All URIs are relative to http://localhost
| Method | HTTP request | Description |
|---|---|---|
| BatchCheck | POST /stores/{store_id}/batch-check | Send a list of `check` operations in a single request |
| Check | POST /stores/{store_id}/check | Check whether a user is authorized to access an object |
| CreateStore | POST /stores | Create a store |
| DeleteStore | DELETE /stores/{store_id} | Delete a store |
| Expand | POST /stores/{store_id}/expand | Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship |
| GetStore | GET /stores/{store_id} | Get a store |
| ListObjects | POST /stores/{store_id}/list-objects | List all objects of the given type that the user has a relation with |
| ListStores | GET /stores | List all stores |
| ListUsers | POST /stores/{store_id}/list-users | List the users matching the provided filter who have a certain relation to a particular type. |
| Read | POST /stores/{store_id}/read | Get tuples from the store that matches a query, without following userset rewrite rules |
| ReadAssertions | GET /stores/{store_id}/assertions/{authorization_model_id} | Read assertions for an authorization model ID |
| ReadAuthorizationModel | GET /stores/{store_id}/authorization-models/{id} | Return a particular version of an authorization model |
| ReadAuthorizationModels | GET /stores/{store_id}/authorization-models | Return all the authorization models for a particular store |
| ReadChanges | GET /stores/{store_id}/changes | Return a list of all the tuple changes |
| Write | POST /stores/{store_id}/write | Add or delete tuples from the store |
| WriteAssertions | PUT /stores/{store_id}/assertions/{authorization_model_id} | Upsert assertions for an authorization model ID |
| WriteAuthorizationModel | POST /stores/{store_id}/authorization-models | Create a new authorization model |
BatchCheckResponse BatchCheck (BatchCheckRequest body)
Send a list of check operations in a single request
The BatchCheck API functions nearly identically to Check, but instead of checking a single user-object relationship BatchCheck accepts a list of relationships to check and returns a map containing BatchCheckItem response for each check it received. An associated correlation_id is required for each check in the batch. This ID is used to correlate a check to the appropriate response. It is a string consisting of only alphanumeric characters or hyphens with a maximum length of 36 characters. This correlation_id is used to map the result of each check to the item which was checked, so it must be unique for each item in the batch. We recommend using a UUID or ULID as the correlation_id, but you can use whatever unique identifier you need as long as it matches this regex pattern: ^[\\w\\d-]{1,36}$ NOTE: The maximum number of checks that can be passed in the BatchCheck API is configurable via the OPENFGA_MAX_CHECKS_PER_BATCH_CHECK environment variable. If BatchCheck is called using the SDK, the SDK can split the batch check requests for you. For more details on how Check functions, see the docs for /check. ### Examples #### A BatchCheckRequest json { \"checks\": [ { \"tuple_key\": { \"object\": \"document:2021-budget\" \"relation\": \"reader\", \"user\": \"user:anne\", }, \"contextual_tuples\": {...} \"context\": {} \"correlation_id\": \"01JA8PM3QM7VBPGB8KMPK8SBD5\" }, { \"tuple_key\": { \"object\": \"document:2021-budget\" \"relation\": \"reader\", \"user\": \"user:bob\", }, \"contextual_tuples\": {...} \"context\": {} \"correlation_id\": \"01JA8PMM6A90NV5ET0F28CYSZQ\" } ] } Below is a possible response to the above request. Note that the result map's keys are the correlation_id values from the checked items in the request: json { \"result\": { \"01JA8PMM6A90NV5ET0F28CYSZQ\": { \"allowed\": false, \"error\": {\"message\": \"\"} }, \"01JA8PM3QM7VBPGB8KMPK8SBD5\": { \"allowed\": true, \"error\": {\"message\": \"\"} } }
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class BatchCheckExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new BatchCheckRequest(); // BatchCheckRequest |
try
{
// Send a list of `check` operations in a single request
BatchCheckResponse response = await openFgaApi.BatchCheck(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.BatchCheck: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | BatchCheckRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
CheckResponse Check (CheckRequest body)
Check whether a user is authorized to access an object
The Check API returns whether a given user has a relationship with a given object in a given store. The user field of the request can be a specific target, such as user:anne, or a userset (set of users) such as group:marketing#member or a type-bound public access user:*. To arrive at a result, the API uses: an authorization model, explicit tuples written through the Write API, contextual tuples present in the request, and implicit tuples that exist by virtue of applying set theory (such as document:2021-budget#viewer@document:2021-budget#viewer; the set of users who are viewers of document:2021-budget are the set of users who are the viewers of document:2021-budget). A contextual_tuples object may also be included in the body of the request. This object contains one field tuple_keys, which is an array of tuple keys. Each of these tuples may have an associated condition. You may also provide an authorization_model_id in the body. This will be used to assert that the input tuple_key is valid for the model specified. If not specified, the assertion will be made against the latest authorization model ID. It is strongly recommended to specify authorization model id for better performance. You may also provide a context object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly. By default, the Check API caches results for a short time to optimize performance. You may specify a value of HIGHER_CONSISTENCY for the optional consistency parameter in the body to inform the server that higher conisistency is preferred at the expense of increased latency. Consideration should be given to the increased latency if requesting higher consistency. The response will return whether the relationship exists in the field allowed. Some exceptions apply, but in general, if a Check API responds with {allowed: true}, then you can expect the equivalent ListObjects query to return the object, and viceversa. For example, if Check(user:anne, reader, document:2021-budget) responds with {allowed: true}, then ListObjects(user:anne, reader, document) may include document:2021-budget in the response. ## Examples ### Querying with contextual tuples In order to check if user user:anne of type user has a reader relationship with object document:2021-budget given the following contextual tuple json { \"user\": \"user:anne\", \"relation\": \"member\", \"object\": \"time_slot:office_hours\" } the Check API can be used with the following request body: json { \"tuple_key\": { \"user\": \"user:anne\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"contextual_tuples\": { \"tuple_keys\": [ { \"user\": \"user:anne\", \"relation\": \"member\", \"object\": \"time_slot:office_hours\" } ] }, \"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\" } ### Querying usersets Some Checks will always return true, even without any tuples. For example, for the following authorization model python model schema 1.1 type user type document relations define reader: [user] the following query json { \"tuple_key\": { \"user\": \"document:2021-budget#reader\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" } } will always return { \"allowed\": true }. This is because usersets are self-defining: the userset document:2021-budget#reader will always have the reader relation with document:2021-budget. ### Querying usersets with difference in the model A Check for a userset can yield results that must be treated carefully if the model involves difference. For example, for the following authorization model python model schema 1.1 type user type group relations define member: [user] type document relations define blocked: [user] define reader: [group#member] but not blocked the following query json { \"tuple_key\": { \"user\": \"group:finance#member\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"contextual_tuples\": { \"tuple_keys\": [ { \"user\": \"user:anne\", \"relation\": \"member\", \"object\": \"group:finance\" }, { \"user\": \"group:finance#member\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, { \"user\": \"user:anne\", \"relation\": \"blocked\", \"object\": \"document:2021-budget\" } ] }, } will return { \"allowed\": true }, even though a specific user of the userset group:finance#member does not have the reader relationship with the given object. ### Requesting higher consistency By default, the Check API caches results for a short time to optimize performance. You may request higher consistency to inform the server that higher consistency should be preferred at the expense of increased latency. Care should be taken when requesting higher consistency due to the increased latency. json { \"tuple_key\": { \"user\": \"group:finance#member\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"consistency\": \"HIGHER_CONSISTENCY\" }
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class CheckExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new CheckRequest(); // CheckRequest |
try
{
// Check whether a user is authorized to access an object
CheckResponse response = await openFgaApi.Check(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.Check: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | CheckRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
CreateStoreResponse CreateStore ()
Create a store
Create a unique OpenFGA store which will be used to store authorization models and relationship tuples.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class CreateStoreExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
try
{
// Create a store
CreateStoreResponse response = await openFgaApi.CreateStore();
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.CreateStore: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 201 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
void DeleteStore ()
Delete a store
Delete an OpenFGA store. This does not delete the data associated with the store, like tuples or authorization models.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class DeleteStoreExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
try
{
// Delete a store
openFgaApi.DeleteStore();
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.DeleteStore: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
void (empty response body)
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 204 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ExpandResponse Expand (ExpandRequest body)
Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship
The Expand API will return all users and usersets that have certain relationship with an object in a certain store. This is different from the /stores/{store_id}/read API in that both users and computed usersets are returned. Body parameters tuple_key.object and tuple_key.relation are all required. A contextual_tuples object may also be included in the body of the request. This object contains one field tuple_keys, which is an array of tuple keys. Each of these tuples may have an associated condition. The response will return a tree whose leaves are the specific users and usersets. Union, intersection and difference operator are located in the intermediate nodes. ## Example To expand all users that have the reader relationship with object document:2021-budget, use the Expand API with the following request body json { \"tuple_key\": { \"object\": \"document:2021-budget\", \"relation\": \"reader\" }, \"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\" } OpenFGA's response will be a userset tree of the users and usersets that have read access to the document. json { \"tree\":{ \"root\":{ \"type\":\"document:2021-budget#reader\", \"union\":{ \"nodes\":[ { \"type\":\"document:2021-budget#reader\", \"leaf\":{ \"users\":{ \"users\":[ \"user:bob\" ] } } }, { \"type\":\"document:2021-budget#reader\", \"leaf\":{ \"computed\":{ \"userset\":\"document:2021-budget#writer\" } } } ] } } } } The caller can then call expand API for the writer relationship for the document:2021-budget. ### Expand Request with Contextual Tuples Given the model python model schema 1.1 type user type folder relations define owner: [user] type document relations define parent: [folder] define viewer: [user] or writer define writer: [user] or owner from parent and the initial tuples json [{ \"user\": \"user:bob\", \"relation\": \"owner\", \"object\": \"folder:1\" }] To expand all writers of document:1 when document:1 is put in folder:1, the first call could be json { \"tuple_key\": { \"object\": \"document:1\", \"relation\": \"writer\" }, \"contextual_tuples\": { \"tuple_keys\": [ { \"user\": \"folder:1\", \"relation\": \"parent\", \"object\": \"document:1\" } ] } } this returns: json { \"tree\": { \"root\": { \"name\": \"document:1#writer\", \"union\": { \"nodes\": [ { \"name\": \"document:1#writer\", \"leaf\": { \"users\": { \"users\": [] } } }, { \"name\": \"document:1#writer\", \"leaf\": { \"tupleToUserset\": { \"tupleset\": \"document:1#parent\", \"computed\": [ { \"userset\": \"folder:1#owner\" } ] } } } ] } } } } This tells us that the owner of folder:1 may also be a writer. So our next call could be to find the owners of folder:1 json { \"tuple_key\": { \"object\": \"folder:1\", \"relation\": \"owner\" } } which gives json { \"tree\": { \"root\": { \"name\": \"folder:1#owner\", \"leaf\": { \"users\": { \"users\": [ \"user:bob\" ] } } } } }
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ExpandExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new ExpandRequest(); // ExpandRequest |
try
{
// Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship
ExpandResponse response = await openFgaApi.Expand(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.Expand: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | ExpandRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
GetStoreResponse GetStore ()
Get a store
Returns an OpenFGA store by its identifier
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class GetStoreExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
try
{
// Get a store
GetStoreResponse response = await openFgaApi.GetStore();
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.GetStore: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ListObjectsResponse ListObjects (ListObjectsRequest body)
List all objects of the given type that the user has a relation with
The ListObjects API returns a list of all the objects of the given type that the user has a relation with. To arrive at a result, the API uses: an authorization model, explicit tuples written through the Write API, contextual tuples present in the request, and implicit tuples that exist by virtue of applying set theory (such as document:2021-budget#viewer@document:2021-budget#viewer; the set of users who are viewers of document:2021-budget are the set of users who are the viewers of document:2021-budget). An authorization_model_id may be specified in the body. If it is not specified, the latest authorization model ID will be used. It is strongly recommended to specify authorization model id for better performance. You may also specify contextual_tuples that will be treated as regular tuples. Each of these tuples may have an associated condition. You may also provide a context object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly. By default, the Check API caches results for a short time to optimize performance. You may specify a value of HIGHER_CONSISTENCY for the optional consistency parameter in the body to inform the server that higher conisistency is preferred at the expense of increased latency. Consideration should be given to the increased latency if requesting higher consistency. The response will contain the related objects in an array in the "objects" field of the response and they will be strings in the object format <type>:<id> (e.g. "document:roadmap"). The number of objects in the response array will be limited by the execution timeout specified in the flag OPENFGA_LIST_OBJECTS_DEADLINE and by the upper bound specified in the flag OPENFGA_LIST_OBJECTS_MAX_RESULTS, whichever is hit first. The objects given will not be sorted, and therefore two identical calls can give a given different set of objects.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ListObjectsExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new ListObjectsRequest(); // ListObjectsRequest |
try
{
// List all objects of the given type that the user has a relation with
ListObjectsResponse response = await openFgaApi.ListObjects(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ListObjects: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | ListObjectsRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ListStoresResponse ListStores (string? continuationToken = null, string? name = null)
List all stores
Returns a paginated list of OpenFGA stores and a continuation token to get additional stores. The continuation token will be empty if there are no more stores.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ListStoresExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var continuationToken = "continuationToken_example"; // string? | (optional)
var name = "name_example"; // string? | The name parameter instructs the API to only include results that match that name.Multiple results may be returned. Only exact matches will be returned; substring matches and regexes will not be evaluated (optional)
try
{
// List all stores
ListStoresResponse response = await openFgaApi.ListStores(continuationToken, name);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ListStores: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
continuationToken | string?| | [optional] name | string?| The name parameter instructs the API to only include results that match that name.Multiple results may be returned. Only exact matches will be returned; substring matches and regexes will not be evaluated | [optional]
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ListUsersResponse ListUsers (ListUsersRequest body)
List the users matching the provided filter who have a certain relation to a particular type.
The ListUsers API returns a list of all the users of a specific type that have a relation to a given object. To arrive at a result, the API uses: an authorization model, explicit tuples written through the Write API, contextual tuples present in the request, and implicit tuples that exist by virtue of applying set theory (such as document:2021-budget#viewer@document:2021-budget#viewer; the set of users who are viewers of document:2021-budget are the set of users who are the viewers of document:2021-budget). An authorization_model_id may be specified in the body. If it is not specified, the latest authorization model ID will be used. It is strongly recommended to specify authorization model id for better performance. You may also specify contextual_tuples that will be treated as regular tuples. Each of these tuples may have an associated condition. You may also provide a context object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly. The response will contain the related users in an array in the "users" field of the response. These results may include specific objects, usersets or type-bound public access. Each of these types of results is encoded in its own type and not represented as a string.In cases where a type-bound public access result is returned (e.g. user:*), it cannot be inferred that all subjects of that type have a relation to the object; it is possible that negations exist and checks should still be queried on individual subjects to ensure access to that document.The number of users in the response array will be limited by the execution timeout specified in the flag OPENFGA_LIST_USERS_DEADLINE and by the upper bound specified in the flag OPENFGA_LIST_USERS_MAX_RESULTS, whichever is hit first. The returned users will not be sorted, and therefore two identical calls may yield different sets of users.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ListUsersExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new ListUsersRequest(); // ListUsersRequest |
try
{
// List the users matching the provided filter who have a certain relation to a particular type.
ListUsersResponse response = await openFgaApi.ListUsers(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ListUsers: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | ListUsersRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ReadResponse Read (ReadRequest body)
Get tuples from the store that matches a query, without following userset rewrite rules
The Read API will return the tuples for a certain store that match a query filter specified in the body of the request. The API doesn't guarantee order by any field. It is different from the /stores/{store_id}/expand API in that it only returns relationship tuples that are stored in the system and satisfy the query. In the body: 1. tuple_key is optional. If not specified, it will return all tuples in the store. 2. tuple_key.object is mandatory if tuple_key is specified. It can be a full object (e.g., type:object_id) or type only (e.g., type:). 3. tuple_key.user is mandatory if tuple_key is specified in the case the tuple_key.object is a type only. If tuple_key.user is specified, it needs to be a full object (e.g., type:user_id). ## Examples ### Query for all objects in a type definition To query for all objects that user:bob has reader relationship in the document type definition, call read API with body of json { \"tuple_key\": { \"user\": \"user:bob\", \"relation\": \"reader\", \"object\": \"document:\" } } The API will return tuples and a continuation token, something like json { \"tuples\": [ { \"key\": { \"user\": \"user:bob\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"timestamp\": \"2021-10-06T15:32:11.128Z\" } ], \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\" } This means that user:bob has a reader relationship with 1 document document:2021-budget. Note that this API, unlike the List Objects API, does not evaluate the tuples in the store. The continuation token will be empty if there are no more tuples to query. ### Query for all stored relationship tuples that have a particular relation and object To query for all users that have reader relationship with document:2021-budget, call read API with body of json { \"tuple_key\": { \"object\": \"document:2021-budget\", \"relation\": \"reader\" } } The API will return something like json { \"tuples\": [ { \"key\": { \"user\": \"user:bob\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"timestamp\": \"2021-10-06T15:32:11.128Z\" } ], \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\" } This means that document:2021-budget has 1 reader (user:bob). Note that, even if the model said that all writers are also readers, the API will not return writers such as user:anne because it only returns tuples and does not evaluate them. ### Query for all users with all relationships for a particular document To query for all users that have any relationship with document:2021-budget, call read API with body of json { \"tuple_key\": { \"object\": \"document:2021-budget\" } } The API will return something like json { \"tuples\": [ { \"key\": { \"user\": \"user:anne\", \"relation\": \"writer\", \"object\": \"document:2021-budget\" }, \"timestamp\": \"2021-10-05T13:42:12.356Z\" }, { \"key\": { \"user\": \"user:bob\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" }, \"timestamp\": \"2021-10-06T15:32:11.128Z\" } ], \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\" } This means that document:2021-budget has 1 reader (user:bob) and 1 writer (user:anne).
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ReadExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new ReadRequest(); // ReadRequest |
try
{
// Get tuples from the store that matches a query, without following userset rewrite rules
ReadResponse response = await openFgaApi.Read(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.Read: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | ReadRequest| |
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ReadAssertionsResponse ReadAssertions (string authorizationModelId)
Read assertions for an authorization model ID
The ReadAssertions API will return, for a given authorization model id, all the assertions stored for it.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ReadAssertionsExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var authorizationModelId = "authorizationModelId_example"; // string |
try
{
// Read assertions for an authorization model ID
ReadAssertionsResponse response = await openFgaApi.ReadAssertions(authorizationModelId);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ReadAssertions: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
authorizationModelId | string| |
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ReadAuthorizationModelResponse ReadAuthorizationModel (string id)
Return a particular version of an authorization model
The ReadAuthorizationModel API returns an authorization model by its identifier. The response will return the authorization model for the particular version. ## Example To retrieve the authorization model with ID 01G5JAVJ41T49E9TT3SKVS7X1J for the store, call the GET authorization-models by ID API with 01G5JAVJ41T49E9TT3SKVS7X1J as the id path parameter. The API will return: json { \"authorization_model\":{ \"id\":\"01G5JAVJ41T49E9TT3SKVS7X1J\", \"type_definitions\":[ { \"type\":\"user\" }, { \"type\":\"document\", \"relations\":{ \"reader\":{ \"union\":{ \"child\":[ { \"this\":{} }, { \"computedUserset\":{ \"object\":\"\", \"relation\":\"writer\" } } ] } }, \"writer\":{ \"this\":{} } } } ] } } In the above example, there are 2 types (user and document). The document type has 2 relations (writer and reader).
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ReadAuthorizationModelExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var id = "id_example"; // string |
try
{
// Return a particular version of an authorization model
ReadAuthorizationModelResponse response = await openFgaApi.ReadAuthorizationModel(id);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ReadAuthorizationModel: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
id | string| |
ReadAuthorizationModelResponse
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ReadAuthorizationModelsResponse ReadAuthorizationModels (int? pageSize = null, string? continuationToken = null)
Return all the authorization models for a particular store
The ReadAuthorizationModels API will return all the authorization models for a certain store. OpenFGA's response will contain an array of all authorization models, sorted in descending order of creation. ## Example Assume that a store's authorization model has been configured twice. To get all the authorization models that have been created in this store, call GET authorization-models. The API will return a response that looks like: json { \"authorization_models\": [ { \"id\": \"01G50QVV17PECNVAHX1GG4Y5NC\", \"type_definitions\": [...] }, { \"id\": \"01G4ZW8F4A07AKQ8RHSVG9RW04\", \"type_definitions\": [...] }, ], \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\" } If there are no more authorization models available, the continuation_token field will be empty json { \"authorization_models\": [ { \"id\": \"01G50QVV17PECNVAHX1GG4Y5NC\", \"type_definitions\": [...] }, { \"id\": \"01G4ZW8F4A07AKQ8RHSVG9RW04\", \"type_definitions\": [...] }, ], \"continuation_token\": \"\" }
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ReadAuthorizationModelsExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var pageSize = 56; // int? | (optional)
var continuationToken = "continuationToken_example"; // string? | (optional)
try
{
// Return all the authorization models for a particular store
ReadAuthorizationModelsResponse response = await openFgaApi.ReadAuthorizationModels(pageSize, continuationToken);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ReadAuthorizationModels: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
pageSize | int?| | [optional] continuationToken | string?| | [optional]
ReadAuthorizationModelsResponse
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
ReadChangesResponse ReadChanges (string? type = null, int? pageSize = null, string? continuationToken = null, DateTime? startTime = null)
Return a list of all the tuple changes
The ReadChanges API will return a paginated list of tuple changes (additions and deletions) that occurred in a given store, sorted by ascending time. The response will include a continuation token that is used to get the next set of changes. If there are no changes after the provided continuation token, the same token will be returned in order for it to be used when new changes are recorded. If the store never had any tuples added or removed, this token will be empty. You can use the type parameter to only get the list of tuple changes that affect objects of that type. When reading a write tuple change, if it was conditioned, the condition will be returned. When reading a delete tuple change, the condition will NOT be returned regardless of whether it was originally conditioned or not.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class ReadChangesExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var type = "type_example"; // string? | (optional)
var pageSize = 56; // int? | (optional)
var continuationToken = "continuationToken_example"; // string? | (optional)
var startTime = DateTime.Parse("2013-10-20T19:20:30+01:00"); // DateTime? | Start date and time of changes to read. Format: ISO 8601 timestamp (e.g., 2022-01-01T00:00:00Z) If a continuation_token is provided along side start_time, the continuation_token will take precedence over start_time. (optional)
try
{
// Return a list of all the tuple changes
ReadChangesResponse response = await openFgaApi.ReadChanges(type, pageSize, continuationToken, startTime);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.ReadChanges: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
type | string?| | [optional] pageSize | int?| | [optional] continuationToken | string?| | [optional] startTime | DateTime?| Start date and time of changes to read. Format: ISO 8601 timestamp (e.g., 2022-01-01T00:00:00Z) If a continuation_token is provided along side start_time, the continuation_token will take precedence over start_time. | [optional]
- Content-Type: Not defined
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
Object Write (WriteRequest body)
Add or delete tuples from the store
The Write API will transactionally update the tuples for a certain store. Tuples and type definitions allow OpenFGA to determine whether a relationship exists between an object and an user. In the body, writes adds new tuples and deletes removes existing tuples. When deleting a tuple, any condition specified with it is ignored. The API is not idempotent by default: if, later on, you try to add the same tuple key (even if the condition is different), or if you try to delete a non-existing tuple, it will throw an error. To allow writes when an identical tuple already exists in the database, set \"on_duplicate\": \"ignore\" on the writes object. To allow deletes when a tuple was already removed from the database, set \"on_missing\": \"ignore\" on the deletes object. If a Write request contains both idempotent (ignore) and non-idempotent (error) operations, the most restrictive action (error) will take precedence. If a condition fails for a sub-request with an error flag, the entire transaction will be rolled back. This gives developers explicit control over the atomicity of the requests. The API will not allow you to write tuples such as document:2021-budget#viewer@document:2021-budget#viewer, because they are implicit. An authorization_model_id may be specified in the body. If it is, it will be used to assert that each written tuple (not deleted) is valid for the model specified. If it is not specified, the latest authorization model ID will be used. ## Example ### Adding relationships To add user:anne as a writer for document:2021-budget, call write API with the following json { \"writes\": { \"tuple_keys\": [ { \"user\": \"user:anne\", \"relation\": \"writer\", \"object\": \"document:2021-budget\" } ], \"on_duplicate\": \"ignore\" }, \"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\" } ### Removing relationships To remove user:bob as a reader for document:2021-budget, call write API with the following json { \"deletes\": { \"tuple_keys\": [ { \"user\": \"user:bob\", \"relation\": \"reader\", \"object\": \"document:2021-budget\" } ], \"on_missing\": \"ignore\" } }
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class WriteExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new WriteRequest(); // WriteRequest |
try
{
// Add or delete tuples from the store
Object response = await openFgaApi.Write(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.Write: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | WriteRequest| |
Object
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 200 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
void WriteAssertions (string authorizationModelId, WriteAssertionsRequest body)
Upsert assertions for an authorization model ID
The WriteAssertions API will upsert new assertions for an authorization model id, or overwrite the existing ones. An assertion is an object that contains a tuple key, the expectation of whether a call to the Check API of that tuple key will return true or false, and optionally a list of contextual tuples.
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class WriteAssertionsExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var authorizationModelId = "authorizationModelId_example"; // string |
var body = new WriteAssertionsRequest(); // WriteAssertionsRequest |
try
{
// Upsert assertions for an authorization model ID
openFgaApi.WriteAssertions(authorizationModelId, body);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.WriteAssertions: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
authorizationModelId | string| | body | WriteAssertionsRequest| |
void (empty response body)
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 204 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]
WriteAuthorizationModelResponse WriteAuthorizationModel (WriteAuthorizationModelRequest body)
Create a new authorization model
The WriteAuthorizationModel API will add a new authorization model to a store. Each item in the type_definitions array is a type definition as specified in the field type_definition. The response will return the authorization model's ID in the id field. ## Example To add an authorization model with user and document type definitions, call POST authorization-models API with the body: json { \"type_definitions\":[ { \"type\":\"user\" }, { \"type\":\"document\", \"relations\":{ \"reader\":{ \"union\":{ \"child\":[ { \"this\":{} }, { \"computedUserset\":{ \"object\":\"\", \"relation\":\"writer\" } } ] } }, \"writer\":{ \"this\":{} } } } ] } OpenFGA's response will include the version id for this authorization model, which will look like {\"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\"}
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using OpenFga.Sdk.Api;
using OpenFga.Sdk.Client;
using OpenFga.Sdk.Configuration;
using OpenFga.Sdk.Model;
namespace Example
{
public class WriteAuthorizationModelExample
{
public static void Main()
{
var configuration = new Configuration() {
ApiScheme = Environment.GetEnvironmentVariable("OPENFGA_API_SCHEME"), // optional, defaults to "https"
ApiHost = Environment.GetEnvironmentVariable("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
StoreId = Environment.GetEnvironmentVariable("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
};
HttpClient httpClient = new HttpClient();
var openFgaApi = new OpenFgaApi(config, httpClient);
var body = new WriteAuthorizationModelRequest(); // WriteAuthorizationModelRequest |
try
{
// Create a new authorization model
WriteAuthorizationModelResponse response = await openFgaApi.WriteAuthorizationModel(body);
Debug.WriteLine(response);
}
catch (ApiException e)
{
Debug.Print("Exception when calling OpenFgaApi.WriteAuthorizationModel: " + e.Message );
Debug.Print("Status Code: "+ e.ErrorCode);
Debug.Print(e.StackTrace);
}
}
}
}| Name | Type | Description | Notes |
|---|
body | WriteAuthorizationModelRequest| |
WriteAuthorizationModelResponse
- Content-Type: application/json
- Accept: application/json
| Status code | Description | Response headers |
|---|---|---|
| 201 | A successful response. | - |
| 400 | Request failed due to invalid input. | - |
| 401 | Not authenticated. | - |
| 403 | Forbidden. | - |
| 404 | Request failed due to incorrect path. | - |
| 409 | Request was aborted due a transaction conflict. | - |
| 422 | Request timed out due to excessive request throttling. | - |
| 500 | Request failed due to internal server error. | - |
[Back to top] [Back to API list] [Back to Model list] [Back to README]