Evaluate Access
Check whether a subject is allowed to perform an action on a resource.
POST /policy-srv/v1/evaluate
This is the primary endpoint your application calls to make authorization decisions.
Request
Headers
| Header | Value |
|---|---|
| Authorization | Bearer YOUR_API_KEY |
| Content-Type | application/json |
Body
```json
{
  "subject": {
    "id": "user-123",
    "type": "user",
    "attributes": {
      "department": "engineering"
    },
    "roles": ["editor"]
  },
  "resource": {
    "type": "document",
    "id": "doc-456",
    "attributes": {
      "classification": "internal"
    }
  },
  "action": "read",
  "context": {
    "ip_address": "192.168.1.1"
  }
}
```
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| `subject.id` | string | Yes | Unique identifier of the subject |
| `subject.type` | string | Yes | Type of subject (e.g., user, service) |
| `subject.attributes` | object | No | Key-value attributes for the subject |
| `subject.roles` | string[] | No | Roles assigned to the subject |
| `resource.type` | string | Yes | Resource type (must match a defined resource type) |
| `resource.id` | string | Yes | Unique identifier of the resource |
| `resource.attributes` | object | No | Key-value attributes for the resource |
| `action` | string | Yes | The action being requested (e.g., read, write, delete) |
| `context` | object | No | Additional context for policy evaluation |
Minimal request
At minimum, you need `subject.id`, `subject.type`, `resource.type`, `resource.id`, and `action`:
```json
{
  "subject": { "id": "user-123", "type": "user" },
  "resource": { "type": "document", "id": "doc-456" },
  "action": "read"
}
```
Response
Access allowed
```json
{
  "allowed": true,
  "reason": "Policy 'editors-can-read-write' grants access",
  "policy_id": "550e8400-e29b-41d4-a716-446655440000",
  "access_path": "role"
}
```
Access denied
```json
{
  "allowed": false,
  "reason": "No matching policy found"
}
```
Fields
| Field | Type | Description |
|---|---|---|
| `allowed` | boolean | Whether access is granted |
| `reason` | string | Human-readable explanation |
| `policy_id` | string | ID of the matching policy (if allowed) |
| `access_path` | string | How access was granted: "direct", "role", or "group" |
Error responses
| Status | Description |
|---|---|
| 400 | Invalid request body |
| 401 | Missing or invalid API key |
| 500 | Internal evaluation error |
Example
```bash
curl -X POST https://api.authzx.com/policy-srv/v1/evaluate \
  -H "Authorization: Bearer ak_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "subject": { "id": "user-123", "type": "user" },
    "resource": { "type": "document", "id": "doc-456" },
    "action": "read"
  }'
```
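The same call from application code, as an added example that is not part of this page or the vendor's SDK: it validates the required fields before sending, and it fails closed, so a 4xx/5xx status, unparseable JSON, or an `allowed` value that is not the boolean `true` is always treated as a deny. The `transport` callable and `fake_transport` are assumptions made so the example runs offline; a real deployment would plug in an HTTP client that POSTs to the endpoint above.

```python
import json
from typing import Any, Callable, Dict, Optional, Tuple

EVALUATE_PATH = "/policy-srv/v1/evaluate"
REQUIRED_FIELDS = ("subject.id", "subject.type", "resource.type", "resource.id", "action")

def build_evaluate_request(subject: dict, resource: dict, action: str,
                           context: Optional[dict] = None) -> dict:
    """Assemble the request body and reject it locally if a required field is absent."""
    body: Dict[str, Any] = {"subject": subject, "resource": resource, "action": action}
    if context:
        body["context"] = context
    for path in REQUIRED_FIELDS:
        node: Any = body
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if not isinstance(node, str) or not node:
            raise ValueError(f"missing required field: {path}")
    return body

def decide(status: int, raw_body: str) -> Tuple[bool, str]:
    """Fail closed: only HTTP 200 with a boolean "allowed": true grants access."""
    if status != 200:  # 400/401/500 are all treated as deny, never as allow
        return False, f"evaluate returned HTTP {status}; denying by default"
    try:
        data = json.loads(raw_body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return False, "malformed evaluate response; denying by default"
    if data.get("allowed") is not True:  # a string "true" or a missing key is a deny
        return False, str(data.get("reason", "no reason given"))
    return True, str(data.get("reason", ""))

def evaluate(transport: Callable, api_key: str, subject: dict, resource: dict,
             action: str, context: Optional[dict] = None) -> Tuple[bool, str]:
    """Send one evaluate call via transport(path, headers, body) -> (status, raw_body)."""
    body = build_evaluate_request(subject, resource, action, context)
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    status, raw = transport(EVALUATE_PATH, headers, json.dumps(body))
    return decide(status, raw)

def fake_transport(path: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Constructed stand-in for the service so the example runs offline (not the real API)."""
    req = json.loads(body)
    if req["resource"]["id"] == "doc-456" and req["action"] == "read":
        return 200, json.dumps({"allowed": True, "policy_id": "550e8400-e29b-41d4-a716-446655440000",
                                "access_path": "role", "reason": "Policy 'editors-can-read-write' grants access"})
    return 200, json.dumps({"allowed": False, "reason": "No matching policy found"})
```

Note that `decide` never trusts a non-boolean `allowed`; callers should surface the returned reason in logs rather than to end users, since it names the matching policy.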
Performance
The evaluate endpoint is designed for low-latency, high-throughput use:
- Policies are cached for fast evaluation
- In-memory policy engine
- Typical response time: < 30ms