy all projects and apps within it. One assignment grants access across the entire sub-tree.
|
|
61
|
+
|
|
62
|
+
This reduces "role explosion"—instead of creating separate roles for every resource combination, you define roles at appropriate levels and let inheritance handle the rest. A workspace admin naturally has access to everything in the workspace, which matches how people think about access.
|
|
63
|
+
|
|
64
|
+
---
|
|
65
|
+
|
|
66
|
+
## Seeing inheritance in action
|
|
67
|
+
|
|
68
|
+
To understand how permission inheritance works in practice, consider a hierarchy where an organization contains projects, and projects contain apps:
|
|
69
|
+
|
|
70
|
+
```text
|
|
71
|
+
Org
|
|
72
|
+
└─ Project
|
|
73
|
+
└─ App
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
Different users can have roles at different levels, and the access they receive depends on where their role is assigned and what permissions that role includes.
|
|
77
|
+
|
|
78
|
+

|
|
79
|
+
|
|
80
|
+
- User John has `Project read-only` on `Project:1` and can view only that project, not its apps
|
|
81
|
+
|
|
82
|
+
- User Jane is `Org member` of `Org:1` with `org:read`, `project:read`, and `app:read` permissions. They can view the organization, all of its projects, and all apps under those projects.
|
|
83
|
+
|
|
84
|
+
- Jane is also `Project editor` for `Project:2` and can read and edit `Project:2` and all of its apps.
|
|
85
|
+
|
|
86
|
+
- Jane has `App editor` for `App:Finance` and can view and edit only that app instance.
|
|
87
|
+
|
|
88
|
+
This pattern is powerful because it lets you express nuanced access with minimal assignments. A single organization-level membership provides baseline visibility, while targeted assignments grant elevated access where needed. The hierarchy does the work of propagating permissions, so you don't have to create individual assignments for every resource.
|
|
89
|
+
|
|
90
|
+
---
|
|
91
|
+
|
|
92
|
+
## How access is evaluated
|
|
93
|
+
|
|
94
|
+
When your application checks whether a user can perform an action on a resource, FGA looks at all possible sources of access:
|
|
95
|
+
|
|
96
|
+
1. **Direct assignments** on the resource itself
|
|
97
|
+
2. **Inherited assignments** from parent resources
|
|
98
|
+
3. **Organization-level roles** that include the permission
|
|
99
|
+
|
|
100
|
+
If any of these grant the permission, the user is authorized.
|
|
101
|
+
|
|
102
|
+
For example, if Alice wants to deploy `App:Frontend`, FGA checks whether she has `app:deploy` directly on that app, or on its parent project, or on its parent workspace, or through an organization role. Her `workspace-admin` role on `Workspace: Engineering` includes `app:deploy`, so she's authorized—even without any direct assignment on the app.
|
|
103
|
+
|
|
104
|
+
Permissions are additive. If a user has multiple roles, they get the union of all permissions from all their roles. There's no way for one role to remove permissions granted by another.
|
|
105
|
+
|
|
106
|
+
---
|
|
107
|
+
|
|
108
|
+
## Managing roles in the Dashboard
|
|
109
|
+
|
|
110
|
+
Configure roles and permissions in the [WorkOS Dashboard](https://dashboard.workos.com/) under **Authorization**. You'll need to have [resource types](/fga/resource-types) defined before you can create scoped roles and permissions.
|
|
111
|
+
|
|
112
|
+
To create a new role, select the resource type it applies to and give it a descriptive name and slug.
|
|
113
|
+
|
|
114
|
+

|
|
115
|
+
|
|
116
|
+
Then choose which permissions to include from the same type and child types.
|
|
117
|
+
|
|
118
|
+

|
|
119
|
+
|
|
120
|
+
When you modify a role's permissions, changes apply immediately to everyone with that role. No re-assignment is needed—existing users automatically get the updated permissions.
|
|
121
|
+
|
|
122
|
+
For organizations using [multiple roles](/authkit/roles-and-permissions/multiple-roles), users receive all permissions from all their assigned roles. Priority order only matters for [IdP role assignment](/fga/idp-role-assignment) when running in single-role mode.
|
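Review bot: new lines 104 and 120 state that permissions are additive, with no way for one role to remove another's grants, and that role edits "apply immediately to everyone with that role", but the page never connects these to the inheritance rule at new line 60. Taken together, adding a child-type permission such as `app:deploy` to a workspace-level role widens access for every holder across every project and app beneath each workspace they are assigned to, with no re-assignment step at which it could be reviewed and no deny to carve out exceptions. Suggest a short caution in "Managing roles in the Dashboard" to review who holds a role before adding permissions to it, and a note in "How access is evaluated" that removing access means removing every direct, inherited and organization-level source. Also, the slug guidance at new lines 24-29 recommends `{type}:view`, while the worked example at new line 82 uses `org:read`, `project:read` and `app:read`, and the hierarchy switches between Org at new line 71 and Workspace at new line 102; pick one vocabulary.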