@workos/mcp-docs-server 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.docs/organized/changelogs/workos-platform.json +277 -0
- package/.docs/organized/docs/admin-portal/_navigation.mdx +16 -0
- package/.docs/organized/docs/admin-portal/custom-branding.mdx +111 -0
- package/.docs/organized/docs/admin-portal/example-apps.mdx +46 -0
- package/.docs/organized/docs/admin-portal/index.mdx +240 -0
- package/.docs/organized/docs/audit-logs/_navigation.mdx +22 -0
- package/.docs/organized/docs/audit-logs/admin-portal.mdx +20 -0
- package/.docs/organized/docs/audit-logs/editing-events.mdx +27 -0
- package/.docs/organized/docs/audit-logs/exporting-events.mdx +29 -0
- package/.docs/organized/docs/audit-logs/index.mdx +110 -0
- package/.docs/organized/docs/audit-logs/log-streams.mdx +56 -0
- package/.docs/organized/docs/audit-logs/metadata-schema.mdx +21 -0
- package/.docs/organized/docs/custom-domains/_navigation.mdx +16 -0
- package/.docs/organized/docs/custom-domains/admin-portal.mdx +38 -0
- package/.docs/organized/docs/custom-domains/auth-api.mdx +59 -0
- package/.docs/organized/docs/custom-domains/authkit.mdx +36 -0
- package/.docs/organized/docs/custom-domains/email.mdx +41 -0
- package/.docs/organized/docs/custom-domains/index.mdx +19 -0
- package/.docs/organized/docs/dashboard.mdx +244 -0
- package/.docs/organized/docs/demo/_navigation.mdx +26 -0
- package/.docs/organized/docs/demo/accordion.mdx +34 -0
- package/.docs/organized/docs/demo/checklist.mdx +33 -0
- package/.docs/organized/docs/demo/code-block.mdx +185 -0
- package/.docs/organized/docs/demo/definition-list.mdx +35 -0
- package/.docs/organized/docs/demo/index.mdx +7 -0
- package/.docs/organized/docs/demo/punctuation.mdx +37 -0
- package/.docs/organized/docs/demo/replacements.mdx +26 -0
- package/.docs/organized/docs/demo/table.mdx +26 -0
- package/.docs/organized/docs/demo/tabs.mdx +17 -0
- package/.docs/organized/docs/directory-sync/_navigation.mdx +28 -0
- package/.docs/organized/docs/directory-sync/attributes.mdx +209 -0
- package/.docs/organized/docs/directory-sync/example-apps.mdx +46 -0
- package/.docs/organized/docs/directory-sync/handle-inactive-users.mdx +52 -0
- package/.docs/organized/docs/directory-sync/identity-provider-role-assignment.mdx +134 -0
- package/.docs/organized/docs/directory-sync/index.mdx +107 -0
- package/.docs/organized/docs/directory-sync/quick-start.mdx +129 -0
- package/.docs/organized/docs/directory-sync/understanding-events.mdx +209 -0
- package/.docs/organized/docs/domain-verification/_navigation.mdx +10 -0
- package/.docs/organized/docs/domain-verification/api.mdx +60 -0
- package/.docs/organized/docs/domain-verification/index.mdx +67 -0
- package/.docs/organized/docs/email.mdx +109 -0
- package/.docs/organized/docs/events/_navigation.mdx +22 -0
- package/.docs/organized/docs/events/data-syncing/data-reconciliation.mdx +56 -0
- package/.docs/organized/docs/events/data-syncing/events-api.mdx +114 -0
- package/.docs/organized/docs/events/data-syncing/index.mdx +66 -0
- package/.docs/organized/docs/events/data-syncing/webhooks.mdx +173 -0
- package/.docs/organized/docs/events/index.mdx +783 -0
- package/.docs/organized/docs/events/observability/datadog.mdx +76 -0
- package/.docs/organized/docs/fga/_navigation.mdx +64 -0
- package/.docs/organized/docs/fga/identity-provider-sessions.mdx +68 -0
- package/.docs/organized/docs/fga/index.mdx +60 -0
- package/.docs/organized/docs/fga/local-development.mdx +155 -0
- package/.docs/organized/docs/fga/modeling/abac.mdx +107 -0
- package/.docs/organized/docs/fga/modeling/blocklist.mdx +84 -0
- package/.docs/organized/docs/fga/modeling/conditional-roles.mdx +99 -0
- package/.docs/organized/docs/fga/modeling/custom-roles.mdx +90 -0
- package/.docs/organized/docs/fga/modeling/entitlements.mdx +127 -0
- package/.docs/organized/docs/fga/modeling/managed-service-provider.mdx +131 -0
- package/.docs/organized/docs/fga/modeling/org-roles-and-permissions.mdx +95 -0
- package/.docs/organized/docs/fga/modeling/policy-context.mdx +231 -0
- package/.docs/organized/docs/fga/modeling/public-access.mdx +61 -0
- package/.docs/organized/docs/fga/modeling/shareable-content.mdx +106 -0
- package/.docs/organized/docs/fga/modeling/superusers.mdx +74 -0
- package/.docs/organized/docs/fga/modeling/user-groups.mdx +92 -0
- package/.docs/organized/docs/fga/operations-usage.mdx +104 -0
- package/.docs/organized/docs/fga/playground.mdx +12 -0
- package/.docs/organized/docs/fga/policies.mdx +462 -0
- package/.docs/organized/docs/fga/query-language.mdx +112 -0
- package/.docs/organized/docs/fga/quick-start.mdx +174 -0
- package/.docs/organized/docs/fga/resources.mdx +92 -0
- package/.docs/organized/docs/fga/schema-management.mdx +224 -0
- package/.docs/organized/docs/fga/schema.mdx +388 -0
- package/.docs/organized/docs/fga/warrant-tokens.mdx +44 -0
- package/.docs/organized/docs/fga/warrants.mdx +92 -0
- package/.docs/organized/docs/glossary.mdx +184 -0
- package/.docs/organized/docs/integrations/_navigation.mdx +6 -0
- package/.docs/organized/docs/integrations/access-people-hr.mdx +87 -0
- package/.docs/organized/docs/integrations/adp-oidc.mdx +103 -0
- package/.docs/organized/docs/integrations/apple.mdx +169 -0
- package/.docs/organized/docs/integrations/auth0-directory-sync.mdx +78 -0
- package/.docs/organized/docs/integrations/auth0-enterprise-connection.mdx +92 -0
- package/.docs/organized/docs/integrations/auth0-saml.mdx +81 -0
- package/.docs/organized/docs/integrations/aws-cognito.mdx +81 -0
- package/.docs/organized/docs/integrations/bamboohr.mdx +90 -0
- package/.docs/organized/docs/integrations/breathe-hr.mdx +89 -0
- package/.docs/organized/docs/integrations/bubble.mdx +129 -0
- package/.docs/organized/docs/integrations/cas-saml.mdx +65 -0
- package/.docs/organized/docs/integrations/cezanne.mdx +74 -0
- package/.docs/organized/docs/integrations/classlink-saml.mdx +100 -0
- package/.docs/organized/docs/integrations/cloudflare-saml.mdx +164 -0
- package/.docs/organized/docs/integrations/cyberark-saml.mdx +138 -0
- package/.docs/organized/docs/integrations/cyberark-scim.mdx +100 -0
- package/.docs/organized/docs/integrations/duo-saml.mdx +127 -0
- package/.docs/organized/docs/integrations/entra-id-saml.mdx +156 -0
- package/.docs/organized/docs/integrations/entra-id-scim.mdx +218 -0
- package/.docs/organized/docs/integrations/firebase.mdx +98 -0
- package/.docs/organized/docs/integrations/fourth.mdx +66 -0
- package/.docs/organized/docs/integrations/github-oauth.mdx +85 -0
- package/.docs/organized/docs/integrations/gitlab-oauth.mdx +81 -0
- package/.docs/organized/docs/integrations/google-directory-sync.mdx +86 -0
- package/.docs/organized/docs/integrations/google-oauth.mdx +173 -0
- package/.docs/organized/docs/integrations/google-saml.mdx +135 -0
- package/.docs/organized/docs/integrations/hibob.mdx +98 -0
- package/.docs/organized/docs/integrations/jumpcloud-saml.mdx +96 -0
- package/.docs/organized/docs/integrations/jumpcloud-scim.mdx +106 -0
- package/.docs/organized/docs/integrations/keycloak-saml.mdx +128 -0
- package/.docs/organized/docs/integrations/lastpass-saml.mdx +134 -0
- package/.docs/organized/docs/integrations/linkedin-oauth.mdx +77 -0
- package/.docs/organized/docs/integrations/login-gov-oidc.mdx +103 -0
- package/.docs/organized/docs/integrations/microsoft-ad-fs-saml.mdx +96 -0
- package/.docs/organized/docs/integrations/microsoft-oauth.mdx +101 -0
- package/.docs/organized/docs/integrations/miniorange-saml.mdx +124 -0
- package/.docs/organized/docs/integrations/net-iq-saml.mdx +75 -0
- package/.docs/organized/docs/integrations/next-auth.mdx +257 -0
- package/.docs/organized/docs/integrations/oidc.mdx +64 -0
- package/.docs/organized/docs/integrations/okta-saml.mdx +144 -0
- package/.docs/organized/docs/integrations/okta-scim.mdx +210 -0
- package/.docs/organized/docs/integrations/onelogin-saml.mdx +131 -0
- package/.docs/organized/docs/integrations/onelogin-scim.mdx +150 -0
- package/.docs/organized/docs/integrations/oracle-saml.mdx +76 -0
- package/.docs/organized/docs/integrations/pingfederate-saml.mdx +103 -0
- package/.docs/organized/docs/integrations/pingfederate-scim.mdx +150 -0
- package/.docs/organized/docs/integrations/pingone-saml.mdx +86 -0
- package/.docs/organized/docs/integrations/react-native-expo.mdx +93 -0
- package/.docs/organized/docs/integrations/rippling-saml.mdx +174 -0
- package/.docs/organized/docs/integrations/rippling-scim.mdx +148 -0
- package/.docs/organized/docs/integrations/salesforce-saml.mdx +143 -0
- package/.docs/organized/docs/integrations/saml.mdx +64 -0
- package/.docs/organized/docs/integrations/scim.mdx +64 -0
- package/.docs/organized/docs/integrations/sftp.mdx +150 -0
- package/.docs/organized/docs/integrations/shibboleth-generic-saml.mdx +84 -0
- package/.docs/organized/docs/integrations/shibboleth-unsolicited-saml.mdx +84 -0
- package/.docs/organized/docs/integrations/simple-saml-php.mdx +78 -0
- package/.docs/organized/docs/integrations/slack-oauth.mdx +102 -0
- package/.docs/organized/docs/integrations/supabase.mdx +68 -0
- package/.docs/organized/docs/integrations/vmware-saml.mdx +100 -0
- package/.docs/organized/docs/integrations/workday.mdx +156 -0
- package/.docs/organized/docs/integrations/xero-oauth.mdx +83 -0
- package/.docs/organized/docs/magic-link/_navigation.mdx +16 -0
- package/.docs/organized/docs/magic-link/example-apps.mdx +46 -0
- package/.docs/organized/docs/magic-link/index.mdx +199 -0
- package/.docs/organized/docs/magic-link/launch-checklist.mdx +27 -0
- package/.docs/organized/docs/mfa/_navigation.mdx +18 -0
- package/.docs/organized/docs/mfa/example-apps.mdx +46 -0
- package/.docs/organized/docs/mfa/index.mdx +140 -0
- package/.docs/organized/docs/mfa/ux/enrollment.mdx +74 -0
- package/.docs/organized/docs/mfa/ux/sign-in.mdx +30 -0
- package/.docs/organized/docs/migrate/_navigation.mdx +6 -0
- package/.docs/organized/docs/migrate/auth0.mdx +98 -0
- package/.docs/organized/docs/migrate/aws-cognito.mdx +115 -0
- package/.docs/organized/docs/migrate/clerk.mdx +106 -0
- package/.docs/organized/docs/migrate/firebase.mdx +80 -0
- package/.docs/organized/docs/migrate/other-services.mdx +179 -0
- package/.docs/organized/docs/migrate/standalone-sso.mdx +105 -0
- package/.docs/organized/docs/on-prem-deployment.mdx +119 -0
- package/.docs/organized/docs/postman.mdx +90 -0
- package/.docs/organized/docs/reference/_navigation.mdx +527 -0
- package/.docs/organized/docs/reference/admin-portal/index.mdx +6 -0
- package/.docs/organized/docs/reference/admin-portal/portal-link/generate.mdx +268 -0
- package/.docs/organized/docs/reference/admin-portal/portal-link/index.mdx +15 -0
- package/.docs/organized/docs/reference/admin-portal/provider-icons/index.mdx +52 -0
- package/.docs/organized/docs/reference/api-keys.mdx +22 -0
- package/.docs/organized/docs/reference/audit-logs/audit-log-export.mdx +239 -0
- package/.docs/organized/docs/reference/audit-logs/audit-log-schema.mdx +69 -0
- package/.docs/organized/docs/reference/audit-logs/create-event.mdx +673 -0
- package/.docs/organized/docs/reference/audit-logs/create-export.mdx +308 -0
- package/.docs/organized/docs/reference/audit-logs/create-schema.mdx +95 -0
- package/.docs/organized/docs/reference/audit-logs/get-export.mdx +117 -0
- package/.docs/organized/docs/reference/audit-logs/get-retention.mdx +34 -0
- package/.docs/organized/docs/reference/audit-logs/index.mdx +6 -0
- package/.docs/organized/docs/reference/audit-logs/list-actions.mdx +40 -0
- package/.docs/organized/docs/reference/audit-logs/list-schemas.mdx +40 -0
- package/.docs/organized/docs/reference/audit-logs/set-retention.mdx +39 -0
- package/.docs/organized/docs/reference/client-libraries.mdx +19 -0
- package/.docs/organized/docs/reference/directory-sync/directory/delete.mdx +90 -0
- package/.docs/organized/docs/reference/directory-sync/directory/get.mdx +105 -0
- package/.docs/organized/docs/reference/directory-sync/directory/index.mdx +385 -0
- package/.docs/organized/docs/reference/directory-sync/directory/list.mdx +281 -0
- package/.docs/organized/docs/reference/directory-sync/directory-group/get.mdx +105 -0
- package/.docs/organized/docs/reference/directory-sync/directory-group/index.mdx +277 -0
- package/.docs/organized/docs/reference/directory-sync/directory-group/list.mdx +295 -0
- package/.docs/organized/docs/reference/directory-sync/directory-user/get.mdx +112 -0
- package/.docs/organized/docs/reference/directory-sync/directory-user/index.mdx +470 -0
- package/.docs/organized/docs/reference/directory-sync/directory-user/list.mdx +304 -0
- package/.docs/organized/docs/reference/directory-sync/index.mdx +10 -0
- package/.docs/organized/docs/reference/domain-verification/create.mdx +38 -0
- package/.docs/organized/docs/reference/domain-verification/get.mdx +32 -0
- package/.docs/organized/docs/reference/domain-verification/index.mdx +84 -0
- package/.docs/organized/docs/reference/domain-verification/verify.mdx +36 -0
- package/.docs/organized/docs/reference/errors.mdx +30 -0
- package/.docs/organized/docs/reference/events/index.mdx +9 -0
- package/.docs/organized/docs/reference/events/list.mdx +246 -0
- package/.docs/organized/docs/reference/fga/batch-check.mdx +277 -0
- package/.docs/organized/docs/reference/fga/check.mdx +563 -0
- package/.docs/organized/docs/reference/fga/index.mdx +6 -0
- package/.docs/organized/docs/reference/fga/policy/create.mdx +27 -0
- package/.docs/organized/docs/reference/fga/policy/delete.mdx +18 -0
- package/.docs/organized/docs/reference/fga/policy/get.mdx +23 -0
- package/.docs/organized/docs/reference/fga/policy/index.mdx +52 -0
- package/.docs/organized/docs/reference/fga/policy/list.mdx +41 -0
- package/.docs/organized/docs/reference/fga/policy/update.mdx +26 -0
- package/.docs/organized/docs/reference/fga/query.mdx +375 -0
- package/.docs/organized/docs/reference/fga/resource/batch-write.mdx +175 -0
- package/.docs/organized/docs/reference/fga/resource/create.mdx +130 -0
- package/.docs/organized/docs/reference/fga/resource/delete.mdx +86 -0
- package/.docs/organized/docs/reference/fga/resource/get.mdx +88 -0
- package/.docs/organized/docs/reference/fga/resource/index.mdx +98 -0
- package/.docs/organized/docs/reference/fga/resource/list.mdx +188 -0
- package/.docs/organized/docs/reference/fga/resource/update.mdx +115 -0
- package/.docs/organized/docs/reference/fga/resource-type/apply.mdx +35 -0
- package/.docs/organized/docs/reference/fga/resource-type/create.mdx +24 -0
- package/.docs/organized/docs/reference/fga/resource-type/delete.mdx +22 -0
- package/.docs/organized/docs/reference/fga/resource-type/get.mdx +23 -0
- package/.docs/organized/docs/reference/fga/resource-type/index.mdx +68 -0
- package/.docs/organized/docs/reference/fga/resource-type/list.mdx +36 -0
- package/.docs/organized/docs/reference/fga/resource-type/update.mdx +23 -0
- package/.docs/organized/docs/reference/fga/schema/apply.mdx +42 -0
- package/.docs/organized/docs/reference/fga/schema/get.mdx +24 -0
- package/.docs/organized/docs/reference/fga/schema/index.mdx +39 -0
- package/.docs/organized/docs/reference/fga/warrant/batch-write.mdx +226 -0
- package/.docs/organized/docs/reference/fga/warrant/create.mdx +215 -0
- package/.docs/organized/docs/reference/fga/warrant/delete.mdx +212 -0
- package/.docs/organized/docs/reference/fga/warrant/index.mdx +186 -0
- package/.docs/organized/docs/reference/fga/warrant/list.mdx +282 -0
- package/.docs/organized/docs/reference/idempotency.mdx +21 -0
- package/.docs/organized/docs/reference/index.mdx +194 -0
- package/.docs/organized/docs/reference/magic-link/index.mdx +8 -0
- package/.docs/organized/docs/reference/magic-link/passwordless-session/create.mdx +268 -0
- package/.docs/organized/docs/reference/magic-link/passwordless-session/index.mdx +203 -0
- package/.docs/organized/docs/reference/magic-link/passwordless-session/send-email.mdx +158 -0
- package/.docs/organized/docs/reference/mfa/authentication-challenge.mdx +217 -0
- package/.docs/organized/docs/reference/mfa/authentication-factor.mdx +381 -0
- package/.docs/organized/docs/reference/mfa/challenge-factor.mdx +170 -0
- package/.docs/organized/docs/reference/mfa/delete-factor.mdx +93 -0
- package/.docs/organized/docs/reference/mfa/enroll-factor.mdx +241 -0
- package/.docs/organized/docs/reference/mfa/get-factor.mdx +108 -0
- package/.docs/organized/docs/reference/mfa/index.mdx +8 -0
- package/.docs/organized/docs/reference/mfa/verify-challenge.mdx +228 -0
- package/.docs/organized/docs/reference/organization/create.mdx +216 -0
- package/.docs/organized/docs/reference/organization/delete.mdx +89 -0
- package/.docs/organized/docs/reference/organization/get-by-external-id.mdx +40 -0
- package/.docs/organized/docs/reference/organization/get.mdx +104 -0
- package/.docs/organized/docs/reference/organization/index.mdx +274 -0
- package/.docs/organized/docs/reference/organization/list.mdx +258 -0
- package/.docs/organized/docs/reference/organization/update.mdx +236 -0
- package/.docs/organized/docs/reference/organization-domain.mdx +189 -0
- package/.docs/organized/docs/reference/pagination.mdx +244 -0
- package/.docs/organized/docs/reference/radar/attempts/create.mdx +115 -0
- package/.docs/organized/docs/reference/radar/attempts/index.mdx +7 -0
- package/.docs/organized/docs/reference/radar/attempts/update.mdx +34 -0
- package/.docs/organized/docs/reference/radar/index.mdx +8 -0
- package/.docs/organized/docs/reference/radar/lists/delete.mdx +36 -0
- package/.docs/organized/docs/reference/radar/lists/index.mdx +7 -0
- package/.docs/organized/docs/reference/radar/lists/update.mdx +36 -0
- package/.docs/organized/docs/reference/rate-limits.mdx +50 -0
- package/.docs/organized/docs/reference/roles/index.mdx +268 -0
- package/.docs/organized/docs/reference/roles/list-for-organization.mdx +152 -0
- package/.docs/organized/docs/reference/sso/connection/delete.mdx +89 -0
- package/.docs/organized/docs/reference/sso/connection/get.mdx +104 -0
- package/.docs/organized/docs/reference/sso/connection/index.mdx +388 -0
- package/.docs/organized/docs/reference/sso/connection/list.mdx +320 -0
- package/.docs/organized/docs/reference/sso/get-authorization-url/error-codes.mdx +28 -0
- package/.docs/organized/docs/reference/sso/get-authorization-url/index.mdx +434 -0
- package/.docs/organized/docs/reference/sso/get-authorization-url/redirect-uri.mdx +21 -0
- package/.docs/organized/docs/reference/sso/index.mdx +8 -0
- package/.docs/organized/docs/reference/sso/logout/authorize.mdx +47 -0
- package/.docs/organized/docs/reference/sso/logout/index.mdx +14 -0
- package/.docs/organized/docs/reference/sso/logout/redirect.mdx +32 -0
- package/.docs/organized/docs/reference/sso/profile/get-profile-and-token.mdx +229 -0
- package/.docs/organized/docs/reference/sso/profile/get-user-profile.mdx +127 -0
- package/.docs/organized/docs/reference/sso/profile/index.mdx +364 -0
- package/.docs/organized/docs/reference/testing.mdx +8 -0
- package/.docs/organized/docs/reference/user-management/access-token/index.mdx +13 -0
- package/.docs/organized/docs/reference/user-management/authentication/code.mdx +448 -0
- package/.docs/organized/docs/reference/user-management/authentication/email-verification.mdx +359 -0
- package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/error-codes.mdx +25 -0
- package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/index.mdx +425 -0
- package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/pkce.mdx +9 -0
- package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/redirect-uri.mdx +23 -0
- package/.docs/organized/docs/reference/user-management/authentication/index.mdx +66 -0
- package/.docs/organized/docs/reference/user-management/authentication/magic-auth.mdx +353 -0
- package/.docs/organized/docs/reference/user-management/authentication/organization-selection.mdx +349 -0
- package/.docs/organized/docs/reference/user-management/authentication/password.mdx +350 -0
- package/.docs/organized/docs/reference/user-management/authentication/refresh-and-seal-session-data.mdx +57 -0
- package/.docs/organized/docs/reference/user-management/authentication/refresh-token.mdx +381 -0
- package/.docs/organized/docs/reference/user-management/authentication/session-cookie.mdx +79 -0
- package/.docs/organized/docs/reference/user-management/authentication/totp.mdx +369 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/email-verification-required-error.mdx +42 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/index.mdx +20 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/mfa-challenge-error.mdx +44 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/mfa-enrollment-error.mdx +37 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/organization-authentication-required-error.mdx +68 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/organization-selection-error.mdx +44 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/sso-required-error.mdx +51 -0
- package/.docs/organized/docs/reference/user-management/email-verification/get.mdx +88 -0
- package/.docs/organized/docs/reference/user-management/email-verification/index.mdx +227 -0
- package/.docs/organized/docs/reference/user-management/identity/index.mdx +74 -0
- package/.docs/organized/docs/reference/user-management/identity/list.mdx +52 -0
- package/.docs/organized/docs/reference/user-management/index.mdx +13 -0
- package/.docs/organized/docs/reference/user-management/invitation/accept.mdx +39 -0
- package/.docs/organized/docs/reference/user-management/invitation/find-by-token.mdx +87 -0
- package/.docs/organized/docs/reference/user-management/invitation/get.mdx +87 -0
- package/.docs/organized/docs/reference/user-management/invitation/index.mdx +374 -0
- package/.docs/organized/docs/reference/user-management/invitation/list.mdx +247 -0
- package/.docs/organized/docs/reference/user-management/invitation/revoke.mdx +90 -0
- package/.docs/organized/docs/reference/user-management/invitation/send.mdx +230 -0
- package/.docs/organized/docs/reference/user-management/logout/get-logout-url-from-session-cookie.mdx +52 -0
- package/.docs/organized/docs/reference/user-management/logout/get-logout-url.mdx +147 -0
- package/.docs/organized/docs/reference/user-management/logout/index.mdx +26 -0
- package/.docs/organized/docs/reference/user-management/magic-auth/create.mdx +148 -0
- package/.docs/organized/docs/reference/user-management/magic-auth/get.mdx +88 -0
- package/.docs/organized/docs/reference/user-management/magic-auth/index.mdx +225 -0
- package/.docs/organized/docs/reference/user-management/mfa/authentication-challenge.mdx +194 -0
- package/.docs/organized/docs/reference/user-management/mfa/authentication-factor.mdx +324 -0
- package/.docs/organized/docs/reference/user-management/mfa/enroll-auth-factor.mdx +296 -0
- package/.docs/organized/docs/reference/user-management/mfa/index.mdx +5 -0
- package/.docs/organized/docs/reference/user-management/mfa/list-auth-factors.mdx +194 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/create.mdx +155 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/deactivate.mdx +106 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/delete.mdx +76 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/get.mdx +95 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/index.mdx +265 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/list.mdx +291 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/reactivate.mdx +106 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/update.mdx +119 -0
- package/.docs/organized/docs/reference/user-management/password-reset/create.mdx +108 -0
- package/.docs/organized/docs/reference/user-management/password-reset/get.mdx +88 -0
- package/.docs/organized/docs/reference/user-management/password-reset/index.mdx +227 -0
- package/.docs/organized/docs/reference/user-management/password-reset/reset-password.mdx +144 -0
- package/.docs/organized/docs/reference/user-management/session-helpers/authenticate.mdx +176 -0
- package/.docs/organized/docs/reference/user-management/session-helpers/get-logout-url.mdx +42 -0
- package/.docs/organized/docs/reference/user-management/session-helpers/index.mdx +14 -0
- package/.docs/organized/docs/reference/user-management/session-helpers/load-sealed-session.mdx +105 -0
- package/.docs/organized/docs/reference/user-management/session-helpers/refresh.mdx +213 -0
- package/.docs/organized/docs/reference/user-management/session-tokens/access-token.mdx +90 -0
- package/.docs/organized/docs/reference/user-management/session-tokens/index.mdx +5 -0
- package/.docs/organized/docs/reference/user-management/session-tokens/jwks.mdx +110 -0
- package/.docs/organized/docs/reference/user-management/session-tokens/refresh-token.mdx +8 -0
- package/.docs/organized/docs/reference/user-management/user/create.mdx +327 -0
- package/.docs/organized/docs/reference/user-management/user/delete.mdx +76 -0
- package/.docs/organized/docs/reference/user-management/user/get-by-external-id.mdx +39 -0
- package/.docs/organized/docs/reference/user-management/user/get.mdx +103 -0
- package/.docs/organized/docs/reference/user-management/user/index.mdx +322 -0
- package/.docs/organized/docs/reference/user-management/user/list.mdx +260 -0
- package/.docs/organized/docs/reference/user-management/user/update.mdx +344 -0
- package/.docs/organized/docs/reference/vault/index.mdx +6 -0
- package/.docs/organized/docs/reference/vault/key/create-data-key.mdx +106 -0
- package/.docs/organized/docs/reference/vault/key/decrypt-data-key.mdx +84 -0
- package/.docs/organized/docs/reference/vault/key/decrypt-data.mdx +52 -0
- package/.docs/organized/docs/reference/vault/key/encrypt-data.mdx +58 -0
- package/.docs/organized/docs/reference/vault/key/index.mdx +25 -0
- package/.docs/organized/docs/reference/vault/object/create.mdx +62 -0
- package/.docs/organized/docs/reference/vault/object/delete.mdx +75 -0
- package/.docs/organized/docs/reference/vault/object/get.mdx +50 -0
- package/.docs/organized/docs/reference/vault/object/index.mdx +174 -0
- package/.docs/organized/docs/reference/vault/object/list.mdx +105 -0
- package/.docs/organized/docs/reference/vault/object/metadata.mdx +52 -0
- package/.docs/organized/docs/reference/vault/object/update.mdx +67 -0
- package/.docs/organized/docs/reference/vault/object/version.mdx +87 -0
- package/.docs/organized/docs/reference/vault/object/versions.mdx +83 -0
- package/.docs/organized/docs/reference/widgets/get-token.mdx +185 -0
- package/.docs/organized/docs/reference/widgets/index.mdx +6 -0
- package/.docs/organized/docs/reference/workos-connect/authorize/index.mdx +75 -0
- package/.docs/organized/docs/reference/workos-connect/index.mdx +33 -0
- package/.docs/organized/docs/reference/workos-connect/introspection/index.mdx +122 -0
- package/.docs/organized/docs/reference/workos-connect/metadata/index.mdx +25 -0
- package/.docs/organized/docs/reference/workos-connect/metadata/oauth-authorization-server/index.mdx +99 -0
- package/.docs/organized/docs/reference/workos-connect/metadata/openid-configuration/index.mdx +70 -0
- package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/access-token.mdx +53 -0
- package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/id-token.mdx +60 -0
- package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/index.mdx +69 -0
- package/.docs/organized/docs/reference/workos-connect/token/client-credentials-grant/access-token.mdx +46 -0
- package/.docs/organized/docs/reference/workos-connect/token/client-credentials-grant/index.mdx +56 -0
- package/.docs/organized/docs/reference/workos-connect/token/index.mdx +39 -0
- package/.docs/organized/docs/reference/workos-connect/token/refresh-token-grant.mdx +69 -0
- package/.docs/organized/docs/reference/workos-connect/userinfo/index.mdx +46 -0
- package/.docs/organized/docs/sdks/dotnet.mdx +6 -0
- package/.docs/organized/docs/sdks/elixir.mdx +6 -0
- package/.docs/organized/docs/sdks/go.mdx +6 -0
- package/.docs/organized/docs/sdks/java.mdx +9 -0
- package/.docs/organized/docs/sdks/laravel.mdx +6 -0
- package/.docs/organized/docs/sdks/node.mdx +9 -0
- package/.docs/organized/docs/sdks/php.mdx +6 -0
- package/.docs/organized/docs/sdks/python.mdx +6 -0
- package/.docs/organized/docs/sdks/ruby.mdx +9 -0
- package/.docs/organized/docs/sso/_navigation.mdx +44 -0
- package/.docs/organized/docs/sso/_sequence-diagrams/saml-protocol-security-considerations.md +59 -0
- package/.docs/organized/docs/sso/attributes.mdx +110 -0
- package/.docs/organized/docs/sso/domains.mdx +111 -0
- package/.docs/organized/docs/sso/example-apps.mdx +46 -0
- package/.docs/organized/docs/sso/identity-provider-role-assignment.mdx +113 -0
- package/.docs/organized/docs/sso/index.mdx +295 -0
- package/.docs/organized/docs/sso/it-team-faq.mdx +35 -0
- package/.docs/organized/docs/sso/jit-provisioning.mdx +101 -0
- package/.docs/organized/docs/sso/launch-checklist.mdx +71 -0
- package/.docs/organized/docs/sso/login-flows.mdx +101 -0
- package/.docs/organized/docs/sso/redirect-uris.mdx +44 -0
- package/.docs/organized/docs/sso/saml-security.mdx +122 -0
- package/.docs/organized/docs/sso/signing-certificates.mdx +121 -0
- package/.docs/organized/docs/sso/single-logout.mdx +45 -0
- package/.docs/organized/docs/sso/test-sso.mdx +73 -0
- package/.docs/organized/docs/sso/ux/sign-in.mdx +44 -0
- package/.docs/organized/docs/user-management/_navigation.mdx +87 -0
- package/.docs/organized/docs/user-management/actions.mdx +169 -0
- package/.docs/organized/docs/user-management/authkit.mdx +69 -0
- package/.docs/organized/docs/user-management/branding.mdx +143 -0
- package/.docs/organized/docs/user-management/connect.mdx +110 -0
- package/.docs/organized/docs/user-management/custom-emails.mdx +164 -0
- package/.docs/organized/docs/user-management/directory-provisioning.mdx +78 -0
- package/.docs/organized/docs/user-management/domain-verification.mdx +28 -0
- package/.docs/organized/docs/user-management/email-password.mdx +42 -0
- package/.docs/organized/docs/user-management/email-verification.mdx +29 -0
- package/.docs/organized/docs/user-management/entitlements.mdx +46 -0
- package/.docs/organized/docs/user-management/example-apps.mdx +39 -0
- package/.docs/organized/docs/user-management/identity-linking.mdx +52 -0
- package/.docs/organized/docs/user-management/impersonation.mdx +82 -0
- package/.docs/organized/docs/user-management/index.mdx +525 -0
- package/.docs/organized/docs/user-management/invitations.mdx +60 -0
- package/.docs/organized/docs/user-management/invite-only-signup.mdx +72 -0
- package/.docs/organized/docs/user-management/jit-provisioning.mdx +36 -0
- package/.docs/organized/docs/user-management/jwt-templates.mdx +278 -0
- package/.docs/organized/docs/user-management/magic-auth.mdx +36 -0
- package/.docs/organized/docs/user-management/mcp.mdx +146 -0
- package/.docs/organized/docs/user-management/metadata.mdx +119 -0
- package/.docs/organized/docs/user-management/mfa.mdx +32 -0
- package/.docs/organized/docs/user-management/migrations.mdx +20 -0
- package/.docs/organized/docs/user-management/modeling-your-app.mdx +149 -0
- package/.docs/organized/docs/user-management/organization-policies.mdx +33 -0
- package/.docs/organized/docs/user-management/overview.mdx +46 -0
- package/.docs/organized/docs/user-management/passkeys.mdx +42 -0
- package/.docs/organized/docs/user-management/radar.mdx +127 -0
- package/.docs/organized/docs/user-management/roles-and-permissions.mdx +155 -0
- package/.docs/organized/docs/user-management/sessions.mdx +101 -0
- package/.docs/organized/docs/user-management/social-login.mdx +34 -0
- package/.docs/organized/docs/user-management/sso-with-contractors.mdx +85 -0
- package/.docs/organized/docs/user-management/sso.mdx +96 -0
- package/.docs/organized/docs/user-management/users-organizations.mdx +91 -0
- package/.docs/organized/docs/user-management/widgets.mdx +190 -0
- package/.docs/organized/docs/vault/_navigation.mdx +14 -0
- package/.docs/organized/docs/vault/index.mdx +38 -0
- package/.docs/organized/docs/vault/key-context.mdx +32 -0
- package/.docs/organized/docs/vault/quick-start.mdx +82 -0
- package/README.md +252 -0
- package/dist/chunk-64GKEK6G.js +48 -0
- package/dist/chunk-64GKEK6G.js.map +1 -0
- package/dist/get-tools.d.ts +23 -0
- package/dist/get-tools.js +8 -0
- package/dist/get-tools.js.map +1 -0
- package/dist/index.d.ts +1 -0
- package/dist/index.js +552 -0
- package/dist/index.js.map +1 -0
- package/dist/prepare.d.ts +2 -0
- package/dist/prepare.js +269 -0
- package/dist/prepare.js.map +1 -0
- package/package.json +49 -0
|
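--- /dev/null
+++ b/PATH_NOT_IN_VIEW/policies.mdx
@@ -0,0 +1,462 @@
+---
+title: Policies
+description: >-
+Use policies to implement advanced attribute based access control with FGA,
+providing relevant data from your application at access control check time.
+showNextPage: true
+originalPath: .tmp-workos-clone/packages/docs/content/fga/policies.mdx
+---
+
+WorkOS FGA allows you to define custom logic that is executed when evaluating access checks. A **policy** is a [boolean expression](https://en.wikipedia.org/wiki/Boolean_expression) that specifies additional conditions to be satisfied in order for an access check to be authorized. Use policies to enforce complex rules and conditions that go beyond simple role-based access control (RBAC) or attribute-based access control (ABAC).
+
+Policies can be defined on warrants or as part of your schema.
+
+> FGA currently supports defining policy expressions using [expr](https://expr-lang.org/docs/language-definition). Support for more policy languages will be coming soon.
+
+## Warrant Policies
+
+You can optionally include a policy in a warrant. For a warrant to match a check/query, its policy must evaluate to true. The system evaluates policies after matching the warrant based on its resource, relation, and subject attributes. It evaluates the policy in the context of the check/query request, using any dynamic values provided via the context attribute (see [context](fga/policies/warrant-policies/context) below) to process the expression.
+
+For example, the following warrant states that `[role:accountant] is a [member] of [permission:view-profits-and-losses]` _only when_ `companyId == 'wayne-enterprises'`:
+
+```json
+{
+"resource_type": "permission",
+"resource_id": "view-profits-and-losses",
+"relation": "member",
+"subject": {
+"resource_type": "role",
+"resource_id": "accountant"
+},
+"policy": "companyId == 'wayne-enterprises'"
+}
+```
+
+Policies can reference dynamic variables. You must provide values for these variables in check or query requests via the context attribute (e.g., role, tenant, or geographic location). Before evaluating a policy, the system substitutes the provided values into the expression. Policy expressions undergo static type checking, so type mismatches prevent evaluation from returning true. Policies with missing values or evaluation errors also do not return true. The system compiles and statically checks policies for errors upon creation.
+
+Policies have numerous uses but are most commonly used to implement forms of attribute-based access control (ABAC). For example, create a warrant that only matches users visiting from a specific IP address:
+
+```json
+{
+"resource_type": "database",
+"resource_id": "prod",
+"relation": "admin",
+"subject": {
+"resource_type": "user",
+"resource_id": "ops-user"
+},
+"policy": "user.client_ip == '192.168.1.1'"
+}
+```
+
+Combine policies with role-based access control (RBAC) to support different role/permission mappings per customer or tenant. For example, define a warrant stating that `[role:accountant]` grants `[permission:view-balance-sheet]` only when `companyId == 'wayne-enterprises'`:
+
+```json
+{
+"resource_type": "permission",
+"resource_id": "view-balance-sheet",
+"relation": "member",
+"subject": {
+"resource_type": "role",
+"resource_id": "accountant"
+},
+"policy": "companyId == 'wayne-enterprises'"
+}
+```
+
+Create another warrant specifying that `[role:accountant]` grants users `[permission:view-profits-and-losses]` only when `companyId == 'daily-planet'`:
+
+```json
+{
+"resource_type": "permission",
+"resource_id": "view-profits-and-losses",
+"relation": "member",
+"subject": {
+"resource_type": "role",
+"resource_id": "accountant"
+},
+"policy": "companyId == 'daily-planet'"
+}
+```
+
+### Context
+
+[Make access checks](/reference/fga/check), passing in different `companyId` values via the `context` based on the company a user belongs to:
+
+```json
+{
+"checks": [
+{
+"resource_type": "permission",
+"resource_id": "view-profits-and-losses",
+"relation": "member",
+"subject": {
+"resource_type": "role",
+"resource_id": "accountant"
+},
+"context": {
+"companyId": "wayne-enterprises"
+}
+}
+]
+}
+```
+
+This access check returns `false` because `[role:accountant]` only grants `[permission:view-profits-and-losses]` within the context of company `daily-planet`.
+
+## Schema Policies
+
+You can reference policies in your schema, allowing you to define and reuse complex rules across different relations and inheritance rules. Use policies in the inherit clause of your schema definition.
+For example, consider the following schema:
+
+```fga
+version 0.3
+
+type user
+
+type organization
+relation viewer [user]
+
+relation view []
+inherit view if
+all_of
+policy ip_allowed
+relation viewer
+
+policy ip_allowed(clientIp string) {
+clientIp matches "192\\.168\\..*\\..*"
+}
+```
+
+Here, the `view` relation is inherited based on the ip_allowed policy and the viewer relation. This means that users must meet the conditions of the `ip_allowed` policy and also be in the `viewer` relation to access the `view` permission.
+
+`view` has no allowed types, so it cannot be assigned a warrant directly. Instead, it inherits from the `viewer` relation and the `ip_allowed` policy so that we can check if a user is in the `viewer` relation and also meets the conditions of the `ip_allowed` policy.
+
+> Make sure schema version is set to `0.3` or higher to use policies in your schema.
+
+### Defining and Using Policies
+
+Policies can be defined in the Schema Editor of the WorkOS FGA Dashboard or via the API. Each policy consists of the following fields:
+
+- **name** - a unique identifier for the policy
+- **language** - currently only `expr` is supported
+- **parameters** - define which values the policy accepts
+- **expression** - the boolean expression that defines the policy
+
+#### Policy Syntax
+
+`Expr` policies are defined directly in your FGA schema, making it easy to view policies alongside your inheritance rules. More languages will be supported in the future and managed through a different user interface.
+
+```txt
+policy <policy_name>(<parameter_name> <parameter_type>, ...) {
+<expression>
+}
+```
+
+> View `expr` language [documentation](https://expr-lang.org/docs/language-definition).
+
+Policies are referenced in inheritance rules using their name.
+
+```txt
+inherit <relation_name> if
+policy <policy_name>
+```
+
+### Attribute-Based Access Control (ABAC)
+
+You can use policies to implement pure attribute-based access control (ABAC) without any inheritance rules or warrant data. This allows you to define access control based solely on user attributes or other context values as you would with a policy engine. For example:
+
+```fga
+version 0.3
+
+type user
+
+type organization
+relation view_internal_settings []
+inherit view_internal_settings if
+policy staff_user
+
+policy staff_user(user map) {
+user.email endsWith "@internal-domain.com" && user.role == "staff"
+}
+```
+
+In this example, the `view_internal_settings` relation inherits from the `staff_user` policy. This means only users with a staff role and an email ending in `@internal-domain.com` can access `view_internal_settings`.
+
+Since this policy is the sole inheritance rule for `view_internal_settings`, FGA does not check for warrants when evaluating access. This allows you to use FGA purely as an attribute-based access control (ABAC) system if desired.
+
+### Combining Policies with ReBAC
+
+Policies can also be combined with ReBAC inheritance rules to create more complex access control models. Consider the following example:
+
+```fga
+version 0.3
+
+type user
+
+type organization
+relation admin [user]
+relation configure_payments [user]
+
+inherit configure_payments if
+all_of
+relation admin
+policy has_strong_auth
+
+policy has_strong_auth(user_attributes map) {
+user_attributes.mfa_enabled == true &&
+user_attributes.account_age_days > 30
+}
+```
+
+In this example, the `configure_payments` relation inherits from both the `admin` relation and the `has_strong_auth` policy. This means that users must be an admin and meet the strong authentication requirements to access the `configure_payments` relation.
+
+## Managing Policies via API
+
+WorkOS FGA provides API endpoints if you prefer managing policies programmatically and separately from the schema.
+
+For more details, see the [Policies API documentation](/reference/fga/policy).
+
+## Making Checks
+
+When making an FGA check, pass the required context values as you would with warrant policies. FGA evaluates warrant and schema policies together during access checks.
+
+```json
+{
+"checks": [
+{
+"resource_type": "organization",
+"resource_id": "acme-corp",
+"relation": "configure_payments",
+"subject": {
+"resource_type": "user",
+"resource_id": "123"
+},
+"context": {
+"user_attributes": { "mfa_enabled": true, "account_age_days": 45 }
+}
+}
+]
+}
+```
+
+## Policies in Schema JSON
+
+Policies can also be defined in the schema JSON format. Here’s an example of how to define a policy in JSON:
+
+```json
+{
+"version": "0.3",
+"resource_types": {
+"user": {},
+"organization": {
+"relations": {
+"view": {
+"policy": "ip_allowed"
+}
+}
+}
+},
+"policies": {
+"ip_allowed": {
+"name": "ip_allowed",
+"language": "expr",
+"parameters": [
+{
+"name": "clientIp",
+"type": "string"
+}
+],
+"expression": "clientIp matches \"192\\\\.168\\\\..*\\\\..*\""
+}
+}
+}
+```
+
+> At runtime, if a policy fails to evaluate due to an invalid or missing context parameter, the system will return a 400 Bad Request in response to the check or query.
+
+## Advanced Usage
+
+### Injected Context
+
+Policies can reference dynamic variables that are injected by the FGA system **at runtime**. When a policy is evaluated, the system substitutes the provided values into the expression. This allows you to create policies that depend on runtime context, such as warrant data that the policy is stored with or check arguments.
+
+#### `check_ctx`
+
+A map containing the subject, resource, and relation of the check (or sub-check) executing the policy. This context variable is only available when the policy is evaluated in the context of a check (otherwise it is an empty map).
+
+```json title="check_ctx"
+{
+"subject_type": "user",
+"subject_id": "123",
+"relation": "view_feature_1",
+"resource_type": "organization",
+"resource_id": "acme-corp"
+}
+```
+
+```fga
+policy is_user_in_org(user_attributes map) {
+check_ctx.resource_type == "organization" && user_attributes.organization_id == check_ctx.resource_id
+}
+```
+
+Use `check_ctx` in a policy when:
+
+- **You want to avoid duplicating check arguments in context**\
+Instead of manually passing `subject_id`, `resource_type`, or `relation` as context values in every access check, reference them directly via `check_ctx` to reduce redundancy and simplify your check requests.
+
+- **Your policy logic needs to vary based on the check's subject or resource**\
+For example, use `check_ctx` when applying different rules depending on whether the subject is a `user` or `service`, or if the resource type is `document` versus `organization`.
+
+- **You're leveraging [policy helper functions](/fga/policies/advanced-usage/helper-functions)**\
+Pass resource ids from `check_ctx` into helper functions.
+
+#### `warrant_ctx`
+
+A map containing the subject, resource, and relation of the warrant that the policy was stored on. This context variable is only available when the policy is stored on a warrant (otherwise it is an empty map).
+
+```json title="warrant_ctx"
+{
+"subject_type": "user",
+"subject_id": "123",
+"relation": "editor",
+"resource_type": "organization",
+"resource_id": "acme-corp",
+"created_at": "2023-10-01T00:00:00Z"
+}
+```
+
+```fga
+policy warrant_not_expired() {
+let expiration = duration("1h");
+date(warrant_ctx.created_at) > now() + expiration
+}
+```
+
+Use `warrant_ctx` in a policy when:
+
+- **You need time-based or expiring access control**\
+Reference `warrant_ctx.created_at` to enforce temporal constraints like short-lived or trial permissions.
+
+- **Your policy behavior depends on the warrant’s subject, resource, or relation**\
+For example, restrict logic to apply only if the warrant’s `relation` is `"editor"` or `resource_type` is `"project"`.
+
+- **You need to evaluate policies only within warrant-based contexts**\
+Helps enforce logic that should not apply in schema-only (inheritance) scenarios.
+
+- **You're using [policy helper functions](/fga/policies/advanced-usage/helper-functions)**\
+Pass resource ids from `warrant_ctx` into helper functions.
+
+> Context variables can be empty if the policy is not evaluated in the context of a check or warrant. Make sure to check for empty values in your policy expressions to avoid errors.
+
+### Helper Functions
+
+In addition to all of the built-in functions available in the [expr language](https://expr-lang.org/docs/language-definition), FGA provides the following helper functions for use in policies:
+
+#### `get_metadata`
+
+Fetches metadata for a given resource type and id when a policy is evaluated. This allows you to access metadata attributes stored on the resource in FGA without having to pass them in as context. This is especially useful when you don't want to update your check requests to include additional context values after schema changes.
+
+```fga
+policy user_in_org() {
+let subject_metadata = get_metadata(check_ctx.subject_type, check_ctx.subject_id);
+subject_metadata.organization_id == check_ctx.resource_id &&
+check_ctx.subject_type == "user" &&
+check_ctx.resource_type == "organization"
+}
+```
+
+> Make sure to check for empty values in your policy expressions to avoid errors. It is best practice to avoid nested keys or use [optional chaining](https://expr-lang.org/docs/language-definition#optional-chaining) to prevent errors when accessing metadata attributes.
+
+#### `jwt_claim`
+
+Retrieves a specific claim from the JWT used to authenticate an access check. This is useful for policy logic that depends on user attributes embedded in the JWT, without needing to explicitly pass them through the context. This helper returns `nil` if a different authentication method (i.e. not a JWT) was used or the claim does not exist.
+
+This also works directly with Custom Attributes from AuthKit [JWT templates](/user-management/jwt-templates), allowing you to access user attributes directly in your policies.
+
+> Ensure your JWKS (JSON Web Key Set) is [properly configured](/fga/identity-provider-sessions) to validate JWT signatures and authorize requests.
+
+```fga
+policy user_is_workos_admin() {
+let role = jwt_claim("role");
+let email = jwt_claim("email");
+
+role == "admin" &&
+check_ctx.subject_type == "user" &&
+email endsWith "@workos.com"
+}
+```
+
+### Combine with Inheritance Rules
+
+Combine policies with inheritance rules to create complex access control models. For example, define a policy that checks specific conditions and apply it across multiple relations or inheritance rules:
+
+```fga
+version 0.3
+
+type user
+
+type staff_group
+relation member [user]
+
+type org_role
+relation member [user]
+
+type organization
+relation internal_admin [staff_group]
+relation viewer [user, org_role]
+
+relation view_feature_1 []
+inherit view_feature_1 if
+any_of
+relation member on internal_admin [staff_group]
+all_of
+any_of
+relation viewer
+relation member on viewer [org_role]
+policy valid_enterprise_plan
+
+policy valid_enterprise_plan(payment_plan map) {
+payment_plan.is_active == true && payment_plan.tier == "enterprise"
+}
+```
+
+In this example:
+
+- `view_feature_1` access can be inherited based on multiple conditions.
+- Internal admins (`staff_group` members) can access `view_feature_1`.
+- Users in `viewer` or an `org_role` can also access it if they meet the `valid_payment_plan` policy requirements.
+
+## Passing Context vs. Injecting Context
+
+When using policies, you can provide context in two ways:
+by passing values directly in the check request, or by injecting them into the policy using `get_metadata`. The right approach depends on where your data lives, how often it changes, and how you want to manage changes to your schema or policies.
+
+**Pass context**: Use this method when you want to provide specific values for the policy to evaluate. This is useful for dynamic values that may change frequently or are specific to the check being made.
+
+Passing context also does not require syncing data between your application and FGA, as the context is provided at check time. The major drawback is that it can lead to large check requests if you have many attributes to pass in. This can also make it difficult to manage and maintain the context values over time since changes to your schema or policies may require updates to the context values in your check requests.
+
+**Inject context**: Use this method when you want to fetch metadata or other attributes from the resource itself. This is useful for static values that are stored in FGA and do not change frequently or when you want to avoid passing large amounts of context data in the check request.
+
+Schema or policy changes do not require updates to the context values in your check requests, as the metadata is fetched at runtime. The major drawback is that it requires syncing data between your application and FGA.
+
+See the [Policy Context](/fga/modeling/policy-context) modeling guide for more details on how to use context in your policies.
+
+## Common Use Cases
+
+Using policies and inheritance rules together provides a powerful way to model permissions for:
+
+- **Entitlements** (e.g., feature access based on plan level)
+- **Feature flags** (e.g., enabling experimental features for specific groups)
+- **Domain-specific logic** (e.g., enforcing security constraints specific data attributes)
+- **Temporal data** (e.g., granting temporary access based on time-based or location-based policies)
+
+## Next Steps
+
+To start using policies in your schema, ensure the following:
+
+1. Create policies in the schema or with the Policy API
+2. Reference policies in your schema
+3. Pass the correct context values when making access checks
+4. Test your schema logic using the FGA dashboard and API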
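--- /dev/null
+++ b/PATH_NOT_IN_VIEW/query-language.mdx
@@ -0,0 +1,112 @@
+---
+title: Query Language
+description: Query which resources users have access to in your application.
+showNextPage: true
+originalPath: .tmp-workos-clone/packages/docs/content/fga/query-language.mdx
+---
+
+The Query Language is a declarative, SQL-like language used to [query](/reference/fga/query) WorkOS FGA for (1) the set of resources a particular subject has access to or (2) the set of subjects who have access to a particular resource. Examples of queries that can be specified with the query language include:
+
+1. List all documents `user:A` is a `viewer` on.
+2. List all users who are `editor`s of `document:finance-report`.
+3. List all resources `user:malicious` has access to.
+4. List all users who have the permission `view-financial-reporting`.
+5. and many more
+
+## Overview
+
+A query is composed of a `select` clause and either a `for` clause (if querying for subjects) or a `where` clause (if querying for resources):
+
+```sql
+select permission where user:tony-stark is member
+```
+
+## Select Clause
+
+The **select clause** specifies whether a query should return resources a subject has access to or return subjects that have access to a resource.
+
+### Select Resources
+
+Return resources a subject has access to
+
+```sql
+select <resource_types>
+```
+
+> `<resource_types>` can be a comma separated list of one or more resource types that results of the query will be filtered to. To select resources matching _any_ resource type, pass a wildcard (`*`) instead.
+
+### Select Subjects
+
+Return subjects that have access to a resource.
+
+```sql
+select <relations> of type <subject_types>
+```
+
+> `<relations>` and `<subject_types>` can be comma separated lists of one or more relations or one or more resource types respectively, that results of the query will be filtered to. To match _any_ relation or _any_ subject type, pass a wildcard (`*`) for the `<relations>` or `<subject_types>` properties respectively.
+
+## Where Clause
+
+When selecting resources (e.g. `select tenant`), provide a `where` clause to specify a subject and one or more relations that subject must have on any resources returned in the query result.
+
+```sql
+select <resource_types> where <subject> is <relations>
+```
+
+> `<subject>` must be a resource in the format `<resource_type>:<resource_id>`. `<relations>` can be a comma separated list of one or more relations. To match _any_ relation, pass a wildcard (`*`) instead.
+
+## For Clause
+
+When selecting subjects (e.g. `select member of type user`), provide a `for` clause to specify a resource and one or more relations subjects must have on the specified resource to be returned in the query result.
+
+```sql
+select <relations> of type <subject_types> for <resource>
+```
+
+> `<relations>` and `<subject_types>` can be comma separated lists of one or more relations or one or more resource types respectively. To match _any_ relation or _any_ resource type respectively, pass a wildcard (`*`) instead.
+
+### Implicit vs. Explicit Results
+
+A query can optionally include the `explicit` keyword immediately following the `select` keyword to indicate that the query should _only_ return results that _explicitly_ match the provided relations. Explicit results are results for which a warrant matching one or more of the relations specified in the query explicitly exists. Implicit results are results which may implicitly match the relations specified in the query through [inheritance rules](/fga/schema/schema-syntax/inheritance-rules). Without the `explicit` keyword specified, a query will return both explicit and implicit results.
+
+```sql title="Example: Get all users who explicitly have the viewer relation on document:doc1"
+select explicit viewer of type user for document:doc1
+```
+
+```sql title="Example: Get all users who have the viewer relation on document:doc1 explicitly OR implicitly"
+select viewer of type user for document:doc1
+```
+
+## Examples
+
+```sql title="Get all documents on which user:1 is a viewer (either explicitly or implicitly)"
+select document where user:1 is viewer
+```
+
+```sql title="Get all documents on which user:1 is explicitly a viewer"
+select explicit document where user:1 is viewer
+```
+
+```sql title="Get all documents on which user:1 has any relation (either explicitly or implicitly)"
+select document where user:1 is *
+```
+
+```sql title="Get all resources of any type on which user:1 has any relation (either explicitly or implicitly)"
+select * where user:1 is *
+```
+
+```sql title="Get all users who are viewers of document:doc1 (either explicitly or implicitly)"
+select viewer of type user for document:doc1
+```
+
+```sql title="Get all users who are explicitly viewers of document:doc1"
+select explicit viewer of type user for document:doc1
+```
+
+```sql title="Get all users who have any relation on document:doc1 (either explicitly or implicitly)"
+select * of type user for document:doc1
+```
+
+```sql title="Get all subjects of any type who have any relation on document:doc1 (either explicitly or implicitly)"
+select * of type * for document:doc1
+```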