swagger: '2.0'
info:
title: OpenFGA
description: A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar.
version: 1.x
contact:
name: OpenFGA
url: https://openfga.dev
email: [email protected]
license:
name: Apache-2.0
url: https://github.com/openfga/openfga/blob/main/LICENSE
tags:
- name: AuthZenService
- name: OpenFGAService
schemes:
- https
consumes:
- application/json
produces:
- application/json
paths:
/.well-known/authzen-configuration/{store_id}:
get:
summary: '[Experimental] Get AuthZEN PDP configuration and capabilities'
description: "[Experimental] The GetConfiguration API returns metadata about the Policy Decision Point (PDP) including its name, version, supported endpoints,\
\ and capabilities. This endpoint follows the AuthZEN specification for PDP discovery.\n\nFollowing the AuthZEN spec's multi-tenant pattern, OpenFGA provides\
\ a per-store discovery endpoint at `/.well-known/authzen-configuration/{store_id}`. This returns absolute endpoint URLs specific to that store.\n\n## Example\
\ Response\n```json\n{\n \"policy_decision_point\": \"https://example.com/stores/01ARZ3NDEKTSV4RRFFQ69G5FAV\",\n \"access_evaluation_endpoint\": \"https://example.com/stores/01ARZ3NDEKTSV4RRFFQ69G5FAV/access/v1/evaluation\"\
,\n \"access_evaluations_endpoint\": \"https://example.com/stores/01ARZ3NDEKTSV4RRFFQ69G5FAV/access/v1/evaluations\",\n \"search_subject_endpoint\": \"\
https://example.com/stores/01ARZ3NDEKTSV4RRFFQ69G5FAV/access/v1/search/subject\",\n \"search_resource_endpoint\": \"https://example.com/stores/01ARZ3NDEKTSV4RRFFQ69G5FAV/access/v1/search/resource\"\
,\n \"search_action_endpoint\": \"https://example.com/stores/01ARZ3NDEKTSV4RRFFQ69G5FAV/access/v1/search/action\"\n}\n```\n"
operationId: GetConfiguration
responses:
'200':
description: A successful response.
schema:
$ref: '#/definitions/GetConfigurationResponse'
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
- name: store_id
description: 'The store ID for which to retrieve configuration.
Following the AuthZEN spec''s multi-tenant pattern, each store has its own discovery endpoint.'
in: path
required: true
type: string
tags:
- AuthZenService
/stores:
get:
summary: List all stores
description: 'Returns a paginated list of OpenFGA stores and a continuation token to get additional stores.
The continuation token will be empty if there are no more stores.
'
operationId: ListStores
responses:
'200':
description: A successful response.
schema:
$ref: '#/definitions/ListStoresResponse'
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
# Optional page-size query parameter for ListStores, typed as a 32-bit integer.
# No minimum or maximum is declared for it in this spec.
# NOTE(review): confirm the server enforces an upper bound on page size.
- name: page_size
in: query
required: false
type: integer
format: int32
- name: continuation_token
in: query
required: false
type: string
- name: name
description: The name parameter instructs the API to only include results that match that name. Multiple results may be returned. Only exact matches will be
returned; substring matches and regexes will not be evaluated.
in: query
required: false
type: string
tags:
- Stores
post:
summary: Create a store
description: Create a unique OpenFGA store which will be used to store authorization models and relationship tuples.
operationId: CreateStore
responses:
'201':
description: A successful response.
schema:
$ref: '#/definitions/CreateStoreResponse'
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/CreateStoreRequest'
tags:
- Stores
/stores/{store_id}:
get:
summary: Get a store
description: Returns an OpenFGA store by its identifier
operationId: GetStore
responses:
'200':
description: A successful response.
schema:
$ref: '#/definitions/GetStoreResponse'
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
- name: store_id
in: path
required: true
type: string
tags:
- Stores
delete:
summary: Delete a store
# NOTE(review): per the description below, deleting a store leaves its tuples
# and authorization models in place; retention or erasure of that data has to
# be handled separately from this call.
description: Delete an OpenFGA store. This does not delete the data associated with the store, like tuples or authorization models.
operationId: DeleteStore
responses:
'204':
description: A successful response.
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
- name: store_id
in: path
required: true
type: string
tags:
- Stores
/stores/{store_id}/access/v1/evaluation:
post:
summary: '[Experimental] Evaluate whether a subject can perform an action on a resource'
description: "[Experimental] The Evaluation API determines whether a subject is authorized to perform an action on a resource. This endpoint implements the\
\ AuthZEN Access Evaluation API specification.\n\n## Request Structure\nThe request requires three components:\n- **subject**: The entity requesting access\
\ (e.g., a user or service)\n- **action**: The operation being performed (maps to a relation in the authorization model)\n- **resource**: The object being\
\ accessed\n\nEach component has a `type` and `id` field, and may include optional `properties` for ABAC (Attribute-Based Access Control) conditions.\n\n\
## Response\nThe response contains a `decision` field (boolean) indicating whether access is permitted, and an optional `context` object with additional information\
\ such as the evaluation ID or error details.\n\n## ABAC Support\nProperties on subject, action, and resource are automatically merged into the evaluation\
\ context with prefixes:\n- Subject properties: `subject_<property_name>`\n- Resource properties: `resource_<property_name>`\n- Action properties: `action_<property_name>`\n\
\nThese merged properties can be used in conditions defined in your authorization model.\n\n## Examples\n### Basic authorization check\nCheck if user Anne\
\ can read a document:\n```json\n{\n \"subject\": {\"type\": \"user\", \"id\": \"anne\"},\n \"action\": {\"name\": \"can_read\"},\n \"resource\": {\"type\"\
: \"document\", \"id\": \"roadmap\"}\n}\n```\nResponse when authorized:\n```json\n{\n \"decision\": true\n}\n```\n### Using properties for ABAC\nCheck access\
\ with subject and resource attributes:\n```json\n{\n \"subject\": {\n \"type\": \"user\",\n \"id\": \"anne\",\n \"properties\": {\"department\"\
: \"engineering\", \"clearance_level\": 3}\n },\n \"action\": {\"name\": \"can_read\"},\n \"resource\": {\n \"type\": \"document\",\n \"id\": \"\
secret-project\",\n \"properties\": {\"classification\": \"confidential\", \"required_clearance\": 2}\n }\n}\n```\n### Using request context\nProvide\
\ additional context for time-based or environmental conditions:\n```json\n{\n \"subject\": {\"type\": \"user\", \"id\": \"bob\"},\n \"action\": {\"name\"\
: \"can_access\"},\n \"resource\": {\"type\": \"system\", \"id\": \"production\"},\n \"context\": {\n \"current_time\": \"2024-01-15T14:30:00Z\",\n \
\ \"ip_address\": \"192.168.1.100\",\n \"is_vpn_connected\": true\n }\n}\n```\n### Specifying authorization model\nPin the evaluation to a specific\
\ authorization model version using the `Openfga-Authorization-Model-Id` header:\n```\nPOST /stores/{store_id}/access/v1/evaluation\nOpenfga-Authorization-Model-Id:\
\ 01G50QVV17PECNVAHX1GG4Y5NC\n\n{\n \"subject\": {\"type\": \"user\", \"id\": \"anne\"},\n \"action\": {\"name\": \"can_write\"},\n \"resource\": {\"type\"\
: \"document\", \"id\": \"budget-2024\"}\n}\n```\n"
operationId: Evaluation
responses:
'200':
description: A successful response.
schema:
$ref: '#/definitions/EvaluationResponse'
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
- name: store_id
in: path
required: true
type: string
# Request body for the Evaluation operation. subject, resource and action are
# listed as required; context is optional.
- name: body
in: body
required: true
schema:
type: object
properties:
subject:
$ref: '#/definitions/Subject'
resource:
$ref: '#/definitions/Resource'
action:
$ref: '#/definitions/Action'
# context is declared as a bare object with no property schema, so the spec
# itself places no constraint on the keys a caller may send.
# NOTE(review): the operation's examples pass current_time and ip_address
# here for condition evaluation, so a decision is only as reliable as the
# component that populates these values; confirm callers derive them from
# trusted sources rather than from end-user input.
context:
type: object
required:
- subject
- resource
- action
tags:
- AuthZenService
/stores/{store_id}/access/v1/evaluations:
post:
summary: '[Experimental] Check whether one or more users are authorized to access resources'
description: "[Experimental] The Evaluations API allows batch authorization checks in a single request. It supports request-level defaults for subject, action,\
\ resource, and context that can be overridden per evaluation item.\n\n## Evaluation Semantics\nThe `options.evaluations_semantic` field controls how evaluations\
\ are processed:\n- `execute_all` (default): Execute all evaluations and return all results\n- `deny_on_first_deny`: Stop processing on first deny decision\n\
- `permit_on_first_permit`: Stop processing on first permit decision\n\nWhen using `deny_on_first_deny` or `permit_on_first_permit`, the response may include\
\ fewer items than the request because processing short-circuits when the condition is met.\n\n## Authorization Model Selection\nTo pin evaluations to a specific\
\ authorization model version, send the `Openfga-Authorization-Model-Id` header. If the header is not provided, the latest model is used.\n\n## Examples\n\
### Basic batch evaluation\nCheck if a user can perform multiple actions on a document:\n```json\n{\n \"subject\": {\"type\": \"user\", \"id\": \"anne\"\
},\n \"resource\": {\"type\": \"document\", \"id\": \"roadmap\"},\n \"evaluations\": [\n {\"action\": {\"name\": \"can_read\"}},\n {\"action\": {\"\
name\": \"can_write\"}},\n {\"action\": {\"name\": \"can_delete\"}}\n ]\n}\n```\n### Using evaluation semantics\nStop on first permitted action (useful\
\ for finding any valid permission):\n```json\n{\n \"subject\": {\"type\": \"user\", \"id\": \"anne\"},\n \"resource\": {\"type\": \"document\", \"id\"\
: \"roadmap\"},\n \"evaluations\": [\n {\"action\": {\"name\": \"can_read\"}},\n {\"action\": {\"name\": \"can_write\"}}\n ],\n \"options\": {\n\
\ \"evaluations_semantic\": \"permit_on_first_permit\"\n }\n}\n```\n### Overriding defaults per evaluation\nCheck permissions across multiple resources:\n\
```json\n{\n \"subject\": {\"type\": \"user\", \"id\": \"anne\"},\n \"action\": {\"name\": \"can_read\"},\n \"evaluations\": [\n {\"resource\": {\"\
type\": \"document\", \"id\": \"doc1\"}},\n {\"resource\": {\"type\": \"document\", \"id\": \"doc2\"}},\n {\"resource\": {\"type\": \"folder\", \"id\"\
: \"folder1\"}}\n ]\n}\n```\n"
operationId: Evaluations
responses:
'200':
description: A successful response.
schema:
$ref: '#/definitions/EvaluationsResponse'
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
- name: store_id
in: path
required: true
type: string
# Request body for the batch Evaluations operation. Per the operation
# description, the top-level subject, action, resource and context act as
# request-level defaults that individual evaluation items may override.
# No `required` list is visible on this schema.
- name: body
in: body
required: true
schema:
type: object
properties:
subject:
$ref: '#/definitions/Subject'
action:
$ref: '#/definitions/Action'
resource:
$ref: '#/definitions/Resource'
# Bare object with no property schema; keys are not constrained by the spec.
context:
type: object
evaluations:
type: array
# NOTE(review): `type` appears to sit beside `$ref` under items; Swagger 2.0
# tooling commonly ignores keys next to a $ref, in which case only the
# referenced EvaluationsItemRequest definition applies.
items:
type: object
$ref: '#/definitions/EvaluationsItemRequest'
description: Optional. If omitted or empty, behaves like a single Access Evaluation request.
# The operation description states that with deny_on_first_deny or
# permit_on_first_permit the response may contain fewer items than the request.
# NOTE(review): clients should treat an evaluation that has no returned result
# as undecided, not as permitted.
options:
$ref: '#/definitions/EvaluationsOptions'
title: Options for batch evaluation semantics
tags:
- AuthZenService
/stores/{store_id}/access/v1/search/action:
post:
summary: '[Experimental] Search for actions a subject can perform on a resource'
description: "[Experimental] The ActionSearch API returns all actions (relations) that a subject can perform on a specific resource. This is useful for answering\
\ questions like \"What can Anne do with this document?\" or building dynamic UIs that show only the actions a user is permitted to perform.\n\n## Examples\n\
### Find all actions a user can perform on a document\n```json\n{\n \"subject\": {\"type\": \"user\", \"id\": \"anne\"},\n \"resource\": {\"type\": \"document\"\
, \"id\": \"roadmap\"}\n}\n```\nResponse:\n```json\n{\n \"results\": [\n {\"name\": \"can_read\"},\n {\"name\": \"can_write\"},\n {\"name\": \"\
can_share\"}\n ],\n \"page\": {\"count\": 3}\n}\n```\n### Search with ABAC context for time-based permissions\n```json\n{\n \"subject\": {\"type\": \"\
user\", \"id\": \"bob\"},\n \"resource\": {\"type\": \"report\", \"id\": \"quarterly-financials\"},\n \"context\": {\n \"current_time\": \"2024-01-15T14:30:00Z\"\
,\n \"user_department\": \"finance\"\n }\n}\n```\n### Paginated action search\n```json\n{\n \"subject\": {\"type\": \"user\", \"id\": \"admin\"},\n \
\ \"resource\": {\"type\": \"system\", \"id\": \"production\"},\n \"page\": {\"limit\": 50}\n}\n```\n"
operationId: ActionSearch
responses:
'200':
description: A successful response.
schema:
$ref: '#/definitions/ActionSearchResponse'
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
- name: store_id
in: path
required: true
type: string
# Request body for ActionSearch. subject and resource are listed as required;
# context and page are optional.
- name: body
in: body
required: true
schema:
type: object
properties:
subject:
$ref: '#/definitions/Subject'
resource:
$ref: '#/definitions/Resource'
# Bare object with no property schema. The operation's examples use it to
# carry values such as current_time and user_department for conditions.
# NOTE(review): these values are supplied by the caller; confirm they come
# from a trusted source before the results are relied on.
context:
type: object
page:
$ref: '#/definitions/PageRequest'
title: ActionSearch request
required:
- subject
- resource
tags:
- AuthZenService
/stores/{store_id}/access/v1/search/resource:
post:
summary: '[Experimental] Search for resources a subject has access to'
description: "[Experimental] The ResourceSearch API returns all resources of a given type that a subject has a specific action (relation) on. This is useful\
\ for answering questions like \"What documents can Anne read?\" or \"What folders can Bob administer?\"\n\nThe resource type filter is required. Results\
\ support pagination for large result sets.\n\n## Examples\n### Find all documents a user can read\n```json\n{\n \"subject\": {\"type\": \"user\", \"id\"\
: \"anne\"},\n \"action\": {\"name\": \"can_read\"},\n \"resource\": {\"type\": \"document\"}\n}\n```\nResponse:\n```json\n{\n \"results\": [\n {\"\
type\": \"document\", \"id\": \"roadmap\"},\n {\"type\": \"document\", \"id\": \"budget-2024\"},\n {\"type\": \"document\", \"id\": \"team-roster\"\
}\n ],\n \"page\": {\"count\": 3}\n}\n```\n### Find folders a user can administer with pagination\n```json\n{\n \"subject\": {\"type\": \"user\", \"id\"\
: \"bob\"},\n \"action\": {\"name\": \"can_admin\"},\n \"resource\": {\"type\": \"folder\"},\n \"page\": {\"limit\": 25}\n}\n```\n### Search with ABAC\
\ context\n```json\n{\n \"subject\": {\"type\": \"user\", \"id\": \"anne\"},\n \"action\": {\"name\": \"can_read\"},\n \"resource\": {\"type\": \"document\"\
},\n \"context\": {\n \"current_time\": \"2024-01-15T10:00:00Z\",\n \"ip_address\": \"192.168.1.100\"\n }\n}\n```\n"
operationId: ResourceSearch
responses:
'200':
description: A successful response.
schema:
$ref: '#/definitions/ResourceSearchResponse'
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
- name: store_id
in: path
required: true
type: string
# Request body for ResourceSearch. subject, action and resource are listed as
# required; context and page are optional.
- name: body
in: body
required: true
schema:
type: object
properties:
subject:
$ref: '#/definitions/Subject'
action:
$ref: '#/definitions/Action'
# resource references ResourceFilter rather than Resource; the operation
# description states that the resource type filter is required.
# NOTE(review): `title` sits beside `$ref`; Swagger 2.0 tooling commonly
# ignores keys next to a $ref, so this title may not be rendered.
resource:
$ref: '#/definitions/ResourceFilter'
title: Filter by resource type
# Bare object with no property schema. The operation's examples pass
# current_time and ip_address here.
# NOTE(review): these values are supplied by the caller; confirm they come
# from a trusted source before the results are relied on.
context:
type: object
page:
$ref: '#/definitions/PageRequest'
title: ResourceSearch request
required:
- subject
- action
- resource
tags:
- AuthZenService
/stores/{store_id}/access/v1/search/subject:
post:
summary: '[Experimental] Search for subjects with access to a resource'
description: "[Experimental] The SubjectSearch API returns all subjects that have a specific action (relation) on a given resource. This is useful for answering\
\ questions like \"Who can read this document?\" or \"Who can administer this folder?\"\n\nResults can be filtered by subject type and support pagination\
\ for large result sets.\n\n## Examples\n### Find all users who can read a document\n```json\n{\n \"resource\": {\"type\": \"document\", \"id\": \"roadmap\"\
},\n \"action\": {\"name\": \"can_read\"},\n \"subject\": {\"type\": \"user\"}\n}\n```\nResponse:\n```json\n{\n \"results\": [\n {\"type\": \"user\"\
, \"id\": \"anne\"},\n {\"type\": \"user\", \"id\": \"bob\"},\n {\"type\": \"user\", \"id\": \"charlie\"}\n ],\n \"page\": {\"count\": 3}\n}\n```\n\
### Paginated search with limit\n```json\n{\n \"resource\": {\"type\": \"folder\", \"id\": \"engineering\"},\n \"action\": {\"name\": \"can_view\"},\n \
\ \"subject\": {\"type\": \"user\"},\n \"page\": {\"limit\": 10}\n}\n```\n### Continue from previous page\n```json\n{\n \"resource\": {\"type\": \"folder\"\
, \"id\": \"engineering\"},\n \"action\": {\"name\": \"can_view\"},\n \"subject\": {\"type\": \"user\"},\n \"page\": {\"token\": \"eyJsYXN0X2lkIjoiMTAwIn0=\"\
, \"limit\": 10}\n}\n```\n"
operationId: SubjectSearch
responses:
'200':
description: A successful response.
schema:
$ref: '#/definitions/SubjectSearchResponse'
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
- name: store_id
in: path
required: true
type: string
# Request body for SubjectSearch. resource, action and subject are listed as
# required; context and page are optional.
# NOTE(review): per the operation description the response lists every subject
# holding the action on the resource, so access to this operation should be
# limited to callers entitled to see that membership.
- name: body
in: body
required: true
schema:
type: object
properties:
resource:
$ref: '#/definitions/Resource'
action:
$ref: '#/definitions/Action'
# subject references SubjectFilter; the attached description says a supplied
# subject `id` is ignored.
# NOTE(review): `description` sits beside `$ref`; Swagger 2.0 tooling commonly
# ignores keys next to a $ref, so this caveat may not reach generated docs.
subject:
$ref: '#/definitions/SubjectFilter'
description: REQUIRED by AuthZEN Subject Search. Subject `id` may be provided but is ignored.
# Bare object with no property schema; keys are not constrained by the spec.
context:
type: object
# NOTE(review): the example page token in this operation's description is
# base64-encoded JSON. If real tokens are likewise plain encoded data, the
# server has to validate them as untrusted input; confirm the token format.
page:
$ref: '#/definitions/PageRequest'
title: SubjectSearch request
required:
- resource
- action
- subject
tags:
- AuthZenService
/stores/{store_id}/assertions/{authorization_model_id}:
get:
summary: Read assertions for an authorization model ID
description: 'The ReadAssertions API will return, for a given authorization model id, all the assertions stored for it. '
operationId: ReadAssertions
responses:
'200':
description: A successful response.
schema:
$ref: '#/definitions/ReadAssertionsResponse'
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
schema:
$ref: '#/definitions/UnauthenticatedResponse'
'403':
description: Forbidden.
schema:
$ref: '#/definitions/ForbiddenResponse'
'404':
description: Request failed due to incorrect path.
schema:
$ref: '#/definitions/PathUnknownErrorMessageResponse'
'409':
description: Request was aborted due to a transaction conflict.
schema:
$ref: '#/definitions/AbortedMessageResponse'
'422':
description: Request timed out due to excessive request throttling.
schema:
$ref: '#/definitions/UnprocessableContentMessageResponse'
'500':
description: Request failed due to internal server error.
schema:
$ref: '#/definitions/InternalErrorMessageResponse'
parameters:
- name: store_id
in: path
required: true
type: string
- name: authorization_model_id
in: path
required: true
type: string
tags:
- Assertions
put:
summary: Upsert assertions for an authorization model ID
description: The WriteAssertions API will upsert new assertions for an authorization model id, or overwrite the existing ones. An assertion is an object that
contains a tuple key, the expectation of whether a call to the Check API of that tuple key will return true or false, and optionally a list of contextual
tuples.
operationId: WriteAssertions
responses:
'204':
description: A successful response.
'400':
description: Request failed due to invalid input.
schema:
$ref: '#/definitions/ValidationErrorMessageResponse'
'401':
description: Not authenticated.
# --- truncated at 32 KB (119 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/auth0/refs/heads/main/openapi/auth0-fga-openapi.yml