Check FGA Permission

POST

/v1/mgmt/fga/check

Authorization

Descope Project ID and Management Key

AuthorizationBearer <token>

Project ID:Management Key as bearer token.

In: header

Request Body

application/json

tuples?array<Tuple>

computePaths?boolean

context?object

Optional flat key-value context map for evaluating ABAC conditions

This endpoint allows you to check if a target has a specific relation to a resource using Fine-Grained Authorization.

curl -X POST "https://api.descope.com/v1/mgmt/fga/check" \
  -H "Content-Type: application/json" \
  -d '{}'

curl -X POST "https://api.descope.com/v1/mgmt/fga/check" \  -H "Content-Type: application/json" \  -d '{}'

ResponseOK

{
  "tuples": [
    {
      "allowed": true,
      "tuple": {
        "resource": "document-123",
        "resourceType": "doc",
        "relation": "editor",
        "target": "user-456",
        "targetType": "user"
      },
      "info": {
        "direct": true,
        "path": {
          "steps": [
            {
              "stepType": 0,
              "tuple": {
                "resource": "document-123",
                "resourceType": "doc",
                "relation": "editor",
                "target": "user-456",
                "targetType": "user"
              },
              "permission": "string",
              "subPaths": [
                {
                  "steps": []
                }
              ]
            }
          ]
        },
        "conditional": true,
        "missingContext": [
          "string"
        ],
        "conditionalErr": "string"
      }
    }
  ]
}

{  "tuples": [    {      "allowed": true,      "tuple": {        "resource": "document-123",        "resourceType": "doc",        "relation": "editor",        "target": "user-456",        "targetType": "user"      },      "info": {        "direct": true,        "path": {          "steps": [            {              "stepType": 0,              "tuple": {                "resource": "document-123",                "resourceType": "doc",                "relation": "editor",                "target": "user-456",                "targetType": "user"              },              "permission": "string",              "subPaths": [                {                  "steps": []                }              ]            }          ]        },        "conditional": true,        "missingContext": [          "string"        ],        "conditionalErr": "string"      }    }  ]}

TypeScript

export interface Response {
tuples?: CheckResponseTuple[]
}
export interface CheckResponseTuple {
allowed?: boolean
tuple?: {
/**
 * The resource identifier.
 */
resource?: string
/**
 * The type of the resource.
 */
resourceType?: string
/**
 * The relation between the resource and the target.
 */
relation?: string
/**
 * The target identifier (user, group, etc.).
 */
target?: string
/**
 * The type of the target.
 */
targetType?: string
}
info?: CheckResponseInfo
}
export interface CheckResponseInfo {
/**
 * A relation is considered "direct" if, based solely on the schema, its "allowed" state can only be
 *  changed by creating or deleting relations involving its resource, its target, or both (including itself)
 */
direct?: boolean
/**
 * if the check succeeded, includes the full path of intermediate relations between the target and the resource
 */
path?: {
steps?: CheckPathStep[]
}
/**
 * true if the result was determined by evaluating a CEL condition
 */
conditional?: boolean
/**
 * when the condition could not be fully evaluated, lists the missing context variable names
 */
missingContext?: string[]
/**
 * when CEL condition evaluation failed (e.g. invalid context value type), contains the error message;
 *  the check still returns 200 with allowed=false
 */
conditionalErr?: string
}
export interface CheckPathStep {
stepType?: number
tuple?: {
/**
 * The resource identifier.
 */
resource?: string
/**
 * The type of the resource.
 */
resourceType?: string
/**
 * The relation between the resource and the target.
 */
relation?: string
/**
 * The target identifier (user, group, etc.).
 */
target?: string
/**
 * The type of the target.
 */
targetType?: string
}
permission?: string
subPaths?: CheckPath[]
}
export interface CheckPath {
steps?: CheckPathStep[]
}

export interface Response {tuples?: CheckResponseTuple[]}export interface CheckResponseTuple {allowed?: booleantuple?: {/** * The resource identifier. */resource?: string/** * The type of the resource. */resourceType?: string/** * The relation between the resource and the target. */relation?: string/** * The target identifier (user, group, etc.). */target?: string/** * The type of the target. */targetType?: string}info?: CheckResponseInfo}export interface CheckResponseInfo {/** * A relation is considered "direct" if, based solely on the schema, its "allowed" state can only be *  changed by creating or deleting relations involving its resource, its target, or both (including itself) */direct?: boolean/** * if the check succeeded, includes the full path of intermediate relations between the target and the resource */path?: {steps?: CheckPathStep[]}/** * true if the result was determined by evaluating a CEL condition */conditional?: boolean/** * when the condition could not be fully evaluated, lists the missing context variable names */missingContext?: string[]/** * when CEL condition evaluation failed (e.g. invalid context value type), contains the error message; *  the check still returns 200 with allowed=false */conditionalErr?: string}export interface CheckPathStep {stepType?: numbertuple?: {/** * The resource identifier. */resource?: string/** * The type of the resource. */resourceType?: string/** * The relation between the resource and the target. */relation?: string/** * The target identifier (user, group, etc.). */target?: string/** * The type of the target. */targetType?: string}permission?: stringsubPaths?: CheckPath[]}export interface CheckPath {steps?: CheckPathStep[]}

Was this helpful?