AuthZEN 1.0 Compliance
AuthzX is natively compliant with the OpenID AuthZEN Authorization API 1.0 specification (Final, January 2026). This is not a compatibility shim or translation layer — the primary /v1/authorize endpoint speaks AuthZEN as its native protocol.
What is AuthZEN?
AuthZEN is an open standard from the OpenID Foundation that defines a common API for authorization decisions. It specifies how clients request access decisions and how authorization services respond, enabling interoperability between applications and authorization providers.
The goal: any application that speaks AuthZEN can work with any compliant authorization service, without vendor-specific integration code.
Request format
AuthZEN defines three top-level objects in the request: subject, resource, and action.
Action as an object
The action field is an object containing a name:
{
"action": {
"name": "read"
}
}
Properties
Subject and resource carry key-value data in a properties field. AuthzX also accepts attributes as an alias for backward compatibility.
{
"subject": {
"id": "user-123",
"type": "user",
"properties": {
"department": "engineering"
}
},
"resource": {
"id": "doc-456",
"type": "document",
"properties": {
"classification": "internal"
}
}
}
Required type fields
Both subject.type and resource.type are required. These tell the authorization engine what kind of entity is requesting access and what kind of resource is being accessed.
Response format
The response uses decision (boolean) as the top-level verdict, with additional details nested under context:
{
"decision": true,
"context": {
"reason": "Policy 'editors-can-read-write' grants access",
"policy_id": "550e8400-e29b-41d4-a716-446655440000",
"access_path": "role"
}
}
| Field | Type | Description |
|---|---|---|
decision | boolean | Whether access is granted |
context.reason | string | Human-readable explanation |
context.policy_id | string | ID of the matching policy (when access is granted) |
context.access_path | string | How access was resolved: "direct", "role", "group", or "none" |
Discovery endpoint
AuthzX exposes a discovery endpoint at:
GET /.well-known/authzen-configuration
This returns metadata about the authorization service, including supported endpoints and capabilities. Clients can use this to auto-configure against any AuthZEN-compliant service.
X-Request-ID support
Send an X-Request-ID header with your request, and AuthzX echoes it back in the response. This makes it straightforward to correlate authorization decisions with your application logs and traces.
curl -X POST https://api.authzx.com/v1/authorize \
-H "Authorization: Bearer azx_..." \
-H "Content-Type: application/json" \
-H "X-Request-ID: req-abc-123" \
-d '{ ... }'
The response includes the same header:
X-Request-ID: req-abc-123
AuthzX extensions
AuthzX extends the AuthZEN spec with additional fields that are useful for real-world authorization but not part of the base specification:
| Extension field | Location | Description |
|---|---|---|
subject.roles | Request | Roles to evaluate for the subject, enabling inline RBAC without a prior role lookup |
subject.external_id | Request | External identifier from your identity provider |
resource.name | Request | Human-readable resource name for name-based lookup (avoids hardcoding UUIDs) |
resource.application_id | Request | Scopes the resource to a specific application |
context.access_path | Response | Which access path produced the decision |
context.policy_id | Response | The specific policy that matched |
These extensions are fully optional. A standard AuthZEN client works with AuthzX without using any of them.
Specification link
The full AuthZEN 1.0 specification is available at: https://openid.github.io/authzen/
Related
- Authorize API -- full request and response reference.
- Access Paths -- the
access_pathresponse field explained. - Decisions -- what happens after evaluation.