Quick Start

From zero to a working access check. Pick the flow that fits your situation.

• Dashboard flow — click through the console.
• Terraform flow — policies as code.
• Local agent — add a sidecar for sub-millisecond decisions.

Dashboard flow

1. Sign in

Go to console.authzx.com and sign in.

2. Create an application

An application is a container for the resources you want to protect. Resources live inside an application; subjects, roles, groups, and policies live at the tenant level and can span applications.

Applications → Create Application. Example: CRM Platform.

3. Get credentials

Two options — pick the one that fits how you'll call AuthzX.

• API key — Settings → API Keys → Create. Good for simple, trusted, long-lived internal services. Starts with azx_.
• OAuth client (recommended for server-to-server and CI/CD) — Settings → API → OAuth Clients → Create. Returns a client_id and client_secret (shown once). See OAuth Client Credentials.

4. Define a resource type

Resources → Resource Types → Create. A resource type describes a category of thing you protect and the actions available on it.

Example:

• Name: document
• Actions: read, write, delete, share

5. Create a resource

Resources → Create Resource, selecting your application from step 2.

Example:

• Application: CRM Platform
• Name: Engineering Wiki
• Type: document

6. Add a subject

Subjects → Create Subject.

Example:

• Name: Alice
• Type: user

7. Create a role and policy

Roles → Create Role — e.g. editor.

Policies → Create Policy:

• Name: editors-can-read-write
• Effect: ALLOW
• Actions: read, write
• Resource type: document

Assign the policy to the editor role, then assign editor to Alice.

8. Make your first API call

You can identify the resource by id (UUID) or by type + name — whichever is more convenient. Name-based lookup matches the dashboard and Terraform workflow and avoids pasting UUIDs into application code.

curl -X POST https://api.authzx.com/v1/authorize \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "subject":  { "id": "ALICE_SUBJECT_ID", "type": "user" },
    "resource": { "type": "document", "name": "Engineering Wiki" },
    "action":   { "name": "read" }
  }'

Response:

{
  "decision": true,
  "context": {
    "reason": "Policy 'editors-can-read-write' grants access",
    "policy_id": "...",
    "access_path": "role"
  }
}

Switch action to {"name": "delete"} and the same call returns "decision": false.

Terraform flow

The Terraform provider authenticates via OAuth Client Credentials. Create an OAuth client in the console first (step 3).

export AUTHZX_CLIENT_ID=client_...
export AUTHZX_CLIENT_SECRET=azx_cs_...

terraform {
  required_providers {
    authzx = { source = "authzx/authzx", version = "~> 0.2" }
  }
}

provider "authzx" {}

resource "authzx_application" "crm" {
  name = "CRM Platform"
}

resource "authzx_resource_type" "document" {
  application_id = authzx_application.crm.id
  name           = "document"
  actions        = ["read", "write", "delete", "share"]
}

resource "authzx_resource" "wiki" {
  application_id = authzx_application.crm.id
  name           = "Engineering Wiki"
  type           = authzx_resource_type.document.id
}

resource "authzx_role" "editor" {
  application_id = authzx_application.crm.id
  name           = "editor"
}

resource "authzx_policy" "editors_can_edit" {
  application_id = authzx_application.crm.id
  name           = "editors-can-read-write"
  effect         = "ALLOW"
  priority       = 50
  resources = [{
    resource_id = authzx_resource.wiki.id
    actions     = ["read", "write"]
  }]
}

resource "authzx_policy_assignment" "editors_policy" {
  policy_id   = authzx_policy.editors_can_edit.id
  entity_type = "role"
  entity_id   = authzx_role.editor.id
}

terraform init && terraform apply

Full reference: Terraform Provider.

SDKs

# Go
go get github.com/authzx/authzx-go

# Node.js
npm install @authzx/sdk

# Python
pip install authzx

client := authzx.NewClient("YOUR_API_KEY")
decision, _ := client.Check(ctx,
  authzx.Subject{ID: "ALICE_SUBJECT_ID", Type: "user"},
  authzx.Action{Name: "read"},
  authzx.Resource{Type: "document", Name: "Engineering Wiki"},
)

const authzx = new AuthzX({ apiKey: 'YOUR_API_KEY' })
const { decision } = await authzx.authorize({
  subject:  { id: 'ALICE_SUBJECT_ID', type: 'user' },
  resource: { type: 'document', name: 'Engineering Wiki' },
  action:   { name: 'read' },
})

client = AuthzX(api_key="YOUR_API_KEY")
result = client.authorize(
    subject={"id": "ALICE_SUBJECT_ID", "type": "user"},
    resource={"type": "document", "name": "Engineering Wiki"},
    action={"name": "read"},
)

Local agent

Run decisions next to your service. Same request shape, sub-millisecond evaluation, works from a local cache when the cloud is unreachable.

docker run -d \
  -e AUTHZX_API_KEY=azx_... \
  -p 8181:8181 \
  -v authzx-cache:/var/lib/authzx/bundles \
  authzx/agent:latest

Then point your SDK at http://localhost:8181:

const authzx = new AuthzX({ baseUrl: 'http://localhost:8181' })

Full agent config (metrics, decision logs, graceful degradation): AuthzX Agent.

What's next

• MCP Adapter — Gate MCP tool calls with one line.
• SDKs & CLI — Install an SDK for your language.
• Concepts — Access paths and the authorization model.
• Authorize API — Full endpoint reference.