@workos/mcp-docs-server 0.1.0 → 0.2.0
- package/.docs/organized/changelogs/workos-platform.json +125 -125
- package/.docs/organized/docs/admin-portal/custom-branding.mdx +2 -4
- package/.docs/organized/docs/admin-portal/example-apps.mdx +11 -11
- package/.docs/organized/docs/admin-portal/index.mdx +39 -33
- package/.docs/organized/docs/audit-logs/admin-portal.mdx +1 -1
- package/.docs/organized/docs/audit-logs/editing-events.mdx +1 -1
- package/.docs/organized/docs/audit-logs/exporting-events.mdx +1 -1
- package/.docs/organized/docs/audit-logs/index.mdx +17 -2
- package/.docs/organized/docs/audit-logs/log-streams.mdx +325 -1
- package/.docs/organized/docs/audit-logs/metadata-schema.mdx +1 -1
- package/.docs/organized/docs/authkit/_navigation.mdx +108 -0
- package/.docs/organized/docs/{user-management → authkit}/actions.mdx +3 -4
- package/.docs/organized/docs/authkit/add-ons/google-analytics.mdx +79 -0
- package/.docs/organized/docs/authkit/add-ons/segment.mdx +77 -0
- package/.docs/organized/docs/authkit/add-ons/stripe.mdx +103 -0
- package/.docs/organized/docs/authkit/api-keys.mdx +99 -0
- package/.docs/organized/docs/{user-management → authkit}/branding.mdx +220 -2
- package/.docs/organized/docs/authkit/cli-auth.mdx +76 -0
- package/.docs/organized/docs/authkit/cli-installer.mdx +157 -0
- package/.docs/organized/docs/authkit/connect/m2m.mdx +65 -0
- package/.docs/organized/docs/authkit/connect/oauth.mdx +88 -0
- package/.docs/organized/docs/authkit/connect/standalone.mdx +179 -0
- package/.docs/organized/docs/authkit/connect.mdx +65 -0
- package/.docs/organized/docs/authkit/custom-email-providers.mdx +141 -0
- package/.docs/organized/docs/{user-management → authkit}/custom-emails.mdx +15 -15
- package/.docs/organized/docs/authkit/directory-provisioning.mdx +89 -0
- package/.docs/organized/docs/{user-management → authkit}/domain-verification.mdx +5 -6
- package/.docs/organized/docs/{user-management → authkit}/email-password.mdx +2 -2
- package/.docs/organized/docs/authkit/email-verification.mdx +31 -0
- package/.docs/organized/docs/{user-management → authkit}/example-apps.mdx +3 -3
- package/.docs/organized/docs/authkit/hosted-ui.mdx +165 -0
- package/.docs/organized/docs/{user-management → authkit}/identity-linking.mdx +9 -9
- package/.docs/organized/docs/{user-management → authkit}/impersonation.mdx +8 -8
- package/.docs/organized/docs/{user-management → authkit}/index.mdx +141 -74
- package/.docs/organized/docs/{user-management → authkit}/invitations.mdx +4 -4
- package/.docs/organized/docs/{user-management → authkit}/invite-only-signup.mdx +3 -3
- package/.docs/organized/docs/authkit/jit-provisioning.mdx +42 -0
- package/.docs/organized/docs/{user-management → authkit}/jwt-templates.mdx +37 -3
- package/.docs/organized/docs/authkit/landing.mdx +22 -0
- package/.docs/organized/docs/{user-management → authkit}/magic-auth.mdx +3 -5
- package/.docs/organized/docs/{user-management → authkit}/mcp.mdx +46 -9
- package/.docs/organized/docs/{user-management → authkit}/metadata.mdx +9 -9
- package/.docs/organized/docs/{user-management → authkit}/mfa.mdx +2 -2
- package/.docs/organized/docs/{user-management → authkit}/migrations.mdx +4 -4
- package/.docs/organized/docs/{user-management → authkit}/modeling-your-app.mdx +11 -11
- package/.docs/organized/docs/{user-management → authkit}/organization-policies.mdx +3 -4
- package/.docs/organized/docs/authkit/overview.mdx +46 -0
- package/.docs/organized/docs/{user-management → authkit}/passkeys.mdx +3 -3
- package/.docs/organized/docs/authkit/pipes.mdx +75 -0
- package/.docs/organized/docs/{user-management → authkit}/radar.mdx +39 -4
- package/.docs/organized/docs/authkit/roles-and-permissions.mdx +208 -0
- package/.docs/organized/docs/{user-management → authkit}/sessions.mdx +32 -20
- package/.docs/organized/docs/{user-management → authkit}/social-login.mdx +16 -2
- package/.docs/organized/docs/{user-management → authkit}/sso-with-contractors.mdx +3 -4
- package/.docs/organized/docs/{user-management → authkit}/sso.mdx +2 -2
- package/.docs/organized/docs/authkit/users-organizations.mdx +107 -0
- package/.docs/organized/docs/custom-domains/admin-portal.mdx +0 -2
- package/.docs/organized/docs/custom-domains/authkit.mdx +0 -2
- package/.docs/organized/docs/custom-domains/email.mdx +2 -2
- package/.docs/organized/docs/deprecations/_navigation.mdx +8 -0
- package/.docs/organized/docs/deprecations/raw-attributes.mdx +136 -0
- package/.docs/organized/docs/directory-sync/attributes.mdx +50 -31
- package/.docs/organized/docs/directory-sync/example-apps.mdx +11 -11
- package/.docs/organized/docs/directory-sync/identity-provider-role-assignment.mdx +23 -26
- package/.docs/organized/docs/directory-sync/index.mdx +4 -2
- package/.docs/organized/docs/directory-sync/quick-start.mdx +3 -3
- package/.docs/organized/docs/directory-sync/understanding-events.mdx +2 -2
- package/.docs/organized/docs/domain-verification/api.mdx +8 -8
- package/.docs/organized/docs/domain-verification/index.mdx +3 -3
- package/.docs/organized/docs/email.mdx +49 -5
- package/.docs/organized/docs/events/data-syncing/events-api.mdx +3 -3
- package/.docs/organized/docs/events/data-syncing/index.mdx +2 -3
- package/.docs/organized/docs/events/data-syncing/webhooks.mdx +4 -4
- package/.docs/organized/docs/events/index.mdx +419 -33
- package/.docs/organized/docs/feature-flags/_navigation.mdx +10 -0
- package/.docs/organized/docs/feature-flags/index.mdx +80 -0
- package/.docs/organized/docs/feature-flags/slack-notifications.mdx +58 -0
- package/.docs/organized/docs/fga/_navigation.mdx +34 -54
- package/.docs/organized/docs/fga/access-checks.mdx +109 -0
- package/.docs/organized/docs/fga/assignments.mdx +124 -0
- package/.docs/organized/docs/fga/authkit-integration.mdx +92 -0
- package/.docs/organized/docs/fga/high-cardinality-entities.mdx +172 -0
- package/.docs/organized/docs/fga/idp-role-assignment.mdx +66 -0
- package/.docs/organized/docs/fga/index.mdx +94 -29
- package/.docs/organized/docs/fga/migration-openfga.mdx +306 -0
- package/.docs/organized/docs/fga/migration-oso.mdx +372 -0
- package/.docs/organized/docs/fga/migration-spicedb.mdx +364 -0
- package/.docs/organized/docs/fga/quick-start.mdx +283 -98
- package/.docs/organized/docs/fga/resource-discovery.mdx +78 -0
- package/.docs/organized/docs/fga/resource-types.mdx +165 -0
- package/.docs/organized/docs/fga/resources.mdx +179 -59
- package/.docs/organized/docs/fga/roles-and-permissions.mdx +122 -0
- package/.docs/organized/docs/fga/standalone-integration.mdx +176 -0
- package/.docs/organized/docs/glossary.mdx +7 -3
- package/.docs/organized/docs/integrations/access-people-hr.mdx +1 -1
- package/.docs/organized/docs/integrations/adp-oidc.mdx +1 -1
- package/.docs/organized/docs/integrations/apple.mdx +112 -69
- package/.docs/organized/docs/integrations/auth0-directory-sync.mdx +3 -1
- package/.docs/organized/docs/integrations/auth0-enterprise-connection.mdx +3 -1
- package/.docs/organized/docs/integrations/auth0-saml.mdx +3 -1
- package/.docs/organized/docs/integrations/bamboohr.mdx +4 -4
- package/.docs/organized/docs/integrations/breathe-hr.mdx +1 -1
- package/.docs/organized/docs/integrations/bubble.mdx +1 -1
- package/.docs/organized/docs/integrations/cas-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/classlink-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/clever-oidc.mdx +94 -0
- package/.docs/organized/docs/integrations/cloudflare-saml.mdx +35 -2
- package/.docs/organized/docs/integrations/cyberark-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/cyberark-scim.mdx +1 -1
- package/.docs/organized/docs/integrations/duo-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/entra-id-oidc.mdx +198 -0
- package/.docs/organized/docs/integrations/entra-id-saml.mdx +3 -3
- package/.docs/organized/docs/integrations/entra-id-scim.mdx +5 -1
- package/.docs/organized/docs/integrations/fourth.mdx +2 -2
- package/.docs/organized/docs/integrations/github-oauth.mdx +80 -33
- package/.docs/organized/docs/integrations/gitlab-oauth.mdx +86 -31
- package/.docs/organized/docs/integrations/google-directory-sync.mdx +5 -1
- package/.docs/organized/docs/integrations/google-oauth.mdx +87 -70
- package/.docs/organized/docs/integrations/google-oidc.mdx +142 -0
- package/.docs/organized/docs/integrations/google-saml.mdx +3 -3
- package/.docs/organized/docs/integrations/hibob.mdx +17 -4
- package/.docs/organized/docs/integrations/intuit-oauth.mdx +128 -0
- package/.docs/organized/docs/integrations/jumpcloud-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/jumpcloud-scim.mdx +5 -1
- package/.docs/organized/docs/integrations/keycloak-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/lastpass-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/linkedin-oauth.mdx +69 -30
- package/.docs/organized/docs/integrations/microsoft-ad-fs-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/microsoft-oauth.mdx +95 -38
- package/.docs/organized/docs/integrations/miniorange-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/net-iq-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/next-auth.mdx +1 -1
- package/.docs/organized/docs/integrations/oidc.mdx +37 -24
- package/.docs/organized/docs/integrations/okta-oidc.mdx +149 -0
- package/.docs/organized/docs/integrations/okta-saml.mdx +3 -3
- package/.docs/organized/docs/integrations/okta-scim.mdx +6 -2
- package/.docs/organized/docs/integrations/onelogin-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/onelogin-scim.mdx +1 -1
- package/.docs/organized/docs/integrations/oracle-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/pingfederate-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/pingfederate-scim.mdx +1 -1
- package/.docs/organized/docs/integrations/pingone-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/rippling-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/rippling-scim.mdx +1 -1
- package/.docs/organized/docs/integrations/sailpoint-scim.mdx +77 -0
- package/.docs/organized/docs/integrations/salesforce-oauth.mdx +116 -0
- package/.docs/organized/docs/integrations/salesforce-saml.mdx +4 -4
- package/.docs/organized/docs/integrations/saml.mdx +43 -23
- package/.docs/organized/docs/integrations/scim.mdx +36 -24
- package/.docs/organized/docs/integrations/sftp.mdx +59 -36
- package/.docs/organized/docs/integrations/shibboleth-generic-saml.mdx +1 -1
- package/.docs/organized/docs/integrations/shibboleth-unsolicited-saml.mdx +1 -1
- package/.docs/organized/docs/integrations/simple-saml-php.mdx +2 -2
- package/.docs/organized/docs/integrations/slack-oauth.mdx +53 -49
- package/.docs/organized/docs/integrations/supabase-authkit.mdx +46 -0
- package/.docs/organized/docs/integrations/{supabase.mdx → supabase-sso.mdx} +6 -4
- package/.docs/organized/docs/integrations/vercel-oauth.mdx +120 -0
- package/.docs/organized/docs/integrations/vmware-saml.mdx +2 -2
- package/.docs/organized/docs/integrations/workday.mdx +1 -1
- package/.docs/organized/docs/integrations/xero-oauth.mdx +77 -32
- package/.docs/organized/docs/magic-link/example-apps.mdx +11 -11
- package/.docs/organized/docs/magic-link/index.mdx +2 -0
- package/.docs/organized/docs/mfa/example-apps.mdx +2 -2
- package/.docs/organized/docs/mfa/index.mdx +2 -2
- package/.docs/organized/docs/mfa/ux/enrollment.mdx +1 -1
- package/.docs/organized/docs/mfa/ux/sign-in.mdx +1 -1
- package/.docs/organized/docs/migrate/_navigation.mdx +21 -1
- package/.docs/organized/docs/migrate/auth0.mdx +5 -5
- package/.docs/organized/docs/migrate/aws-cognito.mdx +5 -5
- package/.docs/organized/docs/migrate/better-auth.mdx +282 -0
- package/.docs/organized/docs/migrate/clerk.mdx +9 -11
- package/.docs/organized/docs/migrate/descope.mdx +290 -0
- package/.docs/organized/docs/migrate/firebase.mdx +4 -4
- package/.docs/organized/docs/migrate/other-services.mdx +25 -6
- package/.docs/organized/docs/migrate/standalone-sso.mdx +14 -14
- package/.docs/organized/docs/migrate/stytch.mdx +363 -0
- package/.docs/organized/docs/migrate/supabase.mdx +255 -0
- package/.docs/organized/docs/on-prem-deployment.mdx +1 -1
- package/.docs/organized/docs/pipes/_navigation.mdx +12 -0
- package/.docs/organized/docs/pipes/index.mdx +75 -0
- package/.docs/organized/docs/pipes/providers.mdx +9 -0
- package/.docs/organized/docs/rbac/_navigation.mdx +16 -0
- package/.docs/organized/docs/rbac/configuration.mdx +80 -0
- package/.docs/organized/docs/rbac/idp-role-assignment.mdx +79 -0
- package/.docs/organized/docs/rbac/index.mdx +24 -0
- package/.docs/organized/docs/rbac/integration.mdx +59 -0
- package/.docs/organized/docs/rbac/organization-roles.mdx +38 -0
- package/.docs/organized/docs/rbac/quick-start.mdx +52 -0
- package/.docs/organized/docs/reference/_navigation.mdx +437 -284
- package/.docs/organized/docs/reference/admin-portal/portal-link/index.mdx +1 -1
- package/.docs/organized/docs/reference/admin-portal/provider-icons/index.mdx +3 -3
- package/.docs/organized/docs/reference/{api-keys.mdx → api-authentication/index.mdx} +3 -3
- package/.docs/organized/docs/reference/audit-logs/configuration/index.mdx +97 -0
- package/.docs/organized/docs/reference/audit-logs/{create-event.mdx → event/create.mdx} +12 -2
- package/.docs/organized/docs/reference/audit-logs/event/index.mdx +92 -0
- package/.docs/organized/docs/reference/audit-logs/{create-export.mdx → export/create.mdx} +1 -1
- package/.docs/organized/docs/reference/audit-logs/{get-export.mdx → export/get.mdx} +1 -1
- package/.docs/organized/docs/reference/audit-logs/{audit-log-export.mdx → export/index.mdx} +11 -12
- package/.docs/organized/docs/reference/audit-logs/{get-retention.mdx → retention/get.mdx} +1 -1
- package/.docs/organized/docs/reference/audit-logs/retention/index.mdx +25 -0
- package/.docs/organized/docs/reference/audit-logs/{set-retention.mdx → retention/set.mdx} +1 -1
- package/.docs/organized/docs/reference/audit-logs/{create-schema.mdx → schema/create.mdx} +1 -1
- package/.docs/organized/docs/reference/audit-logs/{audit-log-schema.mdx → schema/index.mdx} +5 -6
- package/.docs/organized/docs/reference/audit-logs/{list-actions.mdx → schema/list-actions.mdx} +2 -1
- package/.docs/organized/docs/reference/audit-logs/{list-schemas.mdx → schema/list.mdx} +1 -1
- package/.docs/organized/docs/reference/authkit/api-keys/create-for-organization.mdx +40 -0
- package/.docs/organized/docs/reference/authkit/api-keys/delete.mdx +23 -0
- package/.docs/organized/docs/reference/authkit/api-keys/index.mdx +275 -0
- package/.docs/organized/docs/reference/authkit/api-keys/list-for-organization.mdx +41 -0
- package/.docs/organized/docs/reference/authkit/api-keys/validate.mdx +77 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/code.mdx +138 -18
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/email-verification.mdx +10 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/get-authorization-url/error-codes.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/get-authorization-url/index.mdx +64 -17
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/get-authorization-url/pkce.mdx +2 -2
- package/.docs/organized/docs/reference/authkit/authentication/get-authorization-url/redirect-uri.mdx +47 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/index.mdx +19 -11
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/magic-auth.mdx +9 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/organization-selection.mdx +9 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/password.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/refresh-and-seal-session-data.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/refresh-token.mdx +17 -17
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/session-cookie.mdx +7 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication/totp.mdx +10 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/email-verification-required-error.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/index.mdx +1 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/mfa-challenge-error.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/mfa-enrollment-error.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/organization-authentication-required-error.mdx +3 -3
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/organization-selection-error.mdx +3 -4
- package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/sso-required-error.mdx +3 -3
- package/.docs/organized/docs/reference/authkit/cli-auth/device-authorization.mdx +61 -0
- package/.docs/organized/docs/reference/authkit/cli-auth/device-code.mdx +57 -0
- package/.docs/organized/docs/reference/authkit/cli-auth/error-codes.mdx +31 -0
- package/.docs/organized/docs/reference/authkit/cli-auth/index.mdx +22 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/email-verification/get.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/email-verification/index.mdx +9 -11
- package/.docs/organized/docs/reference/{user-management → authkit}/identity/index.mdx +6 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/identity/list.mdx +5 -6
- package/.docs/organized/docs/reference/authkit/index.mdx +13 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/accept.mdx +5 -5
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/find-by-token.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/get.mdx +8 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/index.mdx +10 -15
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/list.mdx +10 -11
- package/.docs/organized/docs/reference/authkit/invitation/resend.mdx +109 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/revoke.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/invitation/send.mdx +23 -13
- package/.docs/organized/docs/reference/{user-management → authkit}/logout/get-logout-url-from-session-cookie.mdx +2 -2
- package/.docs/organized/docs/reference/{user-management → authkit}/logout/get-logout-url.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/logout/index.mdx +4 -5
- package/.docs/organized/docs/reference/{user-management → authkit}/magic-auth/create.mdx +10 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/magic-auth/get.mdx +9 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/magic-auth/index.mdx +10 -15
- package/.docs/organized/docs/reference/{user-management → authkit}/mfa/authentication-challenge.mdx +9 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/mfa/authentication-factor.mdx +11 -11
- package/.docs/organized/docs/reference/{user-management → authkit}/mfa/enroll-auth-factor.mdx +19 -15
- package/.docs/organized/docs/reference/authkit/mfa/index.mdx +11 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/mfa/list-auth-factors.mdx +9 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/create.mdx +27 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/deactivate.mdx +10 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/delete.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/get.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/index.mdx +107 -14
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/list.mdx +10 -10
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/reactivate.mdx +11 -11
- package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/update.mdx +25 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/create.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/get.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/index.mdx +10 -12
- package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/reset-password.mdx +8 -8
- package/.docs/organized/docs/reference/authkit/session/index.mdx +128 -0
- package/.docs/organized/docs/reference/authkit/session/list.mdx +110 -0
- package/.docs/organized/docs/reference/authkit/session/revoke.mdx +73 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/authenticate.mdx +22 -6
- package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/get-logout-url.mdx +5 -5
- package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/index.mdx +2 -2
- package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/load-sealed-session.mdx +4 -4
- package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/refresh.mdx +18 -6
- package/.docs/organized/docs/reference/{user-management → authkit}/session-tokens/access-token.mdx +16 -8
- package/.docs/organized/docs/reference/authkit/session-tokens/index.mdx +5 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/session-tokens/jwks.mdx +8 -8
- package/.docs/organized/docs/reference/authkit/session-tokens/refresh-token.mdx +8 -0
- package/.docs/organized/docs/reference/{user-management → authkit}/user/create.mdx +36 -17
- package/.docs/organized/docs/reference/{user-management → authkit}/user/delete.mdx +8 -9
- package/.docs/organized/docs/reference/{user-management → authkit}/user/get-by-external-id.mdx +16 -4
- package/.docs/organized/docs/reference/{user-management → authkit}/user/get.mdx +8 -8
- package/.docs/organized/docs/reference/{user-management → authkit}/user/index.mdx +25 -15
- package/.docs/organized/docs/reference/{user-management → authkit}/user/list.mdx +9 -12
- package/.docs/organized/docs/reference/{user-management → authkit}/user/update.mdx +43 -20
- package/.docs/organized/docs/reference/{client-libraries.mdx → client-libraries/index.mdx} +2 -2
- package/.docs/organized/docs/reference/directory-sync/directory/index.mdx +1 -1
- package/.docs/organized/docs/reference/directory-sync/directory-group/index.mdx +1 -24
- package/.docs/organized/docs/reference/directory-sync/directory-user/index.mdx +1 -29
- package/.docs/organized/docs/reference/directory-sync/directory-user/list.mdx +1 -1
- package/.docs/organized/docs/reference/directory-sync/index.mdx +1 -1
- package/.docs/organized/docs/reference/domain-verification/create.mdx +35 -0
- package/.docs/organized/docs/reference/domain-verification/delete.mdx +55 -0
- package/.docs/organized/docs/reference/domain-verification/get.mdx +29 -0
- package/.docs/organized/docs/reference/domain-verification/index.mdx +57 -1
- package/.docs/organized/docs/reference/domain-verification/verify.mdx +29 -0
- package/.docs/organized/docs/reference/{errors.mdx → errors/index.mdx} +1 -1
- package/.docs/organized/docs/reference/events/list.mdx +5 -4
- package/.docs/organized/docs/reference/feature-flags/flag/disable.mdx +33 -0
- package/.docs/organized/docs/reference/feature-flags/flag/enable.mdx +33 -0
- package/.docs/organized/docs/reference/feature-flags/flag/get.mdx +32 -0
- package/.docs/organized/docs/reference/feature-flags/flag/index.mdx +116 -0
- package/.docs/organized/docs/reference/feature-flags/flag/list.mdx +67 -0
- package/.docs/organized/docs/reference/feature-flags/index.mdx +123 -0
- package/.docs/organized/docs/reference/feature-flags/targeting/add.mdx +43 -0
- package/.docs/organized/docs/reference/feature-flags/targeting/index.mdx +23 -0
- package/.docs/organized/docs/reference/feature-flags/targeting/list-for-organization.mdx +132 -0
- package/.docs/organized/docs/reference/feature-flags/targeting/list-for-user.mdx +94 -0
- package/.docs/organized/docs/reference/feature-flags/targeting/remove.mdx +43 -0
- package/.docs/organized/docs/reference/fga/access-check/check.mdx +102 -0
- package/.docs/organized/docs/reference/fga/access-check/index.mdx +6 -0
- package/.docs/organized/docs/reference/fga/access-check/list-memberships-by-external-id.mdx +143 -0
- package/.docs/organized/docs/reference/fga/access-check/list-memberships.mdx +127 -0
- package/.docs/organized/docs/reference/fga/access-check/list-resources.mdx +152 -0
- package/.docs/organized/docs/reference/fga/index.mdx +14 -2
- package/.docs/organized/docs/reference/fga/resource/create.mdx +74 -88
- package/.docs/organized/docs/reference/fga/resource/delete-by-external-id.mdx +78 -0
- package/.docs/organized/docs/reference/fga/resource/delete.mdx +38 -62
- package/.docs/organized/docs/reference/fga/resource/get-by-external-id.mdx +60 -0
- package/.docs/organized/docs/reference/fga/resource/get.mdx +15 -63
- package/.docs/organized/docs/reference/fga/resource/index.mdx +74 -73
- package/.docs/organized/docs/reference/fga/resource/list.mdx +90 -131
- package/.docs/organized/docs/reference/fga/resource/update-by-external-id.mdx +81 -0
- package/.docs/organized/docs/reference/fga/resource/update.mdx +29 -85
- package/.docs/organized/docs/reference/fga/role-assignment/create.mdx +89 -0
- package/.docs/organized/docs/reference/fga/role-assignment/delete-by-id.mdx +59 -0
- package/.docs/organized/docs/reference/fga/role-assignment/delete.mdx +90 -0
- package/.docs/organized/docs/reference/fga/role-assignment/index.mdx +106 -0
- package/.docs/organized/docs/reference/fga/role-assignment/list.mdx +86 -0
- package/.docs/organized/docs/reference/index.mdx +21 -12
- package/.docs/organized/docs/reference/magic-link/passwordless-session/index.mdx +1 -1
- package/.docs/organized/docs/reference/mfa/{challenge-factor.mdx → challenge/create.mdx} +1 -1
- package/.docs/organized/docs/reference/mfa/{authentication-challenge.mdx → challenge/index.mdx} +11 -14
- package/.docs/organized/docs/reference/mfa/{verify-challenge.mdx → challenge/verify.mdx} +10 -12
- package/.docs/organized/docs/reference/mfa/{delete-factor.mdx → factor/delete.mdx} +1 -1
- package/.docs/organized/docs/reference/mfa/{enroll-factor.mdx → factor/enroll.mdx} +1 -1
- package/.docs/organized/docs/reference/mfa/{get-factor.mdx → factor/get.mdx} +1 -1
- package/.docs/organized/docs/reference/mfa/{authentication-factor.mdx → factor/index.mdx} +11 -12
- package/.docs/organized/docs/reference/organization/create.mdx +1 -6
- package/.docs/organized/docs/reference/organization/get-by-external-id.mdx +1 -1
- package/.docs/organized/docs/reference/organization/index.mdx +5 -5
- package/.docs/organized/docs/reference/organization/update.mdx +1 -1
- package/.docs/organized/docs/reference/{pagination.mdx → pagination/index.mdx} +1 -3
- package/.docs/organized/docs/reference/pipes/access-token/get.mdx +174 -0
- package/.docs/organized/docs/reference/pipes/access-token/index.mdx +44 -0
- package/.docs/organized/docs/reference/pipes/connected-account/delete.mdx +42 -0
- package/.docs/organized/docs/reference/pipes/connected-account/get-authorize-url.mdx +49 -0
- package/.docs/organized/docs/reference/pipes/connected-account/get.mdx +42 -0
- package/.docs/organized/docs/reference/pipes/connected-account/index.mdx +69 -0
- package/.docs/organized/docs/reference/pipes/index.mdx +8 -0
- package/.docs/organized/docs/reference/pipes/provider/index.mdx +70 -0
- package/.docs/organized/docs/reference/pipes/provider/list.mdx +47 -0
- package/.docs/organized/docs/reference/radar/attempts/index.mdx +1 -1
- package/.docs/organized/docs/reference/radar/lists/index.mdx +1 -1
- package/.docs/organized/docs/reference/rate-limits/index.mdx +56 -0
- package/.docs/organized/docs/reference/roles/index.mdx +12 -262
- package/.docs/organized/docs/reference/roles/organization-role/add-permission.mdx +75 -0
- package/.docs/organized/docs/reference/roles/organization-role/create.mdx +95 -0
- package/.docs/organized/docs/reference/roles/organization-role/delete.mdx +47 -0
- package/.docs/organized/docs/reference/roles/organization-role/get.mdx +55 -0
- package/.docs/organized/docs/reference/roles/organization-role/index.mdx +148 -0
- package/.docs/organized/docs/reference/roles/organization-role/list.mdx +68 -0
- package/.docs/organized/docs/reference/roles/organization-role/remove-permission.mdx +68 -0
- package/.docs/organized/docs/reference/roles/organization-role/set-permissions.mdx +79 -0
- package/.docs/organized/docs/reference/roles/organization-role/update.mdx +85 -0
- package/.docs/organized/docs/reference/roles/permission/create.mdx +101 -0
- package/.docs/organized/docs/reference/roles/permission/delete.mdx +38 -0
- package/.docs/organized/docs/reference/roles/permission/get.mdx +45 -0
- package/.docs/organized/docs/reference/roles/permission/index.mdx +128 -0
- package/.docs/organized/docs/reference/roles/permission/list.mdx +91 -0
- package/.docs/organized/docs/reference/roles/permission/update.mdx +80 -0
- package/.docs/organized/docs/reference/roles/role/add-permission.mdx +63 -0
- package/.docs/organized/docs/reference/roles/role/create.mdx +103 -0
- package/.docs/organized/docs/reference/roles/role/get.mdx +52 -0
- package/.docs/organized/docs/reference/roles/role/index.mdx +135 -0
- package/.docs/organized/docs/reference/roles/role/list.mdx +56 -0
- package/.docs/organized/docs/reference/roles/role/set-permissions.mdx +67 -0
- package/.docs/organized/docs/reference/roles/role/update.mdx +78 -0
- package/.docs/organized/docs/reference/sso/connection/index.mdx +2 -2
- package/.docs/organized/docs/reference/sso/get-authorization-url/error-codes.mdx +5 -3
- package/.docs/organized/docs/reference/sso/get-authorization-url/index.mdx +24 -2
- package/.docs/organized/docs/reference/sso/get-authorization-url/redirect-uri.mdx +25 -1
- package/.docs/organized/docs/reference/sso/index.mdx +1 -1
- package/.docs/organized/docs/reference/sso/logout/authorize.mdx +0 -1
- package/.docs/organized/docs/reference/sso/logout/index.mdx +1 -2
- package/.docs/organized/docs/reference/sso/logout/redirect.mdx +0 -1
- package/.docs/organized/docs/reference/sso/profile/get-profile-and-token.mdx +13 -1
- package/.docs/organized/docs/reference/sso/profile/index.mdx +25 -24
- package/.docs/organized/docs/reference/{testing.mdx → testing/index.mdx} +1 -1
- package/.docs/organized/docs/reference/vault/key/create-data-key.mdx +29 -0
- package/.docs/organized/docs/reference/vault/key/decrypt-data-key.mdx +20 -0
- package/.docs/organized/docs/reference/vault/key/decrypt-data.mdx +24 -0
- package/.docs/organized/docs/reference/vault/key/encrypt-data.mdx +20 -0
- package/.docs/organized/docs/reference/vault/object/create.mdx +17 -0
- package/.docs/organized/docs/reference/vault/object/delete.mdx +12 -0
- package/.docs/organized/docs/reference/vault/object/get-by-name.mdx +61 -0
- package/.docs/organized/docs/reference/vault/object/get.mdx +11 -0
- package/.docs/organized/docs/reference/vault/object/index.mdx +50 -4
- package/.docs/organized/docs/reference/vault/object/list.mdx +40 -1
- package/.docs/organized/docs/reference/vault/object/update.mdx +18 -0
- package/.docs/organized/docs/reference/vault/object/version.mdx +15 -2
- package/.docs/organized/docs/reference/vault/object/versions.mdx +13 -0
- package/.docs/organized/docs/reference/widgets/get-token.mdx +8 -5
- package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/create.mdx +55 -0
- package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/delete.mdx +28 -0
- package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/index.mdx +60 -0
- package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/list.mdx +52 -0
- package/.docs/organized/docs/reference/workos-connect/applications/create.mdx +79 -0
- package/.docs/organized/docs/reference/workos-connect/applications/delete.mdx +28 -0
- package/.docs/organized/docs/reference/workos-connect/applications/get.mdx +59 -0
- package/.docs/organized/docs/reference/workos-connect/applications/index.mdx +40 -0
- package/.docs/organized/docs/reference/workos-connect/applications/list.mdx +49 -0
- package/.docs/organized/docs/reference/workos-connect/applications/m2m.mdx +52 -0
- package/.docs/organized/docs/reference/workos-connect/applications/oauth.mdx +85 -0
- package/.docs/organized/docs/reference/workos-connect/applications/update.mdx +59 -0
- package/.docs/organized/docs/reference/workos-connect/authorize/index.mdx +29 -1
- package/.docs/organized/docs/reference/workos-connect/cli-auth/authorize-device/index.mdx +81 -0
- package/.docs/organized/docs/reference/workos-connect/cli-auth/device-code-grant.mdx +74 -0
- package/.docs/organized/docs/reference/workos-connect/cli-auth/index.mdx +23 -0
- package/.docs/organized/docs/reference/workos-connect/index.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/introspection/index.mdx +8 -3
- package/.docs/organized/docs/reference/workos-connect/metadata/index.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/metadata/oauth-authorization-server/index.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/standalone/complete.mdx +68 -0
- package/.docs/organized/docs/reference/workos-connect/standalone/index.mdx +9 -0
- package/.docs/organized/docs/reference/workos-connect/standalone/user-consent-options.mdx +41 -0
- package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/access-token.mdx +6 -0
- package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/id-token.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/token/{authorization-code-grant/index.mdx → authorization-code-grant.mdx} +23 -2
- package/.docs/organized/docs/reference/workos-connect/token/client-credentials-grant/access-token.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/token/{client-credentials-grant/index.mdx → client-credentials-grant.mdx} +2 -2
- package/.docs/organized/docs/reference/workos-connect/token/index.mdx +5 -4
- package/.docs/organized/docs/reference/workos-connect/token/refresh-token-grant.mdx +1 -1
- package/.docs/organized/docs/reference/workos-connect/userinfo/index.mdx +2 -2
- package/.docs/organized/docs/sdks/authkit-js.mdx +14 -0
- package/.docs/organized/docs/sdks/authkit-nextjs.mdx +14 -0
- package/.docs/organized/docs/sdks/authkit-react-router.mdx +14 -0
- package/.docs/organized/docs/sdks/authkit-react.mdx +14 -0
- package/.docs/organized/docs/sdks/authkit-remix.mdx +14 -0
- package/.docs/organized/docs/sdks/authkit-tanstack-start.mdx +14 -0
- package/.docs/organized/docs/sso/_navigation.mdx +8 -2
- package/.docs/organized/docs/sso/attributes.mdx +15 -3
- package/.docs/organized/docs/sso/domains.mdx +8 -6
- package/.docs/organized/docs/sso/example-apps.mdx +2 -2
- package/.docs/organized/docs/sso/identity-provider-role-assignment.mdx +30 -30
- package/.docs/organized/docs/sso/index.mdx +7 -6
- package/.docs/organized/docs/sso/it-team-faq.mdx +1 -1
- package/.docs/organized/docs/sso/jit-provisioning.mdx +2 -3
- package/.docs/organized/docs/sso/launch-checklist.mdx +2 -2
- package/.docs/organized/docs/sso/login-flows.mdx +3 -3
- package/.docs/organized/docs/sso/redirect-uris.mdx +22 -11
- package/.docs/organized/docs/sso/saml-security.mdx +1 -1
- package/.docs/organized/docs/sso/sign-in-consent.mdx +59 -0
- package/.docs/organized/docs/sso/signing-certificates.mdx +7 -7
- package/.docs/organized/docs/sso/single-logout.mdx +0 -1
- package/.docs/organized/docs/sso/ux/sessions.mdx +99 -0
- package/.docs/organized/docs/sso/ux/sign-in.mdx +1 -1
- package/.docs/organized/docs/vault/_navigation.mdx +2 -0
- package/.docs/organized/docs/vault/byok.mdx +140 -0
- package/.docs/organized/docs/vault/index.mdx +1 -1
- package/.docs/organized/docs/widgets/_navigation.mdx +48 -0
- package/.docs/organized/docs/widgets/admin-portal-domain-verification.mdx +24 -0
- package/.docs/organized/docs/widgets/admin-portal-sso-connection.mdx +20 -0
- package/.docs/organized/docs/widgets/api-keys.mdx +28 -0
- package/.docs/organized/docs/widgets/audit-log-streaming.mdx +25 -0
- package/.docs/organized/docs/widgets/directory-sync.mdx +23 -0
- package/.docs/organized/docs/widgets/index.mdx +12 -0
- package/.docs/organized/docs/widgets/localization.mdx +111 -0
- package/.docs/organized/docs/widgets/organization-switcher.mdx +47 -0
- package/.docs/organized/docs/widgets/pipes.mdx +27 -0
- package/.docs/organized/docs/widgets/quick-start.mdx +38 -0
- package/.docs/organized/docs/widgets/styling/css-customization.mdx +100 -0
- package/.docs/organized/docs/widgets/styling/index.mdx +29 -0
- package/.docs/organized/docs/widgets/styling/theme-customization.mdx +51 -0
- package/.docs/organized/docs/widgets/tokens.mdx +17 -0
- package/.docs/organized/docs/widgets/user-management.mdx +28 -0
- package/.docs/organized/docs/widgets/user-profile.mdx +30 -0
- package/.docs/organized/docs/widgets/user-security.mdx +31 -0
- package/.docs/organized/docs/widgets/user-sessions.mdx +26 -0
- package/LICENSE +21 -0
- package/README.md +14 -1
- package/dist/prepare.js +1 -1
- package/dist/prepare.js.map +1 -1
- package/package.json +2 -1
- package/.docs/organized/docs/dashboard.mdx +0 -244
- package/.docs/organized/docs/demo/_navigation.mdx +0 -26
- package/.docs/organized/docs/demo/accordion.mdx +0 -34
- package/.docs/organized/docs/demo/checklist.mdx +0 -33
- package/.docs/organized/docs/demo/code-block.mdx +0 -185
- package/.docs/organized/docs/demo/definition-list.mdx +0 -35
- package/.docs/organized/docs/demo/index.mdx +0 -7
- package/.docs/organized/docs/demo/punctuation.mdx +0 -37
- package/.docs/organized/docs/demo/replacements.mdx +0 -26
- package/.docs/organized/docs/demo/table.mdx +0 -26
- package/.docs/organized/docs/demo/tabs.mdx +0 -17
- package/.docs/organized/docs/fga/identity-provider-sessions.mdx +0 -68
- package/.docs/organized/docs/fga/local-development.mdx +0 -155
- package/.docs/organized/docs/fga/modeling/abac.mdx +0 -107
- package/.docs/organized/docs/fga/modeling/blocklist.mdx +0 -84
- package/.docs/organized/docs/fga/modeling/conditional-roles.mdx +0 -99
- package/.docs/organized/docs/fga/modeling/custom-roles.mdx +0 -90
- package/.docs/organized/docs/fga/modeling/entitlements.mdx +0 -127
- package/.docs/organized/docs/fga/modeling/managed-service-provider.mdx +0 -131
- package/.docs/organized/docs/fga/modeling/org-roles-and-permissions.mdx +0 -95
- package/.docs/organized/docs/fga/modeling/policy-context.mdx +0 -231
- package/.docs/organized/docs/fga/modeling/public-access.mdx +0 -61
- package/.docs/organized/docs/fga/modeling/shareable-content.mdx +0 -106
- package/.docs/organized/docs/fga/modeling/superusers.mdx +0 -74
- package/.docs/organized/docs/fga/modeling/user-groups.mdx +0 -92
- package/.docs/organized/docs/fga/operations-usage.mdx +0 -104
- package/.docs/organized/docs/fga/playground.mdx +0 -12
- package/.docs/organized/docs/fga/policies.mdx +0 -462
- package/.docs/organized/docs/fga/query-language.mdx +0 -112
- package/.docs/organized/docs/fga/schema-management.mdx +0 -224
- package/.docs/organized/docs/fga/schema.mdx +0 -388
- package/.docs/organized/docs/fga/warrant-tokens.mdx +0 -44
- package/.docs/organized/docs/fga/warrants.mdx +0 -92
- package/.docs/organized/docs/reference/fga/batch-check.mdx +0 -277
- package/.docs/organized/docs/reference/fga/check.mdx +0 -563
- package/.docs/organized/docs/reference/fga/policy/create.mdx +0 -27
- package/.docs/organized/docs/reference/fga/policy/delete.mdx +0 -18
- package/.docs/organized/docs/reference/fga/policy/get.mdx +0 -23
- package/.docs/organized/docs/reference/fga/policy/index.mdx +0 -52
- package/.docs/organized/docs/reference/fga/policy/list.mdx +0 -41
- package/.docs/organized/docs/reference/fga/policy/update.mdx +0 -26
- package/.docs/organized/docs/reference/fga/query.mdx +0 -375
- package/.docs/organized/docs/reference/fga/resource/batch-write.mdx +0 -175
- package/.docs/organized/docs/reference/fga/resource-type/apply.mdx +0 -35
- package/.docs/organized/docs/reference/fga/resource-type/create.mdx +0 -24
- package/.docs/organized/docs/reference/fga/resource-type/delete.mdx +0 -22
- package/.docs/organized/docs/reference/fga/resource-type/get.mdx +0 -23
- package/.docs/organized/docs/reference/fga/resource-type/index.mdx +0 -68
- package/.docs/organized/docs/reference/fga/resource-type/list.mdx +0 -36
- package/.docs/organized/docs/reference/fga/resource-type/update.mdx +0 -23
- package/.docs/organized/docs/reference/fga/schema/apply.mdx +0 -42
- package/.docs/organized/docs/reference/fga/schema/get.mdx +0 -24
- package/.docs/organized/docs/reference/fga/schema/index.mdx +0 -39
- package/.docs/organized/docs/reference/fga/warrant/batch-write.mdx +0 -226
- package/.docs/organized/docs/reference/fga/warrant/create.mdx +0 -215
- package/.docs/organized/docs/reference/fga/warrant/delete.mdx +0 -212
- package/.docs/organized/docs/reference/fga/warrant/index.mdx +0 -186
- package/.docs/organized/docs/reference/fga/warrant/list.mdx +0 -282
- package/.docs/organized/docs/reference/idempotency.mdx +0 -21
- package/.docs/organized/docs/reference/organization-domain.mdx +0 -189
- package/.docs/organized/docs/reference/rate-limits.mdx +0 -50
- package/.docs/organized/docs/reference/roles/list-for-organization.mdx +0 -152
- package/.docs/organized/docs/reference/user-management/access-token/index.mdx +0 -13
- package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/redirect-uri.mdx +0 -23
- package/.docs/organized/docs/reference/user-management/index.mdx +0 -13
- package/.docs/organized/docs/reference/user-management/mfa/index.mdx +0 -5
- package/.docs/organized/docs/reference/user-management/session-tokens/index.mdx +0 -5
- package/.docs/organized/docs/reference/user-management/session-tokens/refresh-token.mdx +0 -8
- package/.docs/organized/docs/user-management/_navigation.mdx +0 -87
- package/.docs/organized/docs/user-management/authkit.mdx +0 -69
- package/.docs/organized/docs/user-management/connect.mdx +0 -110
- package/.docs/organized/docs/user-management/directory-provisioning.mdx +0 -78
- package/.docs/organized/docs/user-management/email-verification.mdx +0 -29
- package/.docs/organized/docs/user-management/entitlements.mdx +0 -46
- package/.docs/organized/docs/user-management/jit-provisioning.mdx +0 -36
- package/.docs/organized/docs/user-management/overview.mdx +0 -46
- package/.docs/organized/docs/user-management/roles-and-permissions.mdx +0 -155
- package/.docs/organized/docs/user-management/users-organizations.mdx +0 -91
- package/.docs/organized/docs/user-management/widgets.mdx +0 -190
|
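--- a/package/.docs/organized/docs/fga/modeling/custom-roles.mdx
+++ b/package/.docs/organized/docs/fga/modeling/custom-roles.mdx
@@ -1,90 +0,0 @@
----
-title: Custom Roles
-description: >-
-Allow B2B customers to create org-scoped custom roles and map them to a static
-set of permissions that grant capabilities in your application.
-originalPath: .tmp-workos-clone/packages/docs/content/fga/modeling/custom-roles.mdx
----
-
-> Explore the example from this guide [in the FGA Playground](https://explore.fga.workos.com/playground?example=custom_roles), where you can interact with the schema, warrants, and access checks in real-time!
-
-Customizable, role-based access control gives customers the freedom to define their own custom roles and map each one to a subset of the permissions offered by your application.
-
-## When to Use it
-
-Implement custom roles when:
-
-- **Role-based access control**: Your application's requirements call for role-based access control (RBAC).
-- **Custom roles**: Your customers need the ability to define custom roles that are scoped to their organization and map them to a static set of permissions in your application.
-
-## Schema
-
-```fga title="schema.txt"
-version 0.3
-
-type user
-
-type role
-relation member [user]
-
-type organization
-relation can_read_company_info [role]
-relation can_write_company_info [role]
-relation can_read_reports [role]
-relation can_write_reports [role]
-
-inherit can_read_company_info if
-any_of
-relation can_write_company_info
-relation member on can_read_company_info [role]
-
-inherit can_write_company_info if
-relation member on can_write_company_info [role]
-
-inherit can_read_reports if
-any_of
-relation can_write_reports
-relation member on can_read_reports [role]
-
-inherit can_write_reports if
-relation member on can_write_reports [role]
-
-```
-
-## Example
-
-### (1) Apply the schema
-
-Create a file called `schema.txt` containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
-
-> Note: make sure to select the correct environment with the [CLI](https://github.com/workos/workos-cli?tab=readme-ov-file#usage)
-
-```shell
-workos fga schema apply schema.txt
-```
-
----
-
-### (2) Create warrants
-
-Create warrants that associate organizations, roles, and users. The example schema defines the following relationships:
-
-- users with organizations
-- users with custom roles (e.g. `org:acme:read-only`)
-
-Let's create a few warrants between organization `acme`, role `org:acme:read-only`, and user `user_2oDscjroNWtzxzYEnEzT9P7VYEe`:
-
-<CodeBlock title="Create warrants" file="custom-roles-create-warrants" />
-
----
-
-### (3) Check access
-
-With our environment setup, we can check the user's permission to read company info.
-
-<CodeBlock
-title="Check if a user has a permission in their organization"
-file="custom-roles-check"
-/>
-
----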
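--- a/package/.docs/organized/docs/fga/modeling/entitlements.mdx
+++ b/package/.docs/organized/docs/fga/modeling/entitlements.mdx
@@ -1,127 +0,0 @@
----
-title: Feature Entitlements
-description: >-
-Restrict access to features in your SaaS application based on subscription
-tier using FGA policies and relation-based access control.
-originalPath: .tmp-workos-clone/packages/docs/content/fga/modeling/entitlements.mdx
----
-
-> Explore the example from this guide [in the FGA Playground](https://explore.fga.workos.com/playground?example=entitlements), where you can interact with the schema, warrants, and access checks in real-time!
-
-In SaaS applications, it's common to control access to product features based on a subscription tier. This approach allows product teams to define distinct experiences for different customer segments—like offering basic tools to free users/organizations and premium features to paying ones.
-
-For example, a design tool might offer a `Free` tier with limited capabilities and a `Pro` tier that unlocks collaboration and team-based workflows.
-
-## When to Use It?
-
-Use feature entitlements when:
-
-- Your product has multiple pricing tiers with different access levels.
-- You want to gate advanced features behind specific subscription plans.
-- Fine-grained resource access is controlled by subscription level.
-
-Use this approach when you need dynamic, policy-driven access control for features across different plans or user types. It’s especially helpful in multi-tenant SaaS apps where access logic needs to scale cleanly and stay centralized.
-
-## Example Applications
-
-- **B2B SaaS Platforms**: Unlock additional collaboration tools for premium customers.
-- **Design Tools**: Offer project and team management to higher-tier subscribers.
-- **Analytics Services**: Gate advanced reporting or integrations behind Enterprise plans.
-- **Productivity Software**: Provide shared team workspaces for Pro users.
-
-## Schema
-
-```fga
-version 0.3
-
-type user
-
-type organization
-relation admin [user]
-relation member [user]
-
-inherit member if
-relation admin
-
-// Tiers are defined by subscription attributes
-relation pro_subscriber []
-inherit pro_subscriber if
-all_of
-relation admin // In this example, you must be an admin on the org to get access to pro features
-policy is_pro_subscriber
-
-relation free_subscriber []
-inherit free_subscriber if
-any_of
-policy is_free_subscriber
-policy is_pro_subscriber // Pro subscribers can also access free features
-
-// Feature access based on subscription tier
-relation feature_projects []
-inherit feature_projects if
-all_of
-relation member
-relation free_subscriber
-
-relation feature_teams []
-inherit feature_teams if
-relation pro_subscriber
-
-// Teams and Projects demonstrate how you can utilize ReBAC permissions
-// to control access to features based on org subscription tiers
-type team
-relation owner [organization]
-
-relation view []
-inherit view if
-relation feature_teams on owner [organization]
-
-type project
-relation owner [organization]
-
-relation view []
-inherit view if
-relation feature_projects on owner [organization]
-
-// Policies check subscription attributes passed from a third party integration
-policy is_pro_subscriber(subscription_attrs map) {
-subscription_attrs.subscription_tier == "pro"
-}
-
-policy is_free_subscriber(subscription_attrs map) {
-subscription_attrs.subscription_tier == "free"
-}
-```
-
-> Note: Feature access is determined entirely by an organization’s subscription attributes, which are evaluated by policy. This approach enables dynamic, attribute-based access control without manually managing feature grants.
-
----
-
-## Example
-
-### (1) Apply the schema
-
-Create a file called `schema.txt` with the schema above, and apply it to your FGA environment using the CLI.
-
-```shell
-workos fga schema apply schema.txt
-```
-
----
-
-### (2) Add warrants
-
-Create warrants that associate users to organizations and add teams / projects.
-
-<CodeBlock title="Create warrants" file="entitlements-create-warrants" />
-
-### (3) Check access
-
-Once everything is set up, check if a user can access specific features.
-
-<CodeBlock
-title="Check if a user can access a feature"
-file="entitlements-check"
-/>
-
----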
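--- a/package/.docs/organized/docs/fga/modeling/managed-service-provider.mdx
+++ b/package/.docs/organized/docs/fga/modeling/managed-service-provider.mdx
@@ -1,131 +0,0 @@
----
-title: Managed Service Provider
-description: >-
-Model a managed service provider (MSP) that provides services to clients and
-manages projects, tasks, and assets.
-originalPath: >-
-.tmp-workos-clone/packages/docs/content/fga/modeling/managed-service-provider.mdx
----
-
-> Explore the example from this guide [in the FGA Playground](https://explore.fga.workos.com/playground?example=managed_service_provider), where you can interact with the schema, warrants, and access checks in real-time!
-
-In a managed service provider (MSP) scenario, a client organization grants access to an external provider to perform services or manage resources on its behalf, while retaining control over access by assigning roles to the provider and its personnel.
-
-## When to Use It?
-
-This model is ideal when you need to grant limited access to external service providers without compromising internal access controls. It’s particularly useful in scenarios where external teams (like IT consultants, marketing agencies, or law firms) are brought in to manage specific projects or assets.
-
-- **IT services**: Clients delegate infrastructure or helpdesk support to an MSP.
-- **Marketing agencies**: Agencies manage campaigns and related assets for clients.
-- **Law firms**: External legal teams manage cases and documents for clients.
-- **Project management**: Providers handle maintenance tasks and asset management for clients.
-- **Warehousing**: Providers manage inventory and logistics for clients.
-
-## Schema
-
-```fga title="schema.txt"
-version 0.3
-
-type user
-
-// A client is a customer of the provider
-type client
-relation admin [user]
-
-// A provider is a service provider managed by the client
-type provider
-relation admin [user]
-relation technician [user]
-
-inherit technician if
-relation admin
-
-// A project is a project managed by the client and assigned a provider
-type project
-relation client [client]
-relation provider [provider]
-relation editor [user]
-relation viewer [user]
-
-inherit editor if
-any_of
-relation admin on client [client]
-relation admin on provider [provider]
-relation technician on provider [provider]
-
-inherit viewer if
-any_of
-relation editor
-
-type task
-relation assignee [user]
-relation project [project]
-relation edit []
-relation view []
-
-inherit edit if
-any_of
-relation assignee
-relation editor on project [project]
-
-inherit view if
-any_of
-relation edit
-relation viewer on project [project]
-
-type asset
-relation manager [user]
-relation project [project]
-relation edit []
-relation view []
-
-inherit edit if
-any_of
-relation manager
-relation editor on project [project]
-
-inherit view if
-any_of
-relation edit
-relation viewer on project [project]
-
-```
-
-## Example
-
-### (1) Apply the schema
-
-Create a file called `schema.txt` containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
-
-> Note: make sure to select the correct environment with the [CLI](https://github.com/workos/workos-cli?tab=readme-ov-file#usage)
-
-```shell
-workos fga schema apply schema.txt
-```
-
----
-
-### (2) Create warrants
-
-Create warrants that associate users, clients, providers, and projects. The example schema defines the following relationships:
-
-- clients and providers with projects
-- tasks and assets as children of projects
-- users with clients or providers (using one of the defined roles: `admin` or `technician`)
-
-Let's create a few warrants between client `client-1`, provider `provider-1`, project `project-1`, and users:
-
-<CodeBlock title="Create warrants" file="msp-create-warrants" />
-
----
-
-### (3) Check access
-
-With our environment setup, we can check whether the user can view an asset.
-
-<CodeBlock
-title="Check if a user has permission to view an asset"
-file="msp-check"
-/>
-
----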
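--- a/package/.docs/organized/docs/fga/modeling/org-roles-and-permissions.mdx
+++ b/package/.docs/organized/docs/fga/modeling/org-roles-and-permissions.mdx
@@ -1,95 +0,0 @@
----
-title: Org Roles & Permissions
-description: >-
-Create org-scoped roles based on common user personas and map them to a static
-set of permissions that grant capabilities in your application.
-originalPath: >-
-.tmp-workos-clone/packages/docs/content/fga/modeling/org-roles-and-permissions.mdx
----
-
-> Explore the example from this guide [in the FGA Playground](https://explore.fga.workos.com/playground?example=org_roles_permissions), where you can interact with the schema, warrants, and access checks in real-time!
-
-Build a role-based access control (RBAC) that scopes each user's role and permission assignments to a specific organization.
-
-## When to Use it
-
-Implement org roles and permissions when:
-
-- **Role-based access control**: Your application's requirements call for role-based access control (RBAC)
-- **Org-specific roles**: Your customers want to grant their users privileges based on their role within a specific organization.
-
-## Schema
-
-```fga title="schema.txt"
-version 0.3
-
-type user
-
-type organization
-relation role_admin [user]
-relation role_read_only [user]
-inherit role_read_only if
-relation role_admin
-
-relation can_read_company_info [role]
-relation can_write_company_info [role]
-relation can_read_reports [role]
-relation can_write_reports [role]
-
-inherit can_read_company_info if
-any_of
-relation can_write_company_info
-relation role_read_only
-
-inherit can_write_company_info if
-relation role_admin
-
-inherit can_read_reports if
-any_of
-relation can_write_reports
-relation role_read_only
-
-inherit can_write_reports if
-relation role_admin
-```
-
-## Example
-
-### (1) Apply the schema
-
-Create a file called `schema.txt` containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
-
-> Note: make sure to select the correct environment with the [CLI](https://github.com/workos/workos-cli?tab=readme-ov-file#usage)
-
-```shell
-workos fga schema apply schema.txt
-```
-
----
-
-### (2) Create warrants
-
-Create warrants that associate organizations, roles, and users. The example schema defines the following relationships:
-
-- users with organizations
-- users with custom roles (e.g. `org:acme:read-only`)
-
-Let's create a few warrants between organization `acme`, role `org:acme:read-only`, and user `user_2oDscjroNWtzxzYEnEzT9P7VYEe`:
-
-<CodeBlock
-title="Create warrants"
-file="org-roles-permissions-create-warrants"
-/>
-
----
-
-### (3) Check access
-
-With our environment setup, we can check the user's permission to read company info.
-
-<CodeBlock
-title="Check if a user has a permission in their organization"
-file="org-roles-permissions-check"
-/>
-
----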
@@ -1,231 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
title: Policy Context
|
|
3
|
-
description: Learn how to pass context to policies in FGA.
|
|
4
|
-
originalPath: .tmp-workos-clone/packages/docs/content/fga/modeling/policy-context.mdx
|
|
5
|
-
---
|
|
6
|
-
|
|
7
|
-
Policies in FGA allow you to define complex access control rules based on the context of the request. This context can include resource attributes, location and temporal data, or any other relevant information that can help determine access to a specific resource.
|
|
8
|
-
|
|
9
|
-
This guide will walk you through the process of creating a policy that pulls context in two different ways: check context and injected context.
|
|
10
|
-
|
|
11
|
-
## When to Use it
|
|
12
|
-
|
|
13
|
-
Use policy context when:
|
|
14
|
-
|
|
15
|
-
- **Dynamic Access**: You need to make access decisions based on runtime attributes such as location, time of day, IP address, device type, or authentication method.
|
|
16
|
-
- **Resource Attribute-Based Access**: You want to enforce permissions based on properties of the resource itself such as a course’s level, a document’s classification, or user data.
|
|
17
|
-
- **Complex Policies**: You need to evaluate multiple attributes or conditions together to enforce advanced access rules.
|
|
18
|
-
|
|
19
|
-
## Check Context
|
|
20
|
-
|
|
21
|
-
In this approach, you pass context directly in the check request. These values are made available to the policy as named parameters and must be explicitly defined in the policy function signature within your schema.
|
|
22
|
-
|
|
23
|
-
```fga
|
|
24
|
-
version 0.3
|
|
25
|
-
|
|
26
|
-
type user
|
|
27
|
-
|
|
28
|
-
type course
|
|
29
|
-
relation editor [user]
|
|
30
|
-
relation viewer [user]
|
|
31
|
-
relation instructor [user]
|
|
32
|
-
|
|
33
|
-
relation edit []
|
|
34
|
-
relation view_materials []
|
|
35
|
-
relation moderate_discussion []
|
|
36
|
-
|
|
37
|
-
inherit edit if
|
|
38
|
-
all_of
|
|
39
|
-
relation editor
|
|
40
|
-
policy can_edit_course
|
|
41
|
-
policy has_security_compliance
|
|
42
|
-
|
|
43
|
-
inherit view_materials if
|
|
44
|
-
any_of
|
|
45
|
-
all_of
|
|
46
|
-
relation viewer
|
|
47
|
-
policy can_access_materials
|
|
48
|
-
relation edit
|
|
49
|
-
|
|
50
|
-
inherit moderate_discussion if
|
|
51
|
-
all_of
|
|
52
|
-
relation instructor
|
|
53
|
-
policy can_moderate_discussion
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
policy can_edit_course(check_data map, user_attr map) {
|
|
57
|
-
check_data.resource_type == "course" &&
|
|
58
|
-
check_data.resource_id in user_attr.assigned_course_ids &&
|
|
59
|
-
user_attr.role == "instructor"
|
|
60
|
-
}
|
|
61
|
-
|
|
62
|
-
policy can_access_materials(user_attr map, course_attr map) {
|
|
63
|
-
user_attr.is_enrolled == true &&
|
|
64
|
-
user_attr.org_id == course_attr.org_id
|
|
65
|
-
}
|
|
66
|
-
|
|
67
|
-
policy can_moderate_discussion(user_attr map, course_attr map) {
|
|
68
|
-
user_attr.verified == true &&
|
|
69
|
-
course_attr.discussion_enabled == true &&
|
|
70
|
-
course_attr.course_level == "advanced"
|
|
71
|
-
}
|
|
72
|
-
|
|
73
|
-
policy has_security_compliance(security_info map) {
|
|
74
|
-
security_info.mfa_enabled == true &&
|
|
75
|
-
date(security_info.last_password_change) > now() - duration("90d")
|
|
76
|
-
}
|
|
77
|
-
```
|
|
78
|
-
|
|
79
|
-
### (1) Apply the schema
|
|
80
|
-
|
|
81
|
-
Create a file called `schema.txt` containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
|
|
82
|
-
|
|
83
|
-
```shell
|
|
84
|
-
workos fga schema apply schema.txt
|
|
85
|
-
```
|
|
86
|
-
|
|
87
|
-
---
|
|
88
|
-
|
|
89
|
-
### (2) Create warrants
|
|
90
|
-
|
|
91
|
-
Create warrants that associate users with courses. We'll make a user an editor of a course:
|
|
92
|
-
|
|
93
|
-
<CodeBlock title="Create warrants" file="policy-context-warrants" />
|
|
94
|
-
|
|
95
|
-
---
|
|
96
|
-
|
|
97
|
-
### (3) Check access
|
|
98
|
-
|
|
99
|
-
With our environment setup, we can check the user's permission to `view_materials` on a course.
|
|
100
|
-
|
|
101
|
-
<CodeBlock
|
|
102
|
-
title="Check if a user has a permission on a course"
|
|
103
|
-
file="policy-context-passed-check"
|
|
104
|
-
/>
|
|
105
|
-
|
|
106
|
-
In this example, the check context includes `check_data`, `user_attr`, `course_attr`, and `security_info`. The policy will evaluate these attributes to determine if the user has access to view materials for the course.
|
|
107
|
-
|
|
108
|
-
> A drawback with this approach is the size of the context in the check request. This method of passing context requires no state in FGA (other than warrant data), but it starts to break down with complex schemas that require large sets of context data. Consider using injected context for more complex schemas.
|
|
109
|
-
|
|
110
|
-
## Injected Context
|
|
111
|
-
|
|
112
|
-
In this method, you can use context injected by the FGA service. Use injected context to fetch resource metadata in your policy so that you don't have to pass it in the check request.
|
|
113
|
-
|
|
114
|
-
This is useful when your schema requires large context objects, when the context is not known at the time of the check, or when you want to change schemas without updating context in the check request.
|
|
115
|
-
|
|
116
|
-
Read more about injected context and helper functions in the [policy documentation](/fga/policies/advanced-usage).
|
|
117
|
-
|
|
118
|
-
```fga
|
|
119
|
-
version 0.3
|
|
120
|
-
|
|
121
|
-
type user
|
|
122
|
-
|
|
123
|
-
type course
|
|
124
|
-
relation editor [user]
|
|
125
|
-
relation viewer [user]
|
|
126
|
-
relation instructor [user]
|
|
127
|
-
|
|
128
|
-
relation edit []
|
|
129
|
-
relation view_materials []
|
|
130
|
-
relation moderate_discussion []
|
|
131
|
-
|
|
132
|
-
inherit edit if
|
|
133
|
-
all_of
|
|
134
|
-
relation editor
|
|
135
|
-
policy can_edit_course
|
|
136
|
-
policy has_security_compliance
|
|
137
|
-
|
|
138
|
-
inherit view_materials if
|
|
139
|
-
any_of
|
|
140
|
-
all_of
|
|
141
|
-
relation viewer
|
|
142
|
-
policy can_access_materials
|
|
143
|
-
relation edit
|
|
144
|
-
|
|
145
|
-
inherit moderate_discussion if
|
|
146
|
-
all_of
|
|
147
|
-
relation instructor
|
|
148
|
-
policy can_moderate_discussion
|
|
149
|
-
|
|
150
|
-
policy can_edit_course() {
|
|
151
|
-
let user_metadata = get_metadata(check_ctx.subject_type, check_ctx.subject_id);
|
|
152
|
-
|
|
153
|
-
let is_user = check_ctx.subject_type == "user";
|
|
154
|
-
let is_course = check_ctx.resource_type == "course";
|
|
155
|
-
let is_assigned = check_ctx.resource_id in user_metadata.assigned_course_ids;
|
|
156
|
-
let is_instructor = user_metadata.role == "instructor";
|
|
157
|
-
|
|
158
|
-
is_user && is_course && is_assigned && is_instructor
|
|
159
|
-
}
|
|
160
|
-
|
|
161
|
-
policy can_access_materials() {
|
|
162
|
-
let user_metadata = get_metadata(check_ctx.subject_type, check_ctx.subject_id);
|
|
163
|
-
let course_metadata = get_metadata(check_ctx.resource_type, check_ctx.resource_id);
|
|
164
|
-
|
|
165
|
-
let is_user = check_ctx.subject_type == "user";
|
|
166
|
-
let is_enrolled = user_metadata.is_enrolled == true;
|
|
167
|
-
let same_org = user_metadata.org_id == course_metadata.org_id;
|
|
168
|
-
|
|
169
|
-
is_user && is_enrolled && same_org
|
|
170
|
-
}
|
|
171
|
-
|
|
172
|
-
policy can_moderate_discussion() {
|
|
173
|
-
let user_metadata = get_metadata(check_ctx.subject_type, check_ctx.subject_id);
|
|
174
|
-
let course_metadata = get_metadata(check_ctx.resource_type, check_ctx.resource_id);
|
|
175
|
-
|
|
176
|
-
let is_user = check_ctx.subject_type == "user";
|
|
177
|
-
let is_verified = user_metadata.verified == true;
|
|
178
|
-
let discussion_enabled = course_metadata.discussion_enabled == true;
|
|
179
|
-
let is_advanced = course_metadata.course_level == "advanced";
|
|
180
|
-
|
|
181
|
-
is_user && is_verified && discussion_enabled && is_advanced
|
|
182
|
-
}
|
|
183
|
-
|
|
184
|
-
policy has_security_compliance() {
|
|
185
|
-
let user_metadata = get_metadata(check_ctx.subject_type, check_ctx.subject_id);
|
|
186
|
-
|
|
187
|
-
let is_user = check_ctx.subject_type == "user";
|
|
188
|
-
let mfa_enabled = user_metadata.mfa_enabled == true;
|
|
189
|
-
let recent_password = date(user_metadata.last_password_change) > now() - duration("90d");
|
|
190
|
-
|
|
191
|
-
is_user && mfa_enabled && recent_password
|
|
192
|
-
}
|
|
193
|
-
```
|
|
194
|
-
|
|
195
|
-
### (1) Apply the schema
|
|
196
|
-
|
|
197
|
-
Create a file called `schema.txt` containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
|
|
198
|
-
|
|
199
|
-
```shell
|
|
200
|
-
workos fga schema apply schema.txt
|
|
201
|
-
```
|
|
202
|
-
|
|
203
|
-
---
|
|
204
|
-
|
|
205
|
-
### (2) Create warrants
|
|
206
|
-
|
|
207
|
-
Create warrants that associate users with courses. We'll make a user an editor of a course:
|
|
208
|
-
|
|
209
|
-
<CodeBlock title="Create warrants" file="policy-context-warrants" />
|
|
210
|
-
|
|
211
|
-
---
|
|
212
|
-
|
|
213
|
-
### (3) Update app code to sync resource metadata
|
|
214
|
-
|
|
215
|
-
In order to pull resource metadata from our policies, we need to update our app code to sync resource metadata with the FGA service. This is done by calling the [update resource](/reference/fga/resource/update) endpoint in the FGA API.
|
|
216
|
-
|
|
217
|
-
<CodeBlock
|
|
218
|
-
title="Update resource metadata"
|
|
219
|
-
file="policy-context-update-metadata"
|
|
220
|
-
/>
|
|
221
|
-
|
|
222
|
-
---
|
|
223
|
-
|
|
224
|
-
### (4) Check access
|
|
225
|
-
|
|
226
|
-
With our environment setup, we can check the user's permission to `view_materials` on a course.
|
|
227
|
-
|
|
228
|
-
<CodeBlock
|
|
229
|
-
title="Check if a user has a permission on a course"
|
|
230
|
-
file="policy-context-injected-check"
|
|
231
|
-
/>
|