The CheckResources API is the primary authorization endpoint for checking whether a principal has permission to perform specific actions on resources. It supports checking multiple resources and actions in a single request.
Endpoint
rpc CheckResources(CheckResourcesRequest) returns (CheckResourcesResponse)
Request Parameters
requestId: Optional application-specific ID useful for correlating logs for analysis. Example: "c2db17b8-4f9f-4fb1-acfd-9162a02be42b"
includeMeta: Add request processing metadata to the response. When true, the response includes information about which policies matched and which derived roles were effective.
principal: A person or application attempting to perform the actions on the set of resources.
  principal.id: ID of the principal. Example: "alicia"
  principal.roles: Roles assigned to this principal from your identity management system. Must contain at least one role. Example: ["user"]
  principal.attr: Key-value pairs of contextual data about this principal that should be used during policy evaluation. Example: {"beta_tester": true}
  principal.policyVersion: The policy version to use to evaluate this request. If not specified, defaults to the server-configured default version. Example: "default"
  principal.scope: A dot-separated scope that describes the hierarchy this principal belongs to. This is used for determining policy inheritance. Example: "acme.corp"
resources: List of resources and actions to check. Must contain at least one resource.
  resources[].actions: List of actions being performed on the resource. Must contain at least one action and all actions must be unique. Example: ["view", "delete"]
  resources[].resource: The resource to check permissions for.
    resources[].resource.kind: Name of the resource kind being accessed. Example: "album:object"
    resources[].resource.id: ID of the resource instance. Example: "XX125"
    resources[].resource.attr: Key-value pairs of contextual data about this resource that should be used during policy evaluation. Example: {"owner": "alicia", "public": false}
    resources[].resource.policyVersion: The policy version to use to evaluate this request. If not specified, defaults to the server-configured default version. Example: "default"
    resources[].resource.scope: A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance. Example: "acme.corp"
auxData: Structured auxiliary data useful for evaluating the request.
  auxData.jwt: JWT from the original request.
    auxData.jwt.token: The JWT from the original request.
    auxData.jwt.keySetId: Key ID to use when decoding the token (defined in the Cerbos server configuration).
Response Fields
requestId: Request ID provided in the request. Example: "c2db17b8-4f9f-4fb1-acfd-9162a02be42b"
results: Result for each resource.
  results[].resource: Information about the resource that was checked.
    results[].resource.id: ID of the resource instance. Example: "XX125"
    results[].resource.kind: Name of the resource kind being accessed. Example: "album:object"
    results[].resource.policyVersion: The policy version used to evaluate this request. Example: "default"
    results[].resource.scope: The scope that was used for this resource.
  results[].actions: Mapping of each action to an effect. Each key is an action name, and the value is either EFFECT_ALLOW or EFFECT_DENY. Example: {"view": "EFFECT_ALLOW", "delete": "EFFECT_DENY"}
  results[].validationErrors: List of validation errors (if schema validation is enabled).
  results[].meta: Metadata about policy evaluation (only included if includeMeta was set to true in the request).
    results[].meta.actions: Metadata about the effect calculated for each action on this resource instance.
      results[].meta.actions.<action>.matchedPolicy: Policy that matched to produce this effect. Example: "resource.album_object.vdefault"
      results[].meta.actions.<action>.matchedScope: Policy scope that matched to produce this effect. Example: "acme.corp.base"
    results[].meta.effectiveDerivedRoles: Derived roles that were effective during policy evaluation. Example: ["owner"]
  results[].outputs: Output for each rule with outputs configured.
    results[].outputs[].src: Rule that matched to produce this output. Example: "resource.expense.v1/acme#rule-001"
    results[].outputs[].val: Dynamic output, determined by user-defined rule output.
cerbosCallId: Audit log call ID associated with this request.
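The response fields above are what a caller has to turn into an allow or deny decision. The helper below is an added example (not code from the Cerbos project or its SDKs) that parses a constructed CheckResourcesResponse, keys the results by (kind, id) instead of relying on result order, treats anything other than an explicit EFFECT_ALLOW as a deny, and surfaces the includeMeta metadata and validation errors for logging. The sample response and the shape of each validation error entry (path, message, source) are constructed for illustration.

```python
import json

# Constructed sample CheckResourcesResponse (not captured from a real Cerbos
# server). It uses the response fields documented above: one "results" entry
# per checked resource, an effect per action, and "meta" because the request
# set includeMeta to true. The validation error shape is an assumption.
SAMPLE_RESPONSE_JSON = json.dumps({
    "requestId": "test01",
    "results": [
        {
            "resource": {"id": "XX125", "kind": "album:object",
                         "policyVersion": "default", "scope": ""},
            "actions": {"view": "EFFECT_ALLOW", "delete": "EFFECT_DENY"},
            "validationErrors": [],
            "meta": {
                "actions": {
                    "view": {"matchedPolicy": "resource.album_object.vdefault",
                             "matchedScope": ""},
                    "delete": {"matchedPolicy": "resource.album_object.vdefault",
                               "matchedScope": ""},
                },
                "effectiveDerivedRoles": ["owner"],
            },
        },
        {
            "resource": {"id": "exp789", "kind": "expense",
                         "policyVersion": "default", "scope": ""},
            "actions": {"approve": "EFFECT_DENY"},
            "validationErrors": [
                {"path": "/amount", "message": "missing properties: 'amount'",
                 "source": "SOURCE_RESOURCE"},
            ],
        },
    ],
    "cerbosCallId": "01HEXAMPLECALLID",  # constructed placeholder
})


def load_response(raw: str) -> dict:
    """Decode the JSON body returned by the check/resources endpoint."""
    return json.loads(raw)


def index_results(response: dict) -> dict:
    """Key each result by (kind, id) so callers never depend on result order."""
    return {
        (r["resource"]["kind"], r["resource"]["id"]): r
        for r in response.get("results", [])
    }


def is_allowed(response: dict, kind: str, resource_id: str, action: str) -> bool:
    """Fail closed: only an explicit EFFECT_ALLOW grants access.

    A resource missing from the results, an action missing from its effect
    map, or any value other than EFFECT_ALLOW is treated as a deny.
    """
    result = index_results(response).get((kind, resource_id))
    if result is None:
        return False
    return result.get("actions", {}).get(action) == "EFFECT_ALLOW"


def decision_detail(response: dict, kind: str, resource_id: str, action: str) -> dict:
    """Return the effect with the metadata that explains it.

    The metadata fields are empty when the request did not set includeMeta.
    """
    result = index_results(response).get((kind, resource_id), {})
    meta = result.get("meta", {})
    action_meta = meta.get("actions", {}).get(action, {})
    return {
        "effect": result.get("actions", {}).get(action),
        "matchedPolicy": action_meta.get("matchedPolicy", ""),
        "matchedScope": action_meta.get("matchedScope", ""),
        "effectiveDerivedRoles": list(meta.get("effectiveDerivedRoles", [])),
    }


def validation_errors(response: dict) -> list:
    """Collect (kind, id, path, message) for every schema validation error,
    so the caller can log which attributes were malformed."""
    errors = []
    for r in response.get("results", []):
        res = r["resource"]
        for err in r.get("validationErrors", []):
            errors.append((res["kind"], res["id"],
                           err.get("path", ""), err.get("message", "")))
    return errors


if __name__ == "__main__":
    resp = load_response(SAMPLE_RESPONSE_JSON)
    print("view allowed:", is_allowed(resp, "album:object", "XX125", "view"))
    print("delete allowed:", is_allowed(resp, "album:object", "XX125", "delete"))
    print(decision_detail(resp, "album:object", "XX125", "view"))
    print(validation_errors(resp))
```

Keying by (kind, id) also catches the case where a result is absent for a resource you asked about; `is_allowed` returns False for it rather than raising, which keeps the enforcement path fail-closed.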
Example
cat << EOF | curl --silent "http://localhost:3592/api/check/resources?pretty" -d @-
{
  "requestId": "test01",
  "includeMeta": true,
  "principal": {
    "id": "alicia",
    "roles": [
      "user"
    ]
  },
  "resources": [
    {
      "actions": [
        "view"
      ],
      "resource": {
        "id": "XX125",
        "kind": "album:object",
        "attr": {
          "owner": "alicia",
          "public": false,
          "flagged": false
        }
      }
    }
  ]
}
EOF
Use Cases
Single Resource Check
The most common use case is checking if a user can perform actions on a single resource:
{
  "principal": {
    "id": "user123",
    "roles": ["user"]
  },
  "resources": [
    {
      "actions": ["view", "edit", "delete"],
      "resource": {
        "kind": "document",
        "id": "doc456",
        "attr": {
          "owner": "user123"
        }
      }
    }
  ]
}
Batch Resource Check
You can check permissions for multiple heterogeneous resources in a single request:
{
  "principal": {
    "id": "user123",
    "roles": ["user"]
  },
  "resources": [
    {
      "actions": ["view"],
      "resource": {
        "kind": "document",
        "id": "doc456"
      }
    },
    {
      "actions": ["approve"],
      "resource": {
        "kind": "expense",
        "id": "exp789"
      }
    }
  ]
}
Set includeMeta to true to request metadata showing which policies matched and which derived roles were effective:
{
  "includeMeta": true,
  "principal": {
    "id": "user123",
    "roles": ["user"]
  },
  "resources": [
    {
      "actions": ["view"],
      "resource": {
        "kind": "document",
        "id": "doc456"
      }
    }
  ]
}
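The request constraints documented above (at least one role, at least one resource, at least one action per resource, unique actions) are worth enforcing on the client before the request leaves your service. The builder below is an added example, hand-written for this page rather than taken from the Cerbos SDKs, that assembles a batch request like the one above from a list of resource checks and raises on input that violates those constraints. It generates a UUID requestId when none is given, which is a design choice for log correlation, not something the API requires.

```python
import json
import uuid
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ResourceCheck:
    """One entry of the request's "resources" list (name chosen for this example)."""
    kind: str
    resource_id: str
    actions: list
    attr: dict = field(default_factory=dict)


def build_check_request(principal_id: str, roles: list, checks: list, *,
                        principal_attr: Optional[dict] = None,
                        include_meta: bool = False,
                        request_id: Optional[str] = None) -> dict:
    """Assemble a CheckResourcesRequest body, enforcing the documented constraints.

    Raising ValueError here is preferable to sending a request the server
    will reject, or one that checks fewer actions than the caller intended.
    """
    if not principal_id:
        raise ValueError("principal id is required")
    if not roles:
        raise ValueError("principal must have at least one role")
    if not checks:
        raise ValueError("at least one resource is required")

    resources = []
    for c in checks:
        if not c.kind or not c.resource_id:
            raise ValueError("resource kind and id are required")
        if not c.actions:
            raise ValueError(f"{c.kind}/{c.resource_id}: at least one action is required")
        if len(set(c.actions)) != len(c.actions):
            raise ValueError(f"{c.kind}/{c.resource_id}: actions must be unique")
        entry = {"actions": list(c.actions),
                 "resource": {"kind": c.kind, "id": c.resource_id}}
        if c.attr:
            entry["resource"]["attr"] = dict(c.attr)
        resources.append(entry)

    request = {
        # A fresh UUID per call (our choice, not an API requirement) lets you
        # correlate the decision with the audit log and your application logs.
        "requestId": request_id or str(uuid.uuid4()),
        "includeMeta": include_meta,
        "principal": {"id": principal_id, "roles": list(roles)},
        "resources": resources,
    }
    if principal_attr:
        request["principal"]["attr"] = dict(principal_attr)
    return request


def to_json(request: dict) -> str:
    """Serialize the request body for posting to /api/check/resources."""
    return json.dumps(request, indent=2)


if __name__ == "__main__":
    # Constructed input mirroring the batch example above.
    body = build_check_request(
        "user123", ["user"],
        [ResourceCheck("document", "doc456", ["view"]),
         ResourceCheck("expense", "exp789", ["approve"], {"amount": 120})],
        include_meta=True,
    )
    print(to_json(body))
```

Attributes are only emitted when present, so a check without contextual data produces exactly the compact resource object shown in the batch example.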