JavaScript and Node.js SDK for Auth0 Fine Grained Authorization (FGA)

This is an autogenerated JavaScript SDK for Auth0 Fine Grained Authorization (FGA). It provides a wrapper around the Auth0 Fine Grained Authorization API, and includes TS typings.

Warning: This SDK comes with no SLAs and is not production-ready!

Table of Contents

• About Auth0 Fine Grained Authorization (FGA)
• Resources
• Installation
• Getting Started
  • Initializing the API Client
  • Getting your Store ID, Client ID and Client Secret
  • Calling the API
    • Write Authorization Model
    • Read a Single Authorization Model
    • Read Authorization Model IDs
    • Check
    • Write Tuples
    • Delete Tuples
    • Expand
    • Read
    • Read Changes (Watch)
    • List Objects
  • API Endpoints
  • Models
• Contributing
  • Issues
  • Pull Requests [Note: We are not accepting Pull Requests at this time!]
• License

About

Auth0 Fine Grained Authorization (FGA) is an open source Fine-Grained Authorization solution inspired by Google's Zanzibar paper. It was created by the FGA team at Auth0 based on Auth0 Fine-Grained Authorization (FGA), available under a permissive license (Apache-2) and welcomes community contributions.

Auth0 Fine Grained Authorization (FGA) is designed to make it easy for application builders to model their permission layer, and to add and integrate fine-grained authorization into their applications. Auth0 Fine Grained Authorization (FGA)’s design is optimized for reliability and low latency at a high scale.

It allows in-memory data storage for quick development, as well as pluggable database modules - with initial support for PostgreSQL.

It offers an HTTP API and has SDKs for programming languages including Node.js/JavaScript, GoLang and .NET.

More SDKs and integrations such as Rego are planned for the future.

Resources

• Auth0 Fine Grained Authorization (FGA) Documentation
• Auth0 Fine Grained Authorization (FGA) API Documentation
• Twitter
• Auth0 Fine Grained Authorization (FGA) Discord Community
• Zanzibar Academy
• Google's Zanzibar Paper (2019)

Installation

Using npm:

npm install @auth0/fga

Using yarn:

yarn add @auth0/fga

Getting Started

Initializing the API Client

const { Auth0FgaApi } = require('@auth0/fga'); // OR import { Auth0FgaApi } from '@auth0/fga';

// See https://github.com/auth0-lab/fga-js-sdk#getting-your-store-id-client-id-and-client-secret
const auth0Fga = new Auth0FgaApi({
  environment: AUTH0_FGA_ENVIRONMENT, // can be: "us"/"staging"/"playground"
  storeId: AUTH0_FGA_STORE_ID,
  clientId: AUTH0_FGA_CLIENT_ID, // Required for all environments except playground
  clientSecret: AUTH0_FGA_CLIENT_SECRET, // Required for all environments except playground
});

Getting your Store ID, Client ID and Client Secret

Production

Make sure you have created your credentials on the Auth0 FGA Dashboard. Learn how ➡

You will need to set the AUTH0_FGA_ENVIRONMENT variable to "us". Provide the store id, client id and client secret you have created on the Dashboard.

Playground

If you are testing this on the public playground, you need to set your AUTH0_FGA_ENVIRONMENT to "playground".

To get your store id, you may copy it from the store you have created on the Playground. Learn how ➡

In the playground environment, you do not need to provide a client id and client secret.

Calling the API

Write Authorization Model

API Documentation

Note: To learn how to build your authorization model, check the Docs at https://docs.fga.dev.

Learn more about the Auth0 Fine Grained Authorization (FGA) configuration language.

const { authorization_model_id: id } = await auth0Fga.writeAuthorizationModel({
  type_definitions: [{
      type: "user",
    }, {
    type: "document",
    relations: {
      "writer": { "this": {} },
      "viewer": {
        "union": {
          "child": [
            { "this": {} },
            { "computedUserset": {
               "object": "",
              "relation": "writer" }
            }
          ]
        }
      }
    } }],
});

// id = "1uHxCSuTP0VKPYSnkq1pbb1jeZw"

Read a Single Authorization Model

API Documentation

// Assuming `1uHxCSuTP0VKPYSnkq1pbb1jeZw` is an id of a single model
const { authorization_model: authorizationModel } = await auth0Fga.readAuthorizationModel('1uHxCSuTP0VKPYSnkq1pbb1jeZw');

// authorizationModel = { id: "1uHxCSuTP0VKPYSnkq1pbb1jeZw", type_definitions: [...] }

Read Authorization Model IDs

API Documentation

const { authorization_model_ids: authorizationModelIds } = await auth0Fga.readAuthorizationModels();

// authorizationModelIds = ["1uHxCSuTP0VKPYSnkq1pbb1jeZw", "GtQpMohWezFmIbyXxVEocOCxxgq"];

Check

API Documentation

Provide a tuple and ask the Auth0 Fine Grained Authorization (FGA) API to check for a relationship

const result = await auth0Fga.check({
  tuple_key: {
    user: "user:81684243-9356-4421-8fbf-a4f8d36aa31b",
    relation: "viewer",
    object: "document:roadmap",
  },
  authorization_model_id: "1uHxCSuTP0VKPYSnkq1pbb1jeZw",
});

// result = { allowed: true, resolution: "" }

Write Tuples

API Documentation

await auth0Fga.write({
  writes: {
    tuple_keys: [{ user: "user:81684243-9356-4421-8fbf-a4f8d36aa31b", relation: "viewer", object: "document:roadmap" }],
  },
  authorization_model_id: "1uHxCSuTP0VKPYSnkq1pbb1jeZw",
});

Delete Tuples

API Documentation

await auth0Fga.write({
  deletes: {
    tuple_keys: [{ user: "user:81684243-9356-4421-8fbf-a4f8d36aa31b", relation: "viewer", object: "document:roadmap" }],
  },
  authorization_model_id: "1uHxCSuTP0VKPYSnkq1pbb1jeZw",
});

Expand

API Documentation

const { tree } = await auth0Fga.expand({
  tuple_key: {
    relation: "viewer",
    object: "document:roadmap",
  },
  authorization_model_id: "1uHxCSuTP0VKPYSnkq1pbb1jeZw",
});

// tree  = { root: { name: "document:roadmap#viewer", leaf: { users: { users: ["user:81684243-9356-4421-8fbf-a4f8d36aa31b", "user:f52a4f7a-054d-47ff-bb6e-3ac81269988f"] } } } }

Read Tuples

API Documentation

// Find if a relationship tuple stating that a certain user is a viewer of a certain document
const body = {
  tuple_key: {
    user: "user:81684243-9356-4421-8fbf-a4f8d36aa31b",
    relation: "viewer",
    object: "document:roadmap",
  },
};

// Find all relationship tuples where a certain user has a relationship as any relation to a certain document
const body = {
  tuple_key: {
    user: "user:81684243-9356-4421-8fbf-a4f8d36aa31b",
    object: "document:roadmap",
  },
};

// Find all relationship tuples where a certain user is a viewer of any document
const body = {
  tuple_key: {
    user: "user:81684243-9356-4421-8fbf-a4f8d36aa31b",
    relation: "viewer",
    object: "document:",
  },
};

// Find all relationship tuples where any user has a relationship as any relation with a particular document
const body = {
  tuple_key: {
    object: "document:roadmap",
  },
};

// Read all stored relationship tuples
body := {};

const { tuples } = await auth0Fga.read(body);

// In all the above situations, the response will be of the form:
// tuples = [{ key: { user, relation, object }, timestamp: ... }]

Read Changes (Watch)

API Documentation

const type = 'document';
const pageSize = 25;
const continuationToken = 'eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==';
const response = await auth0Fga.readChanges(type, pageSize, continuationToken);

// response.continuation_token = ...
// response.changes = [
//   { tuple_key: { user, relation, object }, operation: "writer", timestamp: ... },
//   { tuple_key: { user, relation, object }, operation: "viewer", timestamp: ... }
// ]

List Objects

API Documentation

const response = await auth0Fga.listObjects({
  authorization_model_id: "01GAHCE4YVKPQEKZQHT2R89MQV",
  user: "user:81684243-9356-4421-8fbf-a4f8d36aa31b",
  relation: "viewer",
  type: "document",
  contextual_tuples: {
    tuple_keys:
      [{
        user: "user:81684243-9356-4421-8fbf-a4f8d36aa31b",
        relation: "writer",
        object: "document:budget"
      }]
  }
});

// response.objects = ["document:roadmap"]

API Endpoints

check

Return type

CheckResponse

expand

Return type

ExpandResponse

listObjects

Return type

ListObjectsResponse

read

Return type

ReadResponse

readAssertions

Return type

ReadAssertionsResponse

readAuthorizationModel

Return type

ReadAuthorizationModelResponse

readAuthorizationModels

Return type

ReadAuthorizationModelsResponse

readChanges

Return type

ReadChangesResponse

write

Return type

object

writeAssertions

Return type

(empty response body)

writeAuthorizationModel

Return type

WriteAuthorizationModelResponse

Models

• Any
• Assertion
• AuthErrorCode
• AuthenticationErrorMessageResponse
• AuthorizationModel
• CheckRequest
• CheckResponse
• Computed
• ContextualTupleKeys
• Difference
• ErrorCode
• ExpandRequest
• ExpandResponse
• InternalErrorCode
• InternalErrorMessageResponse
• Leaf
• ListObjectsRequest
• ListObjectsResponse
• Metadata
• Node
• Nodes
• NotFoundErrorCode
• ObjectRelation
• PathUnknownErrorMessageResponse
• ReadAssertionsResponse
• ReadAuthorizationModelResponse
• ReadAuthorizationModelsResponse
• ReadChangesResponse
• ReadRequest
• ReadResponse
• RelationMetadata
• RelationReference
• ResourceExhaustedErrorCode
• ResourceExhaustedErrorMessageResponse
• Status
• Tuple
• TupleChange
• TupleKey
• TupleKeys
• TupleOperation
• TupleToUserset
• TypeDefinition
• Users
• Userset
• UsersetTree
• UsersetTreeDifference
• UsersetTreeTupleToUserset
• Usersets
• ValidationErrorMessageResponse
• WriteAssertionsRequest
• WriteAuthorizationModelRequest
• WriteAuthorizationModelResponse
• WriteRequest

Any

Properties

Assertion

Properties

AuthErrorCode

Enum

• NoAuthError (value: 'no_auth_error')

• AuthFailure (value: 'auth_failure')

• AuthFailedInvalidSubject (value: 'auth_failed_invalid_subject')

• AuthFailedInvalidAudience (value: 'auth_failed_invalid_audience')

• AuthFailedInvalidIssuer (value: 'auth_failed_invalid_issuer')

• InvalidClaims (value: 'invalid_claims')

• AuthFailedInvalidBearerToken (value: 'auth_failed_invalid_bearer_token')

• MissingCustomerInBearerToken (value: 'missing_customer_in_bearer_token')

• MissingStoreInBearerToken (value: 'missing_store_in_bearer_token')

• StoreMismatchInBearerToken (value: 'store_mismatch_in_bearer_token')

• CustomerMismatchInBearerToken (value: 'customer_mismatch_in_bearer_token')

• BearerTokenMissing (value: 'bearer_token_missing')

• MissingUserInBearerToken (value: 'missing_user_in_bearer_token')

• Unauthenticated (value: 'unauthenticated')

• InsufficientPermissions (value: 'insufficient_permissions')

• UnauthorizedPrincipal (value: 'unauthorized_principal')

AuthenticationErrorMessageResponse

Properties

AuthorizationModel

Properties

CheckRequest

Properties

CheckResponse

Properties

Computed

Properties

ContextualTupleKeys

Properties

Difference

Properties

ErrorCode

Enum

• NoError (value: 'no_error')

• ValidationError (value: 'validation_error')

• AuthorizationModelNotFound (value: 'authorization_model_not_found')

• AuthorizationModelResolutionTooComplex (value: 'authorization_model_resolution_too_complex')

• InvalidWriteInput (value: 'invalid_write_input')

• CannotAllowDuplicateTuplesInOneRequest (value: 'cannot_allow_duplicate_tuples_in_one_request')

• CannotAllowDuplicateTypesInOneRequest (value: 'cannot_allow_duplicate_types_in_one_request')

• CannotAllowMultipleReferencesToOneRelation (value: 'cannot_allow_multiple_references_to_one_relation')

• InvalidContinuationToken (value: 'invalid_continuation_token')

• InvalidTupleSet (value: 'invalid_tuple_set')

• InvalidCheckInput (value: 'invalid_check_input')

• InvalidExpandInput (value: 'invalid_expand_input')

• UnsupportedUserSet (value: 'unsupported_user_set')

• InvalidObjectFormat (value: 'invalid_object_format')

• TokenIssuerAlreadyRegistered (value: 'token_issuer_already_registered')

• TosAgreementAlreadySigned (value: 'tos_agreement_already_signed')

• WriteFailedDueToInvalidInput (value: 'write_failed_due_to_invalid_input')

• AuthorizationModelAssertionsNotFound (value: 'authorization_model_assertions_not_found')

• LatestAuthorizationModelNotFound (value: 'latest_authorization_model_not_found')

• TypeNotFound (value: 'type_not_found')

• RelationNotFound (value: 'relation_not_found')

• EmptyRelationDefinition (value: 'empty_relation_definition')

• InvalidUser (value: 'invalid_user')

• InvalidTokenIssuer (value: 'invalid_token_issuer')

• InvalidTuple (value: 'invalid_tuple')

• UnknownRelation (value: 'unknown_relation')

• StoreIdInvalidLength (value: 'store_id_invalid_length')

• IssuerUrlInvalidUri (value: 'issuer_url_invalid_uri')

• IssuerUrlRequiredAbsolutePath (value: 'issuer_url_required_absolute_path')

• AssertionsTooManyItems (value: 'assertions_too_many_items')

• IdTooLong (value: 'id_too_long')

• InvalidEnvironment (value: 'invalid_environment')

• AuthorizationModelIdTooLong (value: 'authorization_model_id_too_long')

• TupleKeyValueNotSpecified (value: 'tuple_key_value_not_specified')

• TupleKeysTooManyOrTooFewItems (value: 'tuple_keys_too_many_or_too_few_items')

• PageSizeInvalid (value: 'page_size_invalid')

• ParamMissingValue (value: 'param_missing_value')

• DifferenceBaseMissingValue (value: 'difference_base_missing_value')

• SubtractBaseMissingValue (value: 'subtract_base_missing_value')

• ObjectTooLong (value: 'object_too_long')

• RelationTooLong (value: 'relation_too_long')

• TypeDefinitionsTooFewItems (value: 'type_definitions_too_few_items')

• TypeInvalidLength (value: 'type_invalid_length')

• TypeInvalidPattern (value: 'type_invalid_pattern')

• RelationsTooFewItems (value: 'relations_too_few_items')

• RelationsTooLong (value: 'relations_too_long')

• RelationsInvalidPattern (value: 'relations_invalid_pattern')

• ObjectInvalidPattern (value: 'object_invalid_pattern')

• QueryStringTypeContinuationTokenMismatch (value: 'query_string_type_continuation_token_mismatch')

• ExceededEntityLimit (value: 'exceeded_entity_limit')

• InvalidContextualTuple (value: 'invalid_contextual_tuple')

• DuplicateContextualTuple (value: 'duplicate_contextual_tuple')

ExpandRequest

Properties

ExpandResponse

Properties

InternalErrorCode

Enum

• NoInternalError (value: 'no_internal_error')

• InternalError (value: 'internal_error')

• AuthInternalError (value: 'auth_internal_error')

• AuthFailedErrorFetchingWellKnownJwks (value: 'auth_failed_error_fetching_well_known_jwks')

• Cancelled (value: 'cancelled')

• DeadlineExceeded (value: 'deadline_exceeded')

• AlreadyExists (value: 'already_exists')

• ResourceExhausted (value: 'resource_exhausted')

• FailedPrecondition (value: 'failed_precondition')

• Aborted (value: 'aborted')

• OutOfRange (value: 'out_of_range')

• Unavailable (value: 'unavailable')

• DataLoss (value: 'data_loss')

InternalErrorMessageResponse

Properties

Leaf

Properties

ListObjectsRequest

Properties

ListObjectsResponse

Properties

Metadata

Properties

Node

Properties

Nodes

Properties

NotFoundErrorCode

Enum

• NoNotFoundError (value: 'no_not_found_error')

• UndefinedEndpoint (value: 'undefined_endpoint')

• CustomerIdNotFound (value: 'customer_id_not_found')

• StoreIdNotFound (value: 'store_id_not_found')

• StoreClientIdNotFound (value: 'store_client_id_not_found')

• ResourceNotFound (value: 'resource_not_found')

• Unimplemented (value: 'unimplemented')

ObjectRelation

Properties

PathUnknownErrorMessageResponse

Properties

ReadAssertionsResponse

Properties

ReadAuthorizationModelResponse

Properties

ReadAuthorizationModelsResponse

Properties

ReadChangesResponse

Properties

ReadRequest

Properties

ReadResponse

Properties

RelationMetadata

Properties

RelationReference

Properties

ResourceExhaustedErrorCode

Enum

• NoResourceExhaustedError (value: 'no_resource_exhausted_error')

• RateLimitExceeded (value: 'rate_limit_exceeded')

• AuthRateLimitExceeded (value: 'auth_rate_limit_exceeded')

ResourceExhaustedErrorMessageResponse

Properties

Status

Properties

Tuple

Properties

TupleChange

Properties

TupleKey

Properties

TupleKeys

Properties

TupleOperation

Enum

• Write (value: 'TUPLE_OPERATION_WRITE')

• Delete (value: 'TUPLE_OPERATION_DELETE')

TupleToUserset

Properties

TypeDefinition

Properties

Users

Properties

Userset

Properties

UsersetTree

Properties

UsersetTreeDifference

Properties

UsersetTreeTupleToUserset

Properties

Usersets

Properties

ValidationErrorMessageResponse

Properties

WriteAssertionsRequest

Properties

WriteAuthorizationModelRequest

Properties

WriteAuthorizationModelResponse

Properties

WriteRequest

Properties

Contributing

Issues

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker.

Pull Requests

Pull Requests are not currently open, please raise an issue or contact a team member on https://discord.gg/8naAwJfWN6 if there is a feature you'd like us to implement.

Author

Auth0 FGA

License

This project is licensed under the MIT license. See the LICENSE file for more info.

The code in this repo was auto generated by OpenAPI Generator from a template based on the typescript-axios template and go template, licensed under the Apache License 2.0.