POST
/v1/mgmt/fga/checkAuthorization
Descope Project ID and Management Key AuthorizationBearer <token>
Project ID:Management Key as bearer token.
In: header
Request Body
application/json
tuples?array<Tuple>
Deprecated: prefer checkTuples; kept for backwards compatibility.
computePaths?boolean
context?object
Optional flat key-value context map for evaluating ABAC conditions; applies to all tuples unless a checkTuples entry carries its own context.
checkTuples?array<CheckTuple>
Optional per-tuple-context variant. Set either tuples or checkTuples (not both); each checkTuple's context overrides the request-level context above.
Check FGA permission
This endpoint allows you to check if a target has a specific relation to a resource using Fine-Grained Authorization.
curl -X POST "https://api.descope.com/v1/mgmt/fga/check" \ -H "Content-Type: application/json" \ -d '{}'{ "tuples": [ { "allowed": true, "tuple": { "resource": "document-123", "resourceType": "doc", "relation": "editor", "target": "user-456", "targetType": "user" }, "info": { "direct": true, "path": { "steps": [ { "stepType": 0, "tuple": { "resource": "document-123", "resourceType": "doc", "relation": "editor", "target": "user-456", "targetType": "user" }, "permission": "string", "subPaths": [ { "steps": [] } ] } ] }, "conditional": true, "missingContext": [ "string" ], "conditionalErr": "string", "error": { "status": 0, "message": "string" } } } ]}export interface Response {tuples?: CheckResponseTuple[]}export interface CheckResponseTuple {allowed?: booleantuple?: {/** * The resource identifier. */resource?: string/** * The type of the resource. */resourceType?: string/** * The relation between the resource and the target. */relation?: string/** * The target identifier (user, group, etc.). */target?: string/** * The type of the target. */targetType?: string}info?: CheckResponseInfo}export interface CheckResponseInfo {/** * A relation is considered "direct" if, based solely on the schema, its "allowed" state can only be * changed by creating or deleting relations involving its resource, its target, or both (including itself) */direct?: boolean/** * if the check succeeded, includes the full path of intermediate relations between the target and the resource */path?: {steps?: CheckPathStep[]}/** * true if the result was determined by evaluating a CEL condition */conditional?: boolean/** * when the condition could not be fully evaluated, lists the missing context variable names */missingContext?: string[]/** * when CEL condition evaluation failed (e.g. invalid context value type), contains the error message; * the check still returns 200 with allowed=false */conditionalErr?: string/** * per-tuple error when the tuple is invalid; currently surfaced via AuthZEN's context.error (spec ยง7.2.1) */error?: CheckResponseError}export interface CheckPathStep {stepType?: numbertuple?: {/** * The resource identifier. */resource?: string/** * The type of the resource. */resourceType?: string/** * The relation between the resource and the target. */relation?: string/** * The target identifier (user, group, etc.). */target?: string/** * The type of the target. */targetType?: string}permission?: stringsubPaths?: CheckPath[]}export interface CheckPath {steps?: CheckPathStep[]}export interface CheckResponseError {status?: numbermessage?: string} Was this helpful?