docs: document FGA support in authorizer-go and authorizer-js SDKs #64
Open
lakhansamani wants to merge 8 commits into
Add fine-grained authorization (FGA) documentation to the SDK reference:
- authorizer-js functions.md: new getPermissions section, required_permissions param rows + samples for getSession, validateJWTToken, validateSession
- authorizer-go index.md: GetPermissions in available methods + FGA usage examples (RequiredPermissions and GetPermissions)
✅ Deploy Preview for authorizerdev-docs ready!
…ig, migration, SDKs
- New core/authorization-recipes page: how FGA fits an application (the two touchpoints — write tuples on domain events, check on reads), Express and Go middleware, list filtering with fga_list_objects, and five complete recipes: document sharing, multi-tenant org→project→resource hierarchy (grant once, inherit everywhere, fine-grained exceptions), job-role approval workflow, time-bound contractor access, and block lists. Every DSL block is validated against the embedded OpenFGA engine.
- authorization.md: identify subjects by user:<id> (not names), app roles vs FGA relations are decoupled, cross-link the recipes page.
- Merge authorization-recipes into authorization.md (§8 Using FGA from your application, §9 Real-world recipes, §10 Cheat sheet) — one page instead of two near-identically named sidebar entries.
- Identify everything by id: user:<id> for subjects and numeric ids for objects (organization:101, project:201, resource:301…) across authorization, graphql-api, SDK pages and the migration guide. role:* objects stay keyed by role name by design.
- Model builder copy: starts from admin/editor/viewer; configured roles are one-click additions.
The public FGA surface is now exactly two operations (fga_check, fga_batch_check and fga_list_objects are gone — never released):
- check_permissions: one or many checks per call; results positional and echoing each pair.
- list_permissions: objects the subject holds a permission on.
- Subject defaults to the caller's token; an explicit user is honored only for super-admins or when it equals the caller's own subject.
- Access Tester docs replaced by Users → View Permissions (the dashboard's per-user list_permissions modal).
- Updated: authorization (§4, middleware, recipes, cheat sheet), graphql-api, metrics labels, security, migration, and both SDK pages (CheckPermissions/ListPermissions, checkPermissions/listPermissions).
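The subject rule and positional results described in the commit message above, sketched in Go as an added example; it is not code from this PR or from the Authorizer server. All type and function names, the `can_view`/`can_edit` permissions, the in-memory `grants` map standing in for the FGA engine, and the choice to reject (rather than ignore) a disallowed explicit user are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// All names are hypothetical; this is not the Authorizer server's code.
type Check struct{ Permission, Object string }

// Result echoes the pair it answers, so callers can match by position or value.
type Result struct {
	Check
	Allowed bool
}

var ErrSubject = errors.New("explicit user not permitted for this caller")

// ResolveSubject defaults to the token's subject and honors an explicit user
// only for super-admins or self. Rejecting a foreign user is an assumption.
func ResolveSubject(tokenSub string, superAdmin bool, explicit string) (string, error) {
	if explicit == "" || explicit == tokenSub {
		return tokenSub, nil
	}
	if !superAdmin {
		return "", ErrSubject
	}
	return explicit, nil
}

// CheckPermissions returns one result per input, in input order. grants is a
// constructed stand-in for the FGA engine: subject -> "permission|object".
func CheckPermissions(tokenSub string, superAdmin bool, explicit string,
	checks []Check, grants map[string]map[string]bool) ([]Result, error) {
	subject, err := ResolveSubject(tokenSub, superAdmin, explicit)
	if err != nil {
		return nil, err
	}
	out := make([]Result, len(checks))
	for i, ch := range checks {
		out[i] = Result{Check: ch, Allowed: grants[subject][ch.Permission+"|"+ch.Object]}
	}
	return out, nil
}
func main() {
	grants := map[string]map[string]bool{"user:42": {"can_view|project:201": true}}
	checks := []Check{{"can_view", "project:201"}, {"can_edit", "project:201"}}
	fmt.Println(CheckPermissions("user:42", false, "", checks, grants))
	fmt.Println(CheckPermissions("user:7", false, "user:42", checks, grants))
}
```

The token subject and super-admin flag must come from the validated token, not from request input; otherwise any caller could enumerate another user's permissions.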
FGA/OpenFGA migration plan, agentic delegation design, enterprise authz model, implementation agents, migration-tool design, and the ReBAC guide now live here — the server repo no longer carries design docs.
Summary
Documents the client-facing Fine-Grained Authorization (FGA) capabilities added to the Go and JS SDKs (authorizer-go#16, authorizer-js#36), plus a small dashboard note on the authorization page.
Changes
docs/sdks/authorizer-js/functions.md
- getPermissions section (params, resource/scope response table, browser + Node samples) and a Table of Contents entry.
- required_permissions rows + FGA samples to validateJWTToken and validateSession.
- getSession description and added an FGA sample.

docs/sdks/authorizer-go/index.md
- RequiredPermissions and GetPermissions examples.
- GetPermissions; annotated ValidateJWTToken/GetSession/ValidateSession with the FGA option.

docs/core/authorization.md
- _authz_admin mutations are also available from the dashboard UI.

Naming kept aligned with the API and SDKs throughout: getPermissions/GetPermissions, required_permissions/RequiredPermissions, { resource, scope }.

Verification
npm run build (Docusaurus) ✅ — compiles successfully. Pre-existing broken-link warnings on /core/sso-guide are unrelated to these changes.