@workos/mcp-docs-server 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.docs/organized/changelogs/workos-platform.json +277 -0
- package/.docs/organized/docs/admin-portal/_navigation.mdx +16 -0
- package/.docs/organized/docs/admin-portal/custom-branding.mdx +111 -0
- package/.docs/organized/docs/admin-portal/example-apps.mdx +46 -0
- package/.docs/organized/docs/admin-portal/index.mdx +240 -0
- package/.docs/organized/docs/audit-logs/_navigation.mdx +22 -0
- package/.docs/organized/docs/audit-logs/admin-portal.mdx +20 -0
- package/.docs/organized/docs/audit-logs/editing-events.mdx +27 -0
- package/.docs/organized/docs/audit-logs/exporting-events.mdx +29 -0
- package/.docs/organized/docs/audit-logs/index.mdx +110 -0
- package/.docs/organized/docs/audit-logs/log-streams.mdx +56 -0
- package/.docs/organized/docs/audit-logs/metadata-schema.mdx +21 -0
- package/.docs/organized/docs/custom-domains/_navigation.mdx +16 -0
- package/.docs/organized/docs/custom-domains/admin-portal.mdx +38 -0
- package/.docs/organized/docs/custom-domains/auth-api.mdx +59 -0
- package/.docs/organized/docs/custom-domains/authkit.mdx +36 -0
- package/.docs/organized/docs/custom-domains/email.mdx +41 -0
- package/.docs/organized/docs/custom-domains/index.mdx +19 -0
- package/.docs/organized/docs/dashboard.mdx +244 -0
- package/.docs/organized/docs/demo/_navigation.mdx +26 -0
- package/.docs/organized/docs/demo/accordion.mdx +34 -0
- package/.docs/organized/docs/demo/checklist.mdx +33 -0
- package/.docs/organized/docs/demo/code-block.mdx +185 -0
- package/.docs/organized/docs/demo/definition-list.mdx +35 -0
- package/.docs/organized/docs/demo/index.mdx +7 -0
- package/.docs/organized/docs/demo/punctuation.mdx +37 -0
- package/.docs/organized/docs/demo/replacements.mdx +26 -0
- package/.docs/organized/docs/demo/table.mdx +26 -0
- package/.docs/organized/docs/demo/tabs.mdx +17 -0
- package/.docs/organized/docs/directory-sync/_navigation.mdx +28 -0
- package/.docs/organized/docs/directory-sync/attributes.mdx +209 -0
- package/.docs/organized/docs/directory-sync/example-apps.mdx +46 -0
- package/.docs/organized/docs/directory-sync/handle-inactive-users.mdx +52 -0
- package/.docs/organized/docs/directory-sync/identity-provider-role-assignment.mdx +134 -0
- package/.docs/organized/docs/directory-sync/index.mdx +107 -0
- package/.docs/organized/docs/directory-sync/quick-start.mdx +129 -0
- package/.docs/organized/docs/directory-sync/understanding-events.mdx +209 -0
- package/.docs/organized/docs/domain-verification/_navigation.mdx +10 -0
- package/.docs/organized/docs/domain-verification/api.mdx +60 -0
- package/.docs/organized/docs/domain-verification/index.mdx +67 -0
- package/.docs/organized/docs/email.mdx +109 -0
- package/.docs/organized/docs/events/_navigation.mdx +22 -0
- package/.docs/organized/docs/events/data-syncing/data-reconciliation.mdx +56 -0
- package/.docs/organized/docs/events/data-syncing/events-api.mdx +114 -0
- package/.docs/organized/docs/events/data-syncing/index.mdx +66 -0
- package/.docs/organized/docs/events/data-syncing/webhooks.mdx +173 -0
- package/.docs/organized/docs/events/index.mdx +783 -0
- package/.docs/organized/docs/events/observability/datadog.mdx +76 -0
- package/.docs/organized/docs/fga/_navigation.mdx +64 -0
- package/.docs/organized/docs/fga/identity-provider-sessions.mdx +68 -0
- package/.docs/organized/docs/fga/index.mdx +60 -0
- package/.docs/organized/docs/fga/local-development.mdx +155 -0
- package/.docs/organized/docs/fga/modeling/abac.mdx +107 -0
- package/.docs/organized/docs/fga/modeling/blocklist.mdx +84 -0
- package/.docs/organized/docs/fga/modeling/conditional-roles.mdx +99 -0
- package/.docs/organized/docs/fga/modeling/custom-roles.mdx +90 -0
- package/.docs/organized/docs/fga/modeling/entitlements.mdx +127 -0
- package/.docs/organized/docs/fga/modeling/managed-service-provider.mdx +131 -0
- package/.docs/organized/docs/fga/modeling/org-roles-and-permissions.mdx +95 -0
- package/.docs/organized/docs/fga/modeling/policy-context.mdx +231 -0
- package/.docs/organized/docs/fga/modeling/public-access.mdx +61 -0
- package/.docs/organized/docs/fga/modeling/shareable-content.mdx +106 -0
- package/.docs/organized/docs/fga/modeling/superusers.mdx +74 -0
- package/.docs/organized/docs/fga/modeling/user-groups.mdx +92 -0
- package/.docs/organized/docs/fga/operations-usage.mdx +104 -0
- package/.docs/organized/docs/fga/playground.mdx +12 -0
- package/.docs/organized/docs/fga/policies.mdx +462 -0
- package/.docs/organized/docs/fga/query-language.mdx +112 -0
- package/.docs/organized/docs/fga/quick-start.mdx +174 -0
- package/.docs/organized/docs/fga/resources.mdx +92 -0
- package/.docs/organized/docs/fga/schema-management.mdx +224 -0
- package/.docs/organized/docs/fga/schema.mdx +388 -0
- package/.docs/organized/docs/fga/warrant-tokens.mdx +44 -0
- package/.docs/organized/docs/fga/warrants.mdx +92 -0
- package/.docs/organized/docs/glossary.mdx +184 -0
- package/.docs/organized/docs/integrations/_navigation.mdx +6 -0
- package/.docs/organized/docs/integrations/access-people-hr.mdx +87 -0
- package/.docs/organized/docs/integrations/adp-oidc.mdx +103 -0
- package/.docs/organized/docs/integrations/apple.mdx +169 -0
- package/.docs/organized/docs/integrations/auth0-directory-sync.mdx +78 -0
- package/.docs/organized/docs/integrations/auth0-enterprise-connection.mdx +92 -0
- package/.docs/organized/docs/integrations/auth0-saml.mdx +81 -0
- package/.docs/organized/docs/integrations/aws-cognito.mdx +81 -0
- package/.docs/organized/docs/integrations/bamboohr.mdx +90 -0
- package/.docs/organized/docs/integrations/breathe-hr.mdx +89 -0
- package/.docs/organized/docs/integrations/bubble.mdx +129 -0
- package/.docs/organized/docs/integrations/cas-saml.mdx +65 -0
- package/.docs/organized/docs/integrations/cezanne.mdx +74 -0
- package/.docs/organized/docs/integrations/classlink-saml.mdx +100 -0
- package/.docs/organized/docs/integrations/cloudflare-saml.mdx +164 -0
- package/.docs/organized/docs/integrations/cyberark-saml.mdx +138 -0
- package/.docs/organized/docs/integrations/cyberark-scim.mdx +100 -0
- package/.docs/organized/docs/integrations/duo-saml.mdx +127 -0
- package/.docs/organized/docs/integrations/entra-id-saml.mdx +156 -0
- package/.docs/organized/docs/integrations/entra-id-scim.mdx +218 -0
- package/.docs/organized/docs/integrations/firebase.mdx +98 -0
- package/.docs/organized/docs/integrations/fourth.mdx +66 -0
- package/.docs/organized/docs/integrations/github-oauth.mdx +85 -0
- package/.docs/organized/docs/integrations/gitlab-oauth.mdx +81 -0
- package/.docs/organized/docs/integrations/google-directory-sync.mdx +86 -0
- package/.docs/organized/docs/integrations/google-oauth.mdx +173 -0
- package/.docs/organized/docs/integrations/google-saml.mdx +135 -0
- package/.docs/organized/docs/integrations/hibob.mdx +98 -0
- package/.docs/organized/docs/integrations/jumpcloud-saml.mdx +96 -0
- package/.docs/organized/docs/integrations/jumpcloud-scim.mdx +106 -0
- package/.docs/organized/docs/integrations/keycloak-saml.mdx +128 -0
- package/.docs/organized/docs/integrations/lastpass-saml.mdx +134 -0
- package/.docs/organized/docs/integrations/linkedin-oauth.mdx +77 -0
- package/.docs/organized/docs/integrations/login-gov-oidc.mdx +103 -0
- package/.docs/organized/docs/integrations/microsoft-ad-fs-saml.mdx +96 -0
- package/.docs/organized/docs/integrations/microsoft-oauth.mdx +101 -0
- package/.docs/organized/docs/integrations/miniorange-saml.mdx +124 -0
- package/.docs/organized/docs/integrations/net-iq-saml.mdx +75 -0
- package/.docs/organized/docs/integrations/next-auth.mdx +257 -0
- package/.docs/organized/docs/integrations/oidc.mdx +64 -0
- package/.docs/organized/docs/integrations/okta-saml.mdx +144 -0
- package/.docs/organized/docs/integrations/okta-scim.mdx +210 -0
- package/.docs/organized/docs/integrations/onelogin-saml.mdx +131 -0
- package/.docs/organized/docs/integrations/onelogin-scim.mdx +150 -0
- package/.docs/organized/docs/integrations/oracle-saml.mdx +76 -0
- package/.docs/organized/docs/integrations/pingfederate-saml.mdx +103 -0
- package/.docs/organized/docs/integrations/pingfederate-scim.mdx +150 -0
- package/.docs/organized/docs/integrations/pingone-saml.mdx +86 -0
- package/.docs/organized/docs/integrations/react-native-expo.mdx +93 -0
- package/.docs/organized/docs/integrations/rippling-saml.mdx +174 -0
- package/.docs/organized/docs/integrations/rippling-scim.mdx +148 -0
- package/.docs/organized/docs/integrations/salesforce-saml.mdx +143 -0
- package/.docs/organized/docs/integrations/saml.mdx +64 -0
- package/.docs/organized/docs/integrations/scim.mdx +64 -0
- package/.docs/organized/docs/integrations/sftp.mdx +150 -0
- package/.docs/organized/docs/integrations/shibboleth-generic-saml.mdx +84 -0
- package/.docs/organized/docs/integrations/shibboleth-unsolicited-saml.mdx +84 -0
- package/.docs/organized/docs/integrations/simple-saml-php.mdx +78 -0
- package/.docs/organized/docs/integrations/slack-oauth.mdx +102 -0
- package/.docs/organized/docs/integrations/supabase.mdx +68 -0
- package/.docs/organized/docs/integrations/vmware-saml.mdx +100 -0
- package/.docs/organized/docs/integrations/workday.mdx +156 -0
- package/.docs/organized/docs/integrations/xero-oauth.mdx +83 -0
- package/.docs/organized/docs/magic-link/_navigation.mdx +16 -0
- package/.docs/organized/docs/magic-link/example-apps.mdx +46 -0
- package/.docs/organized/docs/magic-link/index.mdx +199 -0
- package/.docs/organized/docs/magic-link/launch-checklist.mdx +27 -0
- package/.docs/organized/docs/mfa/_navigation.mdx +18 -0
- package/.docs/organized/docs/mfa/example-apps.mdx +46 -0
- package/.docs/organized/docs/mfa/index.mdx +140 -0
- package/.docs/organized/docs/mfa/ux/enrollment.mdx +74 -0
- package/.docs/organized/docs/mfa/ux/sign-in.mdx +30 -0
- package/.docs/organized/docs/migrate/_navigation.mdx +6 -0
- package/.docs/organized/docs/migrate/auth0.mdx +98 -0
- package/.docs/organized/docs/migrate/aws-cognito.mdx +115 -0
- package/.docs/organized/docs/migrate/clerk.mdx +106 -0
- package/.docs/organized/docs/migrate/firebase.mdx +80 -0
- package/.docs/organized/docs/migrate/other-services.mdx +179 -0
- package/.docs/organized/docs/migrate/standalone-sso.mdx +105 -0
- package/.docs/organized/docs/on-prem-deployment.mdx +119 -0
- package/.docs/organized/docs/postman.mdx +90 -0
- package/.docs/organized/docs/reference/_navigation.mdx +527 -0
- package/.docs/organized/docs/reference/admin-portal/index.mdx +6 -0
- package/.docs/organized/docs/reference/admin-portal/portal-link/generate.mdx +268 -0
- package/.docs/organized/docs/reference/admin-portal/portal-link/index.mdx +15 -0
- package/.docs/organized/docs/reference/admin-portal/provider-icons/index.mdx +52 -0
- package/.docs/organized/docs/reference/api-keys.mdx +22 -0
- package/.docs/organized/docs/reference/audit-logs/audit-log-export.mdx +239 -0
- package/.docs/organized/docs/reference/audit-logs/audit-log-schema.mdx +69 -0
- package/.docs/organized/docs/reference/audit-logs/create-event.mdx +673 -0
- package/.docs/organized/docs/reference/audit-logs/create-export.mdx +308 -0
- package/.docs/organized/docs/reference/audit-logs/create-schema.mdx +95 -0
- package/.docs/organized/docs/reference/audit-logs/get-export.mdx +117 -0
- package/.docs/organized/docs/reference/audit-logs/get-retention.mdx +34 -0
- package/.docs/organized/docs/reference/audit-logs/index.mdx +6 -0
- package/.docs/organized/docs/reference/audit-logs/list-actions.mdx +40 -0
- package/.docs/organized/docs/reference/audit-logs/list-schemas.mdx +40 -0
- package/.docs/organized/docs/reference/audit-logs/set-retention.mdx +39 -0
- package/.docs/organized/docs/reference/client-libraries.mdx +19 -0
- package/.docs/organized/docs/reference/directory-sync/directory/delete.mdx +90 -0
- package/.docs/organized/docs/reference/directory-sync/directory/get.mdx +105 -0
- package/.docs/organized/docs/reference/directory-sync/directory/index.mdx +385 -0
- package/.docs/organized/docs/reference/directory-sync/directory/list.mdx +281 -0
- package/.docs/organized/docs/reference/directory-sync/directory-group/get.mdx +105 -0
- package/.docs/organized/docs/reference/directory-sync/directory-group/index.mdx +277 -0
- package/.docs/organized/docs/reference/directory-sync/directory-group/list.mdx +295 -0
- package/.docs/organized/docs/reference/directory-sync/directory-user/get.mdx +112 -0
- package/.docs/organized/docs/reference/directory-sync/directory-user/index.mdx +470 -0
- package/.docs/organized/docs/reference/directory-sync/directory-user/list.mdx +304 -0
- package/.docs/organized/docs/reference/directory-sync/index.mdx +10 -0
- package/.docs/organized/docs/reference/domain-verification/create.mdx +38 -0
- package/.docs/organized/docs/reference/domain-verification/get.mdx +32 -0
- package/.docs/organized/docs/reference/domain-verification/index.mdx +84 -0
- package/.docs/organized/docs/reference/domain-verification/verify.mdx +36 -0
- package/.docs/organized/docs/reference/errors.mdx +30 -0
- package/.docs/organized/docs/reference/events/index.mdx +9 -0
- package/.docs/organized/docs/reference/events/list.mdx +246 -0
- package/.docs/organized/docs/reference/fga/batch-check.mdx +277 -0
- package/.docs/organized/docs/reference/fga/check.mdx +563 -0
- package/.docs/organized/docs/reference/fga/index.mdx +6 -0
- package/.docs/organized/docs/reference/fga/policy/create.mdx +27 -0
- package/.docs/organized/docs/reference/fga/policy/delete.mdx +18 -0
- package/.docs/organized/docs/reference/fga/policy/get.mdx +23 -0
- package/.docs/organized/docs/reference/fga/policy/index.mdx +52 -0
- package/.docs/organized/docs/reference/fga/policy/list.mdx +41 -0
- package/.docs/organized/docs/reference/fga/policy/update.mdx +26 -0
- package/.docs/organized/docs/reference/fga/query.mdx +375 -0
- package/.docs/organized/docs/reference/fga/resource/batch-write.mdx +175 -0
- package/.docs/organized/docs/reference/fga/resource/create.mdx +130 -0
- package/.docs/organized/docs/reference/fga/resource/delete.mdx +86 -0
- package/.docs/organized/docs/reference/fga/resource/get.mdx +88 -0
- package/.docs/organized/docs/reference/fga/resource/index.mdx +98 -0
- package/.docs/organized/docs/reference/fga/resource/list.mdx +188 -0
- package/.docs/organized/docs/reference/fga/resource/update.mdx +115 -0
- package/.docs/organized/docs/reference/fga/resource-type/apply.mdx +35 -0
- package/.docs/organized/docs/reference/fga/resource-type/create.mdx +24 -0
- package/.docs/organized/docs/reference/fga/resource-type/delete.mdx +22 -0
- package/.docs/organized/docs/reference/fga/resource-type/get.mdx +23 -0
- package/.docs/organized/docs/reference/fga/resource-type/index.mdx +68 -0
- package/.docs/organized/docs/reference/fga/resource-type/list.mdx +36 -0
- package/.docs/organized/docs/reference/fga/resource-type/update.mdx +23 -0
- package/.docs/organized/docs/reference/fga/schema/apply.mdx +42 -0
- package/.docs/organized/docs/reference/fga/schema/get.mdx +24 -0
- package/.docs/organized/docs/reference/fga/schema/index.mdx +39 -0
- package/.docs/organized/docs/reference/fga/warrant/batch-write.mdx +226 -0
- package/.docs/organized/docs/reference/fga/warrant/create.mdx +215 -0
- package/.docs/organized/docs/reference/fga/warrant/delete.mdx +212 -0
- package/.docs/organized/docs/reference/fga/warrant/index.mdx +186 -0
- package/.docs/organized/docs/reference/fga/warrant/list.mdx +282 -0
- package/.docs/organized/docs/reference/idempotency.mdx +21 -0
- package/.docs/organized/docs/reference/index.mdx +194 -0
- package/.docs/organized/docs/reference/magic-link/index.mdx +8 -0
- package/.docs/organized/docs/reference/magic-link/passwordless-session/create.mdx +268 -0
- package/.docs/organized/docs/reference/magic-link/passwordless-session/index.mdx +203 -0
- package/.docs/organized/docs/reference/magic-link/passwordless-session/send-email.mdx +158 -0
- package/.docs/organized/docs/reference/mfa/authentication-challenge.mdx +217 -0
- package/.docs/organized/docs/reference/mfa/authentication-factor.mdx +381 -0
- package/.docs/organized/docs/reference/mfa/challenge-factor.mdx +170 -0
- package/.docs/organized/docs/reference/mfa/delete-factor.mdx +93 -0
- package/.docs/organized/docs/reference/mfa/enroll-factor.mdx +241 -0
- package/.docs/organized/docs/reference/mfa/get-factor.mdx +108 -0
- package/.docs/organized/docs/reference/mfa/index.mdx +8 -0
- package/.docs/organized/docs/reference/mfa/verify-challenge.mdx +228 -0
- package/.docs/organized/docs/reference/organization/create.mdx +216 -0
- package/.docs/organized/docs/reference/organization/delete.mdx +89 -0
- package/.docs/organized/docs/reference/organization/get-by-external-id.mdx +40 -0
- package/.docs/organized/docs/reference/organization/get.mdx +104 -0
- package/.docs/organized/docs/reference/organization/index.mdx +274 -0
- package/.docs/organized/docs/reference/organization/list.mdx +258 -0
- package/.docs/organized/docs/reference/organization/update.mdx +236 -0
- package/.docs/organized/docs/reference/organization-domain.mdx +189 -0
- package/.docs/organized/docs/reference/pagination.mdx +244 -0
- package/.docs/organized/docs/reference/radar/attempts/create.mdx +115 -0
- package/.docs/organized/docs/reference/radar/attempts/index.mdx +7 -0
- package/.docs/organized/docs/reference/radar/attempts/update.mdx +34 -0
- package/.docs/organized/docs/reference/radar/index.mdx +8 -0
- package/.docs/organized/docs/reference/radar/lists/delete.mdx +36 -0
- package/.docs/organized/docs/reference/radar/lists/index.mdx +7 -0
- package/.docs/organized/docs/reference/radar/lists/update.mdx +36 -0
- package/.docs/organized/docs/reference/rate-limits.mdx +50 -0
- package/.docs/organized/docs/reference/roles/index.mdx +268 -0
- package/.docs/organized/docs/reference/roles/list-for-organization.mdx +152 -0
- package/.docs/organized/docs/reference/sso/connection/delete.mdx +89 -0
- package/.docs/organized/docs/reference/sso/connection/get.mdx +104 -0
- package/.docs/organized/docs/reference/sso/connection/index.mdx +388 -0
- package/.docs/organized/docs/reference/sso/connection/list.mdx +320 -0
- package/.docs/organized/docs/reference/sso/get-authorization-url/error-codes.mdx +28 -0
- package/.docs/organized/docs/reference/sso/get-authorization-url/index.mdx +434 -0
- package/.docs/organized/docs/reference/sso/get-authorization-url/redirect-uri.mdx +21 -0
- package/.docs/organized/docs/reference/sso/index.mdx +8 -0
- package/.docs/organized/docs/reference/sso/logout/authorize.mdx +47 -0
- package/.docs/organized/docs/reference/sso/logout/index.mdx +14 -0
- package/.docs/organized/docs/reference/sso/logout/redirect.mdx +32 -0
- package/.docs/organized/docs/reference/sso/profile/get-profile-and-token.mdx +229 -0
- package/.docs/organized/docs/reference/sso/profile/get-user-profile.mdx +127 -0
- package/.docs/organized/docs/reference/sso/profile/index.mdx +364 -0
- package/.docs/organized/docs/reference/testing.mdx +8 -0
- package/.docs/organized/docs/reference/user-management/access-token/index.mdx +13 -0
- package/.docs/organized/docs/reference/user-management/authentication/code.mdx +448 -0
- package/.docs/organized/docs/reference/user-management/authentication/email-verification.mdx +359 -0
- package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/error-codes.mdx +25 -0
- package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/index.mdx +425 -0
- package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/pkce.mdx +9 -0
- package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/redirect-uri.mdx +23 -0
- package/.docs/organized/docs/reference/user-management/authentication/index.mdx +66 -0
- package/.docs/organized/docs/reference/user-management/authentication/magic-auth.mdx +353 -0
- package/.docs/organized/docs/reference/user-management/authentication/organization-selection.mdx +349 -0
- package/.docs/organized/docs/reference/user-management/authentication/password.mdx +350 -0
- package/.docs/organized/docs/reference/user-management/authentication/refresh-and-seal-session-data.mdx +57 -0
- package/.docs/organized/docs/reference/user-management/authentication/refresh-token.mdx +381 -0
- package/.docs/organized/docs/reference/user-management/authentication/session-cookie.mdx +79 -0
- package/.docs/organized/docs/reference/user-management/authentication/totp.mdx +369 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/email-verification-required-error.mdx +42 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/index.mdx +20 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/mfa-challenge-error.mdx +44 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/mfa-enrollment-error.mdx +37 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/organization-authentication-required-error.mdx +68 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/organization-selection-error.mdx +44 -0
- package/.docs/organized/docs/reference/user-management/authentication-errors/sso-required-error.mdx +51 -0
- package/.docs/organized/docs/reference/user-management/email-verification/get.mdx +88 -0
- package/.docs/organized/docs/reference/user-management/email-verification/index.mdx +227 -0
- package/.docs/organized/docs/reference/user-management/identity/index.mdx +74 -0
- package/.docs/organized/docs/reference/user-management/identity/list.mdx +52 -0
- package/.docs/organized/docs/reference/user-management/index.mdx +13 -0
- package/.docs/organized/docs/reference/user-management/invitation/accept.mdx +39 -0
- package/.docs/organized/docs/reference/user-management/invitation/find-by-token.mdx +87 -0
- package/.docs/organized/docs/reference/user-management/invitation/get.mdx +87 -0
- package/.docs/organized/docs/reference/user-management/invitation/index.mdx +374 -0
- package/.docs/organized/docs/reference/user-management/invitation/list.mdx +247 -0
- package/.docs/organized/docs/reference/user-management/invitation/revoke.mdx +90 -0
- package/.docs/organized/docs/reference/user-management/invitation/send.mdx +230 -0
- package/.docs/organized/docs/reference/user-management/logout/get-logout-url-from-session-cookie.mdx +52 -0
- package/.docs/organized/docs/reference/user-management/logout/get-logout-url.mdx +147 -0
- package/.docs/organized/docs/reference/user-management/logout/index.mdx +26 -0
- package/.docs/organized/docs/reference/user-management/magic-auth/create.mdx +148 -0
- package/.docs/organized/docs/reference/user-management/magic-auth/get.mdx +88 -0
- package/.docs/organized/docs/reference/user-management/magic-auth/index.mdx +225 -0
- package/.docs/organized/docs/reference/user-management/mfa/authentication-challenge.mdx +194 -0
- package/.docs/organized/docs/reference/user-management/mfa/authentication-factor.mdx +324 -0
- package/.docs/organized/docs/reference/user-management/mfa/enroll-auth-factor.mdx +296 -0
- package/.docs/organized/docs/reference/user-management/mfa/index.mdx +5 -0
- package/.docs/organized/docs/reference/user-management/mfa/list-auth-factors.mdx +194 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/create.mdx +155 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/deactivate.mdx +106 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/delete.mdx +76 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/get.mdx +95 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/index.mdx +265 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/list.mdx +291 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/reactivate.mdx +106 -0
- package/.docs/organized/docs/reference/user-management/organization-membership/update.mdx +119 -0
- package/.docs/organized/docs/reference/user-management/password-reset/create.mdx +108 -0
- package/.docs/organized/docs/reference/user-management/password-reset/get.mdx +88 -0
- package/.docs/organized/docs/reference/user-management/password-reset/index.mdx +227 -0
- package/.docs/organized/docs/reference/user-management/password-reset/reset-password.mdx +144 -0
- package/.docs/organized/docs/reference/user-management/session-helpers/authenticate.mdx +176 -0
- package/.docs/organized/docs/reference/user-management/session-helpers/get-logout-url.mdx +42 -0
- package/.docs/organized/docs/reference/user-management/session-helpers/index.mdx +14 -0
- package/.docs/organized/docs/reference/user-management/session-helpers/load-sealed-session.mdx +105 -0
- package/.docs/organized/docs/reference/user-management/session-helpers/refresh.mdx +213 -0
- package/.docs/organized/docs/reference/user-management/session-tokens/access-token.mdx +90 -0
- package/.docs/organized/docs/reference/user-management/session-tokens/index.mdx +5 -0
- package/.docs/organized/docs/reference/user-management/session-tokens/jwks.mdx +110 -0
- package/.docs/organized/docs/reference/user-management/session-tokens/refresh-token.mdx +8 -0
- package/.docs/organized/docs/reference/user-management/user/create.mdx +327 -0
- package/.docs/organized/docs/reference/user-management/user/delete.mdx +76 -0
- package/.docs/organized/docs/reference/user-management/user/get-by-external-id.mdx +39 -0
- package/.docs/organized/docs/reference/user-management/user/get.mdx +103 -0
- package/.docs/organized/docs/reference/user-management/user/index.mdx +322 -0
- package/.docs/organized/docs/reference/user-management/user/list.mdx +260 -0
- package/.docs/organized/docs/reference/user-management/user/update.mdx +344 -0
- package/.docs/organized/docs/reference/vault/index.mdx +6 -0
- package/.docs/organized/docs/reference/vault/key/create-data-key.mdx +106 -0
- package/.docs/organized/docs/reference/vault/key/decrypt-data-key.mdx +84 -0
- package/.docs/organized/docs/reference/vault/key/decrypt-data.mdx +52 -0
- package/.docs/organized/docs/reference/vault/key/encrypt-data.mdx +58 -0
- package/.docs/organized/docs/reference/vault/key/index.mdx +25 -0
- package/.docs/organized/docs/reference/vault/object/create.mdx +62 -0
- package/.docs/organized/docs/reference/vault/object/delete.mdx +75 -0
- package/.docs/organized/docs/reference/vault/object/get.mdx +50 -0
- package/.docs/organized/docs/reference/vault/object/index.mdx +174 -0
- package/.docs/organized/docs/reference/vault/object/list.mdx +105 -0
- package/.docs/organized/docs/reference/vault/object/metadata.mdx +52 -0
- package/.docs/organized/docs/reference/vault/object/update.mdx +67 -0
- package/.docs/organized/docs/reference/vault/object/version.mdx +87 -0
- package/.docs/organized/docs/reference/vault/object/versions.mdx +83 -0
- package/.docs/organized/docs/reference/widgets/get-token.mdx +185 -0
- package/.docs/organized/docs/reference/widgets/index.mdx +6 -0
- package/.docs/organized/docs/reference/workos-connect/authorize/index.mdx +75 -0
- package/.docs/organized/docs/reference/workos-connect/index.mdx +33 -0
- package/.docs/organized/docs/reference/workos-connect/introspection/index.mdx +122 -0
- package/.docs/organized/docs/reference/workos-connect/metadata/index.mdx +25 -0
- package/.docs/organized/docs/reference/workos-connect/metadata/oauth-authorization-server/index.mdx +99 -0
- package/.docs/organized/docs/reference/workos-connect/metadata/openid-configuration/index.mdx +70 -0
- package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/access-token.mdx +53 -0
- package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/id-token.mdx +60 -0
- package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/index.mdx +69 -0
- package/.docs/organized/docs/reference/workos-connect/token/client-credentials-grant/access-token.mdx +46 -0
- package/.docs/organized/docs/reference/workos-connect/token/client-credentials-grant/index.mdx +56 -0
- package/.docs/organized/docs/reference/workos-connect/token/index.mdx +39 -0
- package/.docs/organized/docs/reference/workos-connect/token/refresh-token-grant.mdx +69 -0
- package/.docs/organized/docs/reference/workos-connect/userinfo/index.mdx +46 -0
- package/.docs/organized/docs/sdks/dotnet.mdx +6 -0
- package/.docs/organized/docs/sdks/elixir.mdx +6 -0
- package/.docs/organized/docs/sdks/go.mdx +6 -0
- package/.docs/organized/docs/sdks/java.mdx +9 -0
- package/.docs/organized/docs/sdks/laravel.mdx +6 -0
- package/.docs/organized/docs/sdks/node.mdx +9 -0
- package/.docs/organized/docs/sdks/php.mdx +6 -0
- package/.docs/organized/docs/sdks/python.mdx +6 -0
- package/.docs/organized/docs/sdks/ruby.mdx +9 -0
- package/.docs/organized/docs/sso/_navigation.mdx +44 -0
- package/.docs/organized/docs/sso/_sequence-diagrams/saml-protocol-security-considerations.md +59 -0
- package/.docs/organized/docs/sso/attributes.mdx +110 -0
- package/.docs/organized/docs/sso/domains.mdx +111 -0
- package/.docs/organized/docs/sso/example-apps.mdx +46 -0
- package/.docs/organized/docs/sso/identity-provider-role-assignment.mdx +113 -0
- package/.docs/organized/docs/sso/index.mdx +295 -0
- package/.docs/organized/docs/sso/it-team-faq.mdx +35 -0
- package/.docs/organized/docs/sso/jit-provisioning.mdx +101 -0
- package/.docs/organized/docs/sso/launch-checklist.mdx +71 -0
- package/.docs/organized/docs/sso/login-flows.mdx +101 -0
- package/.docs/organized/docs/sso/redirect-uris.mdx +44 -0
- package/.docs/organized/docs/sso/saml-security.mdx +122 -0
- package/.docs/organized/docs/sso/signing-certificates.mdx +121 -0
- package/.docs/organized/docs/sso/single-logout.mdx +45 -0
- package/.docs/organized/docs/sso/test-sso.mdx +73 -0
- package/.docs/organized/docs/sso/ux/sign-in.mdx +44 -0
- package/.docs/organized/docs/user-management/_navigation.mdx +87 -0
- package/.docs/organized/docs/user-management/actions.mdx +169 -0
- package/.docs/organized/docs/user-management/authkit.mdx +69 -0
- package/.docs/organized/docs/user-management/branding.mdx +143 -0
- package/.docs/organized/docs/user-management/connect.mdx +110 -0
- package/.docs/organized/docs/user-management/custom-emails.mdx +164 -0
- package/.docs/organized/docs/user-management/directory-provisioning.mdx +78 -0
- package/.docs/organized/docs/user-management/domain-verification.mdx +28 -0
- package/.docs/organized/docs/user-management/email-password.mdx +42 -0
- package/.docs/organized/docs/user-management/email-verification.mdx +29 -0
- package/.docs/organized/docs/user-management/entitlements.mdx +46 -0
- package/.docs/organized/docs/user-management/example-apps.mdx +39 -0
- package/.docs/organized/docs/user-management/identity-linking.mdx +52 -0
- package/.docs/organized/docs/user-management/impersonation.mdx +82 -0
- package/.docs/organized/docs/user-management/index.mdx +525 -0
- package/.docs/organized/docs/user-management/invitations.mdx +60 -0
- package/.docs/organized/docs/user-management/invite-only-signup.mdx +72 -0
- package/.docs/organized/docs/user-management/jit-provisioning.mdx +36 -0
- package/.docs/organized/docs/user-management/jwt-templates.mdx +278 -0
- package/.docs/organized/docs/user-management/magic-auth.mdx +36 -0
- package/.docs/organized/docs/user-management/mcp.mdx +146 -0
- package/.docs/organized/docs/user-management/metadata.mdx +119 -0
- package/.docs/organized/docs/user-management/mfa.mdx +32 -0
- package/.docs/organized/docs/user-management/migrations.mdx +20 -0
- package/.docs/organized/docs/user-management/modeling-your-app.mdx +149 -0
- package/.docs/organized/docs/user-management/organization-policies.mdx +33 -0
- package/.docs/organized/docs/user-management/overview.mdx +46 -0
- package/.docs/organized/docs/user-management/passkeys.mdx +42 -0
- package/.docs/organized/docs/user-management/radar.mdx +127 -0
- package/.docs/organized/docs/user-management/roles-and-permissions.mdx +155 -0
- package/.docs/organized/docs/user-management/sessions.mdx +101 -0
- package/.docs/organized/docs/user-management/social-login.mdx +34 -0
- package/.docs/organized/docs/user-management/sso-with-contractors.mdx +85 -0
- package/.docs/organized/docs/user-management/sso.mdx +96 -0
- package/.docs/organized/docs/user-management/users-organizations.mdx +91 -0
- package/.docs/organized/docs/user-management/widgets.mdx +190 -0
- package/.docs/organized/docs/vault/_navigation.mdx +14 -0
- package/.docs/organized/docs/vault/index.mdx +38 -0
- package/.docs/organized/docs/vault/key-context.mdx +32 -0
- package/.docs/organized/docs/vault/quick-start.mdx +82 -0
- package/README.md +252 -0
- package/dist/chunk-64GKEK6G.js +48 -0
- package/dist/chunk-64GKEK6G.js.map +1 -0
- package/dist/get-tools.d.ts +23 -0
- package/dist/get-tools.js +8 -0
- package/dist/get-tools.js.map +1 -0
- package/dist/index.d.ts +1 -0
- package/dist/index.js +552 -0
- package/dist/index.js.map +1 -0
- package/dist/prepare.d.ts +2 -0
- package/dist/prepare.js +269 -0
- package/dist/prepare.js.map +1 -0
- package/package.json +49 -0
|
@@ -0,0 +1,99 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Conditional Roles
|
|
3
|
+
description: >-
|
|
4
|
+
Combine relationship-based access control (ReBAC) with attribute-based access
|
|
5
|
+
control (ABAC) to create conditional roles.
|
|
6
|
+
originalPath: .tmp-workos-clone/packages/docs/content/fga/modeling/conditional-roles.mdx
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
> Explore the example from this guide [in the FGA Playground](https://explore.fga.workos.com/playground?example=conditional_roles), where you can interact with the schema, warrants, and access checks in real-time!
|
|
10
|
+
|
|
11
|
+
Use FGA to combine **Relationship-Based Access Control (ReBAC)** and **Attribute-Based Access Control (ABAC)**. Define roles that are bound to specific resources and change based on specific conditions. This allows for more granular control over who can do what, when, and under which circumstances.
|
|
12
|
+
|
|
13
|
+
## When to Use It
|
|
14
|
+
|
|
15
|
+
Use conditional roles when you cannot determine access by relationships alone. For example, a team member may be allowed to approve some expenses, but only if they are below a certain amount or belong to specific cost centers. As systems grow in complexity, pure ReBAC or ABAC models may become limiting. Conditional roles help bridge that gap with clear, composable rules.
|
|
16
|
+
|
|
17
|
+
## Example Applications
|
|
18
|
+
|
|
19
|
+
- **Expense Management**: Finance managers can approve expense reports only if the amount is below a defined threshold and aligned with their assigned cost centers.
|
|
20
|
+
- **Procurement**: Department heads may approve purchase orders only after completing mandatory compliance or budget authorization training.
|
|
21
|
+
- **Healthcare Systems**: Authorized clinicians can access sensitive health records only if the individual is assigned to their care team and the access occurs during regulated working hours.
|
|
22
|
+
|
|
23
|
+
## Schema
|
|
24
|
+
|
|
25
|
+
```fga
|
|
26
|
+
version 0.3
|
|
27
|
+
|
|
28
|
+
type user
|
|
29
|
+
|
|
30
|
+
type team
|
|
31
|
+
relation finance_admin [user]
|
|
32
|
+
relation finance_manager [user]
|
|
33
|
+
|
|
34
|
+
inherit finance_manager if
|
|
35
|
+
relation finance_admin
|
|
36
|
+
|
|
37
|
+
type expense
|
|
38
|
+
relation approval_team [team]
|
|
39
|
+
relation submitter [user]
|
|
40
|
+
|
|
41
|
+
relation approve []
|
|
42
|
+
inherit approve if
|
|
43
|
+
any_of
|
|
44
|
+
all_of
|
|
45
|
+
relation finance_manager on approval_team [team]
|
|
46
|
+
policy can_approve_amount
|
|
47
|
+
all_of
|
|
48
|
+
relation finance_admin on approval_team [team]
|
|
49
|
+
policy is_high_value_expense
|
|
50
|
+
|
|
51
|
+
policy can_approve_amount(expense_attributes map, user_attributes map) {
|
|
52
|
+
let can_approve_cost_center = expense_attributes.cost_center in user_attributes.approved_cost_centers;
|
|
53
|
+
let can_approve_amount = expense_attributes.amount <= 1000;
|
|
54
|
+
|
|
55
|
+
can_approve_cost_center && can_approve_amount
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
policy is_high_value_expense(expense_attributes map) {
|
|
59
|
+
expense_attributes.amount > 1000
|
|
60
|
+
}
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
## Example
|
|
64
|
+
|
|
65
|
+
### (1) Apply the schema
|
|
66
|
+
|
|
67
|
+
Create a file called `schema.txt` containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
|
|
68
|
+
|
|
69
|
+
> Note: make sure to select the correct environment with the [CLI](https://github.com/workos/workos-cli?tab=readme-ov-file#usage)
|
|
70
|
+
|
|
71
|
+
```shell
|
|
72
|
+
workos fga schema apply schema.txt
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
---
|
|
76
|
+
|
|
77
|
+
### (2) Create warrants
|
|
78
|
+
|
|
79
|
+
Create warrants that associate users, teams, and expenses. The example schema defines the following relationships:
|
|
80
|
+
|
|
81
|
+
- users with teams (using the `finance_admin` or `finance_manager` roles)
|
|
82
|
+
- teams with expenses (using the `approval_team` relation)
|
|
83
|
+
|
|
84
|
+
Let's create a few warrants between team `finance-1`, expense `expense-1`, and user `user_2oDscjroNWtzxzYEnEzT9P7VYEe`:
|
|
85
|
+
|
|
86
|
+
<CodeBlock title="Create warrants" file="conditional-roles-create-warrants" />
|
|
87
|
+
|
|
88
|
+
---
|
|
89
|
+
|
|
90
|
+
### (3) Check access
|
|
91
|
+
|
|
92
|
+
With our environment setup, we can check the user's permission to approve expenses.
|
|
93
|
+
|
|
94
|
+
<CodeBlock
|
|
95
|
+
title="Check if a user can approve an expense"
|
|
96
|
+
file="conditional-roles-check"
|
|
97
|
+
/>
|
|
98
|
+
|
|
99
|
+
---
|
|
@@ -0,0 +1,90 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Custom Roles
|
|
3
|
+
description: >-
|
|
4
|
+
Allow B2B customers to create org-scoped custom roles and map them to a static
|
|
5
|
+
set of permissions that grant capabilities in your application.
|
|
6
|
+
originalPath: .tmp-workos-clone/packages/docs/content/fga/modeling/custom-roles.mdx
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
> Explore the example from this guide [in the FGA Playground](https://explore.fga.workos.com/playground?example=custom_roles), where you can interact with the schema, warrants, and access checks in real-time!
|
|
10
|
+
|
|
11
|
+
Customizable, role-based access control gives customers the freedom to define their own custom roles and map each one to a subset of the permissions offered by your application.
|
|
12
|
+
|
|
13
|
+
## When to Use it
|
|
14
|
+
|
|
15
|
+
Implement custom roles when:
|
|
16
|
+
|
|
17
|
+
- **Role-based access control**: Your application's requirements call for role-based access control (RBAC).
|
|
18
|
+
- **Custom roles**: Your customers need the ability to define custom roles that are scoped to their organization and map them to a static set of permissions in your application.
|
|
19
|
+
|
|
20
|
+
## Schema
|
|
21
|
+
|
|
22
|
+
```fga title="schema.txt"
|
|
23
|
+
version 0.3
|
|
24
|
+
|
|
25
|
+
type user
|
|
26
|
+
|
|
27
|
+
type role
|
|
28
|
+
relation member [user]
|
|
29
|
+
|
|
30
|
+
type organization
|
|
31
|
+
relation can_read_company_info [role]
|
|
32
|
+
relation can_write_company_info [role]
|
|
33
|
+
relation can_read_reports [role]
|
|
34
|
+
relation can_write_reports [role]
|
|
35
|
+
|
|
36
|
+
inherit can_read_company_info if
|
|
37
|
+
any_of
|
|
38
|
+
relation can_write_company_info
|
|
39
|
+
relation member on can_read_company_info [role]
|
|
40
|
+
|
|
41
|
+
inherit can_write_company_info if
|
|
42
|
+
relation member on can_write_company_info [role]
|
|
43
|
+
|
|
44
|
+
inherit can_read_reports if
|
|
45
|
+
any_of
|
|
46
|
+
relation can_write_reports
|
|
47
|
+
relation member on can_read_reports [role]
|
|
48
|
+
|
|
49
|
+
inherit can_write_reports if
|
|
50
|
+
relation member on can_write_reports [role]
|
|
51
|
+
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
## Example
|
|
55
|
+
|
|
56
|
+
### (1) Apply the schema
|
|
57
|
+
|
|
58
|
+
Create a file called `schema.txt` containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
|
|
59
|
+
|
|
60
|
+
> Note: make sure to select the correct environment with the [CLI](https://github.com/workos/workos-cli?tab=readme-ov-file#usage)
|
|
61
|
+
|
|
62
|
+
```shell
|
|
63
|
+
workos fga schema apply schema.txt
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
---
|
|
67
|
+
|
|
68
|
+
### (2) Create warrants
|
|
69
|
+
|
|
70
|
+
Create warrants that associate organizations, roles, and users. The example schema defines the following relationships:
|
|
71
|
+
|
|
72
|
+
- users with organizations
|
|
73
|
+
- users with custom roles (e.g. `org:acme:read-only`)
|
|
74
|
+
|
|
75
|
+
Let's create a few warrants between organization `acme`, role `org:acme:read-only`, and user `user_2oDscjroNWtzxzYEnEzT9P7VYEe`:
|
|
76
|
+
|
|
77
|
+
<CodeBlock title="Create warrants" file="custom-roles-create-warrants" />
|
|
78
|
+
|
|
79
|
+
---
|
|
80
|
+
|
|
81
|
+
### (3) Check access
|
|
82
|
+
|
|
83
|
+
With our environment setup, we can check the user's permission to read company info.
|
|
84
|
+
|
|
85
|
+
<CodeBlock
|
|
86
|
+
title="Check if a user has a permission in their organization"
|
|
87
|
+
file="custom-roles-check"
|
|
88
|
+
/>
|
|
89
|
+
|
|
90
|
+
---
|
|
@@ -0,0 +1,127 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Feature Entitlements
|
|
3
|
+
description: >-
|
|
4
|
+
Restrict access to features in your SaaS application based on subscription
|
|
5
|
+
tier using FGA policies and relation-based access control.
|
|
6
|
+
originalPath: .tmp-workos-clone/packages/docs/content/fga/modeling/entitlements.mdx
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
> Explore the example from this guide [in the FGA Playground](https://explore.fga.workos.com/playground?example=entitlements), where you can interact with the schema, warrants, and access checks in real-time!
|
|
10
|
+
|
|
11
|
+
In SaaS applications, it's common to control access to product features based on a subscription tier. This approach allows product teams to define distinct experiences for different customer segments—like offering basic tools to free users/organizations and premium features to paying ones.
|
|
12
|
+
|
|
13
|
+
For example, a design tool might offer a `Free` tier with limited capabilities and a `Pro` tier that unlocks collaboration and team-based workflows.
|
|
14
|
+
|
|
15
|
+
## When to Use It?
|
|
16
|
+
|
|
17
|
+
Use feature entitlements when:
|
|
18
|
+
|
|
19
|
+
- Your product has multiple pricing tiers with different access levels.
|
|
20
|
+
- You want to gate advanced features behind specific subscription plans.
|
|
21
|
+
- Fine-grained resource access is controlled by subscription level.
|
|
22
|
+
|
|
23
|
+
Use this approach when you need dynamic, policy-driven access control for features across different plans or user types. It’s especially helpful in multi-tenant SaaS apps where access logic needs to scale cleanly and stay centralized.
|
|
24
|
+
|
|
25
|
+
## Example Applications
|
|
26
|
+
|
|
27
|
+
- **B2B SaaS Platforms**: Unlock additional collaboration tools for premium customers.
|
|
28
|
+
- **Design Tools**: Offer project and team management to higher-tier subscribers.
|
|
29
|
+
- **Analytics Services**: Gate advanced reporting or integrations behind Enterprise plans.
|
|
30
|
+
- **Productivity Software**: Provide shared team workspaces for Pro users.
|
|
31
|
+
|
|
32
|
+
## Schema
|
|
33
|
+
|
|
34
|
+
```fga
|
|
35
|
+
version 0.3
|
|
36
|
+
|
|
37
|
+
type user
|
|
38
|
+
|
|
39
|
+
type organization
|
|
40
|
+
relation admin [user]
|
|
41
|
+
relation member [user]
|
|
42
|
+
|
|
43
|
+
inherit member if
|
|
44
|
+
relation admin
|
|
45
|
+
|
|
46
|
+
// Tiers are defined by subscription attributes
|
|
47
|
+
relation pro_subscriber []
|
|
48
|
+
inherit pro_subscriber if
|
|
49
|
+
all_of
|
|
50
|
+
relation admin // In this example, you must be an admin on the org to get access to pro features
|
|
51
|
+
policy is_pro_subscriber
|
|
52
|
+
|
|
53
|
+
relation free_subscriber []
|
|
54
|
+
inherit free_subscriber if
|
|
55
|
+
any_of
|
|
56
|
+
policy is_free_subscriber
|
|
57
|
+
policy is_pro_subscriber // Pro subscribers can also access free features
|
|
58
|
+
|
|
59
|
+
// Feature access based on subscription tier
|
|
60
|
+
relation feature_projects []
|
|
61
|
+
inherit feature_projects if
|
|
62
|
+
all_of
|
|
63
|
+
relation member
|
|
64
|
+
relation free_subscriber
|
|
65
|
+
|
|
66
|
+
relation feature_teams []
|
|
67
|
+
inherit feature_teams if
|
|
68
|
+
relation pro_subscriber
|
|
69
|
+
|
|
70
|
+
// Teams and Projects demonstrate how you can utilize ReBAC permissions
|
|
71
|
+
// to control access to features based on org subscription tiers
|
|
72
|
+
type team
|
|
73
|
+
relation owner [organization]
|
|
74
|
+
|
|
75
|
+
relation view []
|
|
76
|
+
inherit view if
|
|
77
|
+
relation feature_teams on owner [organization]
|
|
78
|
+
|
|
79
|
+
type project
|
|
80
|
+
relation owner [organization]
|
|
81
|
+
|
|
82
|
+
relation view []
|
|
83
|
+
inherit view if
|
|
84
|
+
relation feature_projects on owner [organization]
|
|
85
|
+
|
|
86
|
+
// Policies check subscription attributes passed from a third party integration
|
|
87
|
+
policy is_pro_subscriber(subscription_attrs map) {
|
|
88
|
+
subscription_attrs.subscription_tier == "pro"
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
policy is_free_subscriber(subscription_attrs map) {
|
|
92
|
+
subscription_attrs.subscription_tier == "free"
|
|
93
|
+
}
|
|
94
|
+
```
|
|
95
|
+
|
|
96
|
+
> Note: Feature access is determined entirely by an organization’s subscription attributes, which are evaluated by policy. This approach enables dynamic, attribute-based access control without manually managing feature grants.
|
|
97
|
+
|
|
98
|
+
---
|
|
99
|
+
|
|
100
|
+
## Example
|
|
101
|
+
|
|
102
|
+
### (1) Apply the schema
|
|
103
|
+
|
|
104
|
+
Create a file called `schema.txt` with the schema above, and apply it to your FGA environment using the CLI.
|
|
105
|
+
|
|
106
|
+
```shell
|
|
107
|
+
workos fga schema apply schema.txt
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
---
|
|
111
|
+
|
|
112
|
+
### (2) Add warrants
|
|
113
|
+
|
|
114
|
+
Create warrants that associate users to organizations and add teams / projects.
|
|
115
|
+
|
|
116
|
+
<CodeBlock title="Create warrants" file="entitlements-create-warrants" />
|
|
117
|
+
|
|
118
|
+
### (3) Check access
|
|
119
|
+
|
|
120
|
+
Once everything is set up, check if a user can access specific features.
|
|
121
|
+
|
|
122
|
+
<CodeBlock
|
|
123
|
+
title="Check if a user can access a feature"
|
|
124
|
+
file="entitlements-check"
|
|
125
|
+
/>
|
|
126
|
+
|
|
127
|
+
---
|
|
@@ -0,0 +1,131 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Managed Service Provider
|
|
3
|
+
description: >-
|
|
4
|
+
Model a managed service provider (MSP) that provides services to clients and
|
|
5
|
+
manages projects, tasks, and assets.
|
|
6
|
+
originalPath: >-
|
|
7
|
+
.tmp-workos-clone/packages/docs/content/fga/modeling/managed-service-provider.mdx
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
> Explore the example from this guide [in the FGA Playground](https://explore.fga.workos.com/playground?example=managed_service_provider), where you can interact with the schema, warrants, and access checks in real-time!
|
|
11
|
+
|
|
12
|
+
In a managed service provider (MSP) scenario, a client organization grants access to an external provider to perform services or manage resources on its behalf, while retaining control over access by assigning roles to the provider and its personnel.
|
|
13
|
+
|
|
14
|
+
## When to Use It?
|
|
15
|
+
|
|
16
|
+
This model is ideal when you need to grant limited access to external service providers without compromising internal access controls. It’s particularly useful in scenarios where external teams (like IT consultants, marketing agencies, or law firms) are brought in to manage specific projects or assets.
|
|
17
|
+
|
|
18
|
+
- **IT services**: Clients delegate infrastructure or helpdesk support to an MSP.
|
|
19
|
+
- **Marketing agencies**: Agencies manage campaigns and related assets for clients.
|
|
20
|
+
- **Law firms**: External legal teams manage cases and documents for clients.
|
|
21
|
+
- **Project management**: Providers handle maintenance tasks and asset management for clients.
|
|
22
|
+
- **Warehousing**: Providers manage inventory and logistics for clients.
|
|
23
|
+
|
|
24
|
+
## Schema
|
|
25
|
+
|
|
26
|
+
```fga title="schema.txt"
|
|
27
|
+
version 0.3
|
|
28
|
+
|
|
29
|
+
type user
|
|
30
|
+
|
|
31
|
+
// A client is a customer of the provider
|
|
32
|
+
type client
|
|
33
|
+
relation admin [user]
|
|
34
|
+
|
|
35
|
+
// A provider is a service provider managed by the client
|
|
36
|
+
type provider
|
|
37
|
+
relation admin [user]
|
|
38
|
+
relation technician [user]
|
|
39
|
+
|
|
40
|
+
inherit technician if
|
|
41
|
+
relation admin
|
|
42
|
+
|
|
43
|
+
// A project is a project managed by the client and assigned a provider
|
|
44
|
+
type project
|
|
45
|
+
relation client [client]
|
|
46
|
+
relation provider [provider]
|
|
47
|
+
relation editor [user]
|
|
48
|
+
relation viewer [user]
|
|
49
|
+
|
|
50
|
+
inherit editor if
|
|
51
|
+
any_of
|
|
52
|
+
relation admin on client [client]
|
|
53
|
+
relation admin on provider [provider]
|
|
54
|
+
relation technician on provider [provider]
|
|
55
|
+
|
|
56
|
+
inherit viewer if
|
|
57
|
+
any_of
|
|
58
|
+
relation editor
|
|
59
|
+
|
|
60
|
+
type task
|
|
61
|
+
relation assignee [user]
|
|
62
|
+
relation project [project]
|
|
63
|
+
relation edit []
|
|
64
|
+
relation view []
|
|
65
|
+
|
|
66
|
+
inherit edit if
|
|
67
|
+
any_of
|
|
68
|
+
relation assignee
|
|
69
|
+
relation editor on project [project]
|
|
70
|
+
|
|
71
|
+
inherit view if
|
|
72
|
+
any_of
|
|
73
|
+
relation edit
|
|
74
|
+
relation viewer on project [project]
|
|
75
|
+
|
|
76
|
+
type asset
|
|
77
|
+
relation manager [user]
|
|
78
|
+
relation project [project]
|
|
79
|
+
relation edit []
|
|
80
|
+
relation view []
|
|
81
|
+
|
|
82
|
+
inherit edit if
|
|
83
|
+
any_of
|
|
84
|
+
relation manager
|
|
85
|
+
relation editor on project [project]
|
|
86
|
+
|
|
87
|
+
inherit view if
|
|
88
|
+
any_of
|
|
89
|
+
relation edit
|
|
90
|
+
relation viewer on project [project]
|
|
91
|
+
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
## Example
|
|
95
|
+
|
|
96
|
+
### (1) Apply the schema
|
|
97
|
+
|
|
98
|
+
Create a file called `schema.txt` containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
|
|
99
|
+
|
|
100
|
+
> Note: make sure to select the correct environment with the [CLI](https://github.com/workos/workos-cli?tab=readme-ov-file#usage)
|
|
101
|
+
|
|
102
|
+
```shell
|
|
103
|
+
workos fga schema apply schema.txt
|
|
104
|
+
```
|
|
105
|
+
|
|
106
|
+
---
|
|
107
|
+
|
|
108
|
+
### (2) Create warrants
|
|
109
|
+
|
|
110
|
+
Create warrants that associate users, clients, providers, and projects. The example schema defines the following relationships:
|
|
111
|
+
|
|
112
|
+
- clients and providers with projects
|
|
113
|
+
- tasks and assets as children of projects
|
|
114
|
+
- users with clients or providers (using one of the defined roles: `admin` or `technician`)
|
|
115
|
+
|
|
116
|
+
Let's create a few warrants between client `client-1`, provider `provider-1`, project `project-1`, and users:
|
|
117
|
+
|
|
118
|
+
<CodeBlock title="Create warrants" file="msp-create-warrants" />
|
|
119
|
+
|
|
120
|
+
---
|
|
121
|
+
|
|
122
|
+
### (3) Check access
|
|
123
|
+
|
|
124
|
+
With our environment setup, we can check whether the user can view an asset.
|
|
125
|
+
|
|
126
|
+
<CodeBlock
|
|
127
|
+
title="Check if a user has permission to view an asset"
|
|
128
|
+
file="msp-check"
|
|
129
|
+
/>
|
|
130
|
+
|
|
131
|
+
---
|
|
@@ -0,0 +1,95 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Org Roles & Permissions
|
|
3
|
+
description: >-
|
|
4
|
+
Create org-scoped roles based on common user personas and map them to a static
|
|
5
|
+
set of permissions that grant capabilities in your application.
|
|
6
|
+
originalPath: >-
|
|
7
|
+
.tmp-workos-clone/packages/docs/content/fga/modeling/org-roles-and-permissions.mdx
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
> Explore the example from this guide [in the FGA Playground](https://explore.fga.workos.com/playground?example=org_roles_permissions), where you can interact with the schema, warrants, and access checks in real-time!
|
|
11
|
+
|
|
12
|
+
Build a role-based access control (RBAC) that scopes each user's role and permission assignments to a specific organization.
|
|
13
|
+
|
|
14
|
+
## When to Use it
|
|
15
|
+
|
|
16
|
+
Implement org roles and permissions when:
|
|
17
|
+
|
|
18
|
+
- **Role-based access control**: Your application's requirements call for role-based access control (RBAC)
|
|
19
|
+
- **Org-specific roles**: Your customers want to grant their users privileges based on their role within a specific organization.
|
|
20
|
+
|
|
21
|
+
## Schema
|
|
22
|
+
|
|
23
|
+
```fga title="schema.txt"
|
|
24
|
+
version 0.3
|
|
25
|
+
|
|
26
|
+
type user
|
|
27
|
+
|
|
28
|
+
type organization
|
|
29
|
+
relation role_admin [user]
|
|
30
|
+
relation role_read_only [user]
|
|
31
|
+
inherit role_read_only if
|
|
32
|
+
relation role_admin
|
|
33
|
+
|
|
34
|
+
relation can_read_company_info [role]
|
|
35
|
+
relation can_write_company_info [role]
|
|
36
|
+
relation can_read_reports [role]
|
|
37
|
+
relation can_write_reports [role]
|
|
38
|
+
|
|
39
|
+
inherit can_read_company_info if
|
|
40
|
+
any_of
|
|
41
|
+
relation can_write_company_info
|
|
42
|
+
relation role_read_only
|
|
43
|
+
|
|
44
|
+
inherit can_write_company_info if
|
|
45
|
+
relation role_admin
|
|
46
|
+
|
|
47
|
+
inherit can_read_reports if
|
|
48
|
+
any_of
|
|
49
|
+
relation can_write_reports
|
|
50
|
+
relation role_read_only
|
|
51
|
+
|
|
52
|
+
inherit can_write_reports if
|
|
53
|
+
relation role_admin
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
## Example
|
|
57
|
+
|
|
58
|
+
### (1) Apply the schema
|
|
59
|
+
|
|
60
|
+
Create a file called `schema.txt` containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.
|
|
61
|
+
|
|
62
|
+
> Note: make sure to select the correct environment with the [CLI](https://github.com/workos/workos-cli?tab=readme-ov-file#usage)
|
|
63
|
+
|
|
64
|
+
```shell
|
|
65
|
+
workos fga schema apply schema.txt
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
---
|
|
69
|
+
|
|
70
|
+
### (2) Create warrants
|
|
71
|
+
|
|
72
|
+
Create warrants that associate organizations, roles, and users. The example schema defines the following relationships:
|
|
73
|
+
|
|
74
|
+
- users with organizations
|
|
75
|
+
- users with custom roles (e.g. `org:acme:read-only`)
|
|
76
|
+
|
|
77
|
+
Let's create a few warrants between organization `acme`, role `org:acme:read-only`, and user `user_2oDscjroNWtzxzYEnEzT9P7VYEe`:
|
|
78
|
+
|
|
79
|
+
<CodeBlock
|
|
80
|
+
title="Create warrants"
|
|
81
|
+
file="org-roles-permissions-create-warrants"
|
|
82
|
+
/>
|
|
83
|
+
|
|
84
|
+
---
|
|
85
|
+
|
|
86
|
+
### (3) Check access
|
|
87
|
+
|
|
88
|
+
With our environment setup, we can check the user's permission to read company info.
|
|
89
|
+
|
|
90
|
+
<CodeBlock
|
|
91
|
+
title="Check if a user has a permission in their organization"
|
|
92
|
+
file="org-roles-permissions-check"
|
|
93
|
+
/>
|
|
94
|
+
|
|
95
|
+
---
|