All URIs are relative to http://localhost
| Method | HTTP request | Description |
|---|---|---|
| Check | POST /stores/{store_id}/check | Check whether a user is authorized to access an object |
| CreateStore | POST /stores | Create a store |
| DeleteStore | DELETE /stores/{store_id} | Delete a store |
| Expand | POST /stores/{store_id}/expand | Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship |
| GetStore | GET /stores/{store_id} | Get a store |
| ListObjects | POST /stores/{store_id}/list-objects | List all objects of the given type that the user has a relation with |
| ListStores | GET /stores | List all stores |
| ListUsers | POST /stores/{store_id}/list-users | List all users of the given type that the object has a relation with |
| Read | POST /stores/{store_id}/read | Get tuples from the store that matches a query, without following userset rewrite rules |
| ReadAssertions | GET /stores/{store_id}/assertions/{authorization_model_id} | Read assertions for an authorization model ID |
| ReadAuthorizationModel | GET /stores/{store_id}/authorization-models/{id} | Return a particular version of an authorization model |
| ReadAuthorizationModels | GET /stores/{store_id}/authorization-models | Return all the authorization models for a particular store |
| ReadChanges | GET /stores/{store_id}/changes | Return a list of all the tuple changes |
| Write | POST /stores/{store_id}/write | Add or delete tuples from the store |
| WriteAssertions | PUT /stores/{store_id}/assertions/{authorization_model_id} | Upsert assertions for an authorization model ID |
| WriteAuthorizationModel | POST /stores/{store_id}/authorization-models | Create a new authorization model |
CheckResponse Check (CheckRequest body)
Check whether a user is authorized to access an object
The Check API returns whether a given user has a relationship with a given object in a given store. The user field of the request can be a specific target, such as user:anne, or a userset (set of users) such as group:marketing#member or a type-bound public access user:*. To arrive at a result, the API uses: an authorization model, explicit tuples written through the Write API, contextual tuples present in the request, and implicit tuples that exist by virtue of applying set theory (such as document:2021-budget#viewer@document:2021-budget#viewer; the set of users who are viewers of document:2021-budget are the set of users who are the viewers of document:2021-budget). A contextual_tuples object may also be included in the body of the request. This object contains one field tuple_keys, which is an array of tuple keys. Each of these tuples may have an associated condition. You may also provide an authorization_model_id in the body. This will be used to assert that the input tuple_key is valid for the model specified. If not specified, the assertion will be made against the latest authorization model ID. It is strongly recommended to specify authorization model id for better performance. You may also provide a context object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly. The response will return whether the relationship exists in the field allowed. Some exceptions apply, but in general, if a Check API responds with {allowed: true}, then you can expect the equivalent ListObjects query to return the object, and viceversa. For example, if Check(user:anne, reader, document:2021-budget) responds with {allowed: true}, then ListObjects(user:anne, reader, document) may include document:2021-budget in the response. ## Examples ### Querying with contextual tuples In order to check if user user:anne of type user has a reader relationship with object document:2021-budget given the following contextual tuple json { \"user\": \"user:anne\", \"relation\": \"member\", \"object\": \"time_slot:office_hours\" } the Check API can be used with the following request body: json { \"tuple_key\": { \"user\": \"user:anne\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"contextual_tuples\": { \"tuple_keys\": [ { \"user\": \"user:anne\", \"relation\": \"member\", \"object\": \"time_slot:office_hours\" } ] }, \"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\" } ### Querying usersets Some Checks will always return true, even without any tuples. For example, for the following authorization model python model schema 1.1 type user type document relations define reader: [user] the following query json { \"tuple_key\": { \"user\": \"document:2021-budget#reader\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" } } will always return { \"allowed\": true }. This is because usersets are self-defining: the userset document:2021-budget#reader will always have the reader relation with document:2021-budget. ### Querying usersets with exclusion in the model A Check for a userset can yield results that must be treated carefully if the model involves exclusion. For example, for the following authorization model python model schema 1.1 type user type group relations define member: [user] type document relations define blocked: [user] define reader: [group#member] but not blocked the following query json { \"tuple_key\": { \"user\": \"group:finance#member\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"contextual_tuples\": { \"tuple_keys\": [ { \"user\": \"user:anne\", \"relation\": \"member\", \"object\": \"group:finance\" }, { \"user\": \"group:finance#member\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, { \"user\": \"user:anne\", \"relation\": \"blocked\", \"object\": \"document:2021-budget\" } ] }, } will return { \"allowed\": true }, even though a specific user of the userset group:finance#member does not have the reader relationship with the given object.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class CheckExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new CheckRequest(); // CheckRequest |
try
{
// Check whether a user is authorized to access an object
CheckResponse response = await openFgaApi.Check(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.Check: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | CheckRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
CreateStoreResponse CreateStore ()
Create a store
Create a unique OpenFGA store which will be used to store authorization models and relationship tuples.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class CreateStoreExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
try
{
// Create a store
CreateStoreResponse response = await openFgaApi.CreateStore();
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.CreateStore: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 201 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
void DeleteStore ()
Delete a store
Delete an OpenFGA store. This does not delete the data associated with the store, like tuples or authorization models.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class DeleteStoreExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
try
{
// Delete a store
openFgaApi.DeleteStore();
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.DeleteStore: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
void (empty response body)
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 204 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ExpandResponse Expand (ExpandRequest body)
Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship
The Expand API will return all users and usersets that have certain relationship with an object in a certain store. This is different from the /stores/{store_id}/read API in that both users and computed usersets are returned. Body parameters tuple_key.object and tuple_key.relation are all required. The response will return a tree whose leaves are the specific users and usersets. Union, intersection and difference operator are located in the intermediate nodes. ## Example To expand all users that have the reader relationship with object document:2021-budget, use the Expand API with the following request body json { \"tuple_key\": { \"object\": \"document:2021-budget\", \"relation\": \"reader\" }, \"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\" } OpenFGA's response will be a userset tree of the users and usersets that have read access to the document. json { \"tree\":{ \"root\":{ \"type\":\"document:2021-budget#reader\", \"union\":{ \"nodes\":[ { \"type\":\"document:2021-budget#reader\", \"leaf\":{ \"users\":{ \"users\":[ \"user:bob\" ] } } }, { \"type\":\"document:2021-budget#reader\", \"leaf\":{ \"computed\":{ \"userset\":\"document:2021-budget#writer\" } } } ] } } } } The caller can then call expand API for the writer relationship for the document:2021-budget.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ExpandExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new ExpandRequest(); // ExpandRequest |
try
{
// Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship
ExpandResponse response = await openFgaApi.Expand(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.Expand: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | ExpandRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
GetStoreResponse GetStore ()
Get a store
Returns an OpenFGA store by its identifier
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class GetStoreExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
try
{
// Get a store
GetStoreResponse response = await openFgaApi.GetStore();
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.GetStore: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ListObjectsResponse ListObjects (ListObjectsRequest body)
List all objects of the given type that the user has a relation with
The ListObjects API returns a list of all the objects of the given type that the user has a relation with. To arrive at a result, the API uses: an authorization model, explicit tuples written through the Write API, contextual tuples present in the request, and implicit tuples that exist by virtue of applying set theory (such as document:2021-budget#viewer@document:2021-budget#viewer; the set of users who are viewers of document:2021-budget are the set of users who are the viewers of document:2021-budget). An authorization_model_id may be specified in the body. If it is not specified, the latest authorization model ID will be used. It is strongly recommended to specify authorization model id for better performance. You may also specify contextual_tuples that will be treated as regular tuples. Each of these tuples may have an associated condition. You may also provide a context object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly. The response will contain the related objects in an array in the "objects" field of the response and they will be strings in the object format <type>:<id> (e.g. "document:roadmap"). The number of objects in the response array will be limited by the execution timeout specified in the flag OPENFGA_LIST_OBJECTS_DEADLINE and by the upper bound specified in the flag OPENFGA_LIST_OBJECTS_MAX_RESULTS, whichever is hit first. The objects given will not be sorted, and therefore two identical calls can give a given different set of objects.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ListObjectsExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new ListObjectsRequest(); // ListObjectsRequest |
try
{
// List all objects of the given type that the user has a relation with
ListObjectsResponse response = await openFgaApi.ListObjects(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ListObjects: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | ListObjectsRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ListStoresResponse ListStores (string? continuationToken = null)
List all stores
Returns a paginated list of OpenFGA stores and a continuation token to get additional stores. The continuation token will be empty if there are no more stores.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ListStoresExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var continuationToken = "continuationToken_example"; // string? | (optional)
try
{
// List all stores
ListStoresResponse response = await openFgaApi.ListStores(continuationToken);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ListStores: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
continuationToken | string?| | [optional]
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ListUsersResponse ListUsers (ListUsersRequest body)
List all users of the given type that the object has a relation with
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ListUsersExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new ListUsersRequest(); // ListUsersRequest |
try
{
// List all users of the given type that the object has a relation with
ListUsersResponse response = await openFgaApi.ListUsers(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ListUsers: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | ListUsersRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ReadResponse Read (ReadRequest body)
Get tuples from the store that matches a query, without following userset rewrite rules
The Read API will return the tuples for a certain store that match a query filter specified in the body of the request. The API doesn't guarantee order by any field. It is different from the /stores/{store_id}/expand API in that it only returns relationship tuples that are stored in the system and satisfy the query. In the body: 1. tuple_key is optional. If not specified, it will return all tuples in the store. 2. tuple_key.object is mandatory if tuple_key is specified. It can be a full object (e.g., type:object_id) or type only (e.g., type:). 3. tuple_key.user is mandatory if tuple_key is specified in the case the tuple_key.object is a type only. ## Examples ### Query for all objects in a type definition To query for all objects that user:bob has reader relationship in the document type definition, call read API with body of json { \"tuple_key\": { \"user\": \"user:bob\", \"relation\": \"reader\", \"object\": \"document:\" } } The API will return tuples and a continuation token, something like json { \"tuples\": [ { \"key\": { \"user\": \"user:bob\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"timestamp\": \"2021-10-06T15:32:11.128Z\" } ], \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\" } This means that user:bob has a reader relationship with 1 document document:2021-budget. Note that this API, unlike the List Objects API, does not evaluate the tuples in the store. The continuation token will be empty if there are no more tuples to query. ### Query for all stored relationship tuples that have a particular relation and object To query for all users that have reader relationship with document:2021-budget, call read API with body of json { \"tuple_key\": { \"object\": \"document:2021-budget\", \"relation\": \"reader\" } } The API will return something like json { \"tuples\": [ { \"key\": { \"user\": \"user:bob\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"timestamp\": \"2021-10-06T15:32:11.128Z\" } ], \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\" } This means that document:2021-budget has 1 reader (user:bob). Note that, even if the model said that all writers are also readers, the API will not return writers such as user:anne because it only returns tuples and does not evaluate them. ### Query for all users with all relationships for a particular document To query for all users that have any relationship with document:2021-budget, call read API with body of json { \"tuple_key\": { \"object\": \"document:2021-budget\" } } The API will return something like json { \"tuples\": [ { \"key\": { \"user\": \"user:anne\", \"relation\": \"writer\", \"object\": \"document:2021-budget\" }, \"timestamp\": \"2021-10-05T13:42:12.356Z\" }, { \"key\": { \"user\": \"user:bob\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"timestamp\": \"2021-10-06T15:32:11.128Z\" } ], \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\" } This means that document:2021-budget has 1 reader (user:bob) and 1 writer (user:anne).
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ReadExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new ReadRequest(); // ReadRequest |
try
{
// Get tuples from the store that matches a query, without following userset rewrite rules
ReadResponse response = await openFgaApi.Read(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.Read: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | ReadRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ReadAssertionsResponse ReadAssertions (string authorizationModelId)
Read assertions for an authorization model ID
The ReadAssertions API will return, for a given authorization model id, all the assertions stored for it. An assertion is an object that contains a tuple key, and the expectation of whether a call to the Check API of that tuple key will return true or false.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ReadAssertionsExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var authorizationModelId = "authorizationModelId_example"; // string |
try
{
// Read assertions for an authorization model ID
ReadAssertionsResponse response = await openFgaApi.ReadAssertions(authorizationModelId);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ReadAssertions: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
authorizationModelId | string| |
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ReadAuthorizationModelResponse ReadAuthorizationModel (string id)
Return a particular version of an authorization model
The ReadAuthorizationModel API returns an authorization model by its identifier. The response will return the authorization model for the particular version. ## Example To retrieve the authorization model with ID 01G5JAVJ41T49E9TT3SKVS7X1J for the store, call the GET authorization-models by ID API with 01G5JAVJ41T49E9TT3SKVS7X1J as the id path parameter. The API will return: json { \"authorization_model\":{ \"id\":\"01G5JAVJ41T49E9TT3SKVS7X1J\", \"type_definitions\":[ { \"type\":\"user\" }, { \"type\":\"document\", \"relations\":{ \"reader\":{ \"union\":{ \"child\":[ { \"this\":{} }, { \"computedUserset\":{ \"object\":\"\", \"relation\":\"writer\" } } ] } }, \"writer\":{ \"this\":{} } } } ] } } In the above example, there are 2 types (user and document). The document type has 2 relations (writer and reader).
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ReadAuthorizationModelExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var id = "id_example"; // string |
try
{
// Return a particular version of an authorization model
ReadAuthorizationModelResponse response = await openFgaApi.ReadAuthorizationModel(id);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ReadAuthorizationModel: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
id | string| |
ReadAuthorizationModelResponse
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ReadAuthorizationModelsResponse ReadAuthorizationModels (int? pageSize = null, string? continuationToken = null)
Return all the authorization models for a particular store
The ReadAuthorizationModels API will return all the authorization models for a certain store. OpenFGA's response will contain an array of all authorization models, sorted in descending order of creation. ## Example Assume that a store's authorization model has been configured twice. To get all the authorization models that have been created in this store, call GET authorization-models. The API will return a response that looks like: json { \"authorization_models\": [ { \"id\": \"01G50QVV17PECNVAHX1GG4Y5NC\", \"type_definitions\": [...] }, { \"id\": \"01G4ZW8F4A07AKQ8RHSVG9RW04\", \"type_definitions\": [...] }, ], \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\" } If there are no more authorization models available, the continuation_token field will be empty json { \"authorization_models\": [ { \"id\": \"01G50QVV17PECNVAHX1GG4Y5NC\", \"type_definitions\": [...] }, { \"id\": \"01G4ZW8F4A07AKQ8RHSVG9RW04\", \"type_definitions\": [...] }, ], \"continuation_token\": \"\" }
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ReadAuthorizationModelsExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var pageSize = 56; // int? | (optional)
var continuationToken = "continuationToken_example"; // string? | (optional)
try
{
// Return all the authorization models for a particular store
ReadAuthorizationModelsResponse response = await openFgaApi.ReadAuthorizationModels(pageSize, continuationToken);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ReadAuthorizationModels: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
pageSize | int?| | [optional] continuationToken | string?| | [optional]
ReadAuthorizationModelsResponse
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ReadChangesResponse ReadChanges (string? type = null, int? pageSize = null, string? continuationToken = null)
Return a list of all the tuple changes
The ReadChanges API will return a paginated list of tuple changes (additions and deletions) that occurred in a given store, sorted by ascending time. The response will include a continuation token that is used to get the next set of changes. If there are no changes after the provided continuation token, the same token will be returned in order for it to be used when new changes are recorded. If the store never had any tuples added or removed, this token will be empty. You can use the type parameter to only get the list of tuple changes that affect objects of that type. When reading a write tuple change, if it was conditioned, the condition will be returned. When reading a delete tuple change, the condition will NOT be returned regardless of whether it was originally conditioned or not.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ReadChangesExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var type = "type_example"; // string? | (optional)
var pageSize = 56; // int? | (optional)
var continuationToken = "continuationToken_example"; // string? | (optional)
try
{
// Return a list of all the tuple changes
ReadChangesResponse response = await openFgaApi.ReadChanges(type, pageSize, continuationToken);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ReadChanges: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
type | string?| | [optional] pageSize | int?| | [optional] continuationToken | string?| | [optional]
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
Object Write (WriteRequest body)
Add or delete tuples from the store
The Write API will transactionally update the tuples for a certain store. Tuples and type definitions allow OpenFGA to determine whether a relationship exists between an object and an user. In the body, writes adds new tuples and deletes removes existing tuples. When deleting a tuple, any condition specified with it is ignored. The API is not idempotent: if, later on, you try to add the same tuple key (even if the condition is different), or if you try to delete a non-existing tuple, it will throw an error. The API will not allow you to write tuples such as document:2021-budget#viewer@document:2021-budget#viewer, because they are implicit. An authorization_model_id may be specified in the body. If it is, it will be used to assert that each written tuple (not deleted) is valid for the model specified. If it is not specified, the latest authorization model ID will be used. ## Example ### Adding relationships To add user:anne as a writer for document:2021-budget, call write API with the following json { \"writes\": { \"tuple_keys\": [ { \"user\": \"user:anne\", \"relation\": \"writer\", \"object\": \"document:2021-budget\" } ] }, \"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\" } ### Removing relationships To remove user:bob as a reader for document:2021-budget, call write API with the following json { \"deletes\": { \"tuple_keys\": [ { \"user\": \"user:bob\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" } ] } }
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class WriteExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new WriteRequest(); // WriteRequest |
try
{
// Add or delete tuples from the store
Object response = await openFgaApi.Write(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.Write: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | WriteRequest| |
Object
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
void WriteAssertions (string authorizationModelId, WriteAssertionsRequest body)
Upsert assertions for an authorization model ID
The WriteAssertions API will upsert new assertions for an authorization model id, or overwrite the existing ones. An assertion is an object that contains a tuple key, and the expectation of whether a call to the Check API of that tuple key will return true or false.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class WriteAssertionsExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var authorizationModelId = "authorizationModelId_example"; // string |
var body = new WriteAssertionsRequest(); // WriteAssertionsRequest |
try
{
// Upsert assertions for an authorization model ID
openFgaApi.WriteAssertions(authorizationModelId, body);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.WriteAssertions: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
authorizationModelId | string| | body | WriteAssertionsRequest| |
void (empty response body)
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 204 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
WriteAuthorizationModelResponse WriteAuthorizationModel (WriteAuthorizationModelRequest body)
Create a new authorization model
The WriteAuthorizationModel API will add a new authorization model to a store. Each item in the type_definitions array is a type definition as specified in the field type_definition. The response will return the authorization model's ID in the id field. ## Example To add an authorization model with user and document type definitions, call POST authorization-models API with the body: json { \"type_definitions\":[ { \"type\":\"user\" }, { \"type\":\"document\", \"relations\":{ \"reader\":{ \"union\":{ \"child\":[ { \"this\":{} }, { \"computedUserset\":{ \"object\":\"\", \"relation\":\"writer\" } } ] } }, \"writer\":{ \"this\":{} } } } ] } OpenFGA's response will include the version id for this authorization model, which will look like {\"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\"}
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class WriteAuthorizationModelExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new WriteAuthorizationModelRequest(); // WriteAuthorizationModelRequest |
try
{
// Create a new authorization model
WriteAuthorizationModelResponse response = await openFgaApi.WriteAuthorizationModel(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.WriteAuthorizationModel: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | WriteAuthorizationModelRequest| |
WriteAuthorizationModelResponse
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 201 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]