Auth0 · Capability
Auth0 FGA — Fine-Grained Authorization
Auth0 FGA (Fine-Grained Authorization) capability based on OpenFGA. Models, tuples, checks, expands, and stores for relationship-based access control inspired by Google Zanzibar.
Capability Spec
# Spec version marker (presumably the Naftiko capability-spec format version).
naftiko: '1.0.0-alpha2'

# Descriptive metadata only; nothing under `info` configures a request.
info:
  label: "Auth0 FGA \u2014 Fine-Grained Authorization"
  description: >-
    Auth0 FGA (Fine-Grained Authorization) capability based on OpenFGA.
    Models, tuples, checks, expands, and stores for relationship-based
    access control inspired by Google Zanzibar.
  tags:
    - Auth0
    - FGA
    - OpenFGA
    - Authorization
    - Zanzibar
  # Dates are quoted so they stay strings instead of being typed as dates.
  created: '2026-05-22'
  modified: '2026-05-22'
# Values taken from the `env` namespace; each key maps to an identically
# named entry.
# NOTE(review): FGA_API_TOKEN is a credential for an authorization service.
# Supply it from a secret store at runtime, never from a committed file, and
# scope it to the operations this capability actually needs.
# NOTE(review): in this spec only FGA_API_URL is referenced (by `baseUri`).
# FGA_STORE_ID and FGA_API_TOKEN are bound but not used by any visible path
# or authentication setting -- confirm how they reach the request.
binds:
  - namespace: env
    keys:
      FGA_API_URL: FGA_API_URL
      FGA_STORE_ID: FGA_STORE_ID
      FGA_API_TOKEN: FGA_API_TOKEN
# HTTP operations this capability consumes from the Auth0 FGA / OpenFGA API.
# Every operation returns its raw output as JSON.
capability:
  consumes:
    - type: http
      namespace: auth0-fga
      # Base address comes from the FGA_API_URL binding. It should be an
      # https:// endpoint: the API token and authorization decisions travel
      # over this connection.
      # NOTE(review): no authentication or header setting is visible in this
      # entry -- confirm that FGA_API_TOKEN is attached to each request.
      baseUri: '{FGA_API_URL}'
      description: Auth0 FGA / OpenFGA API.
      # NOTE(review): every path below carries `store_id`, `id` and
      # `authorization_model_id` as literal segments rather than parameters,
      # and segments that are hyphenated in the resource names
      # (authorization-models, batch-check, list-objects, list-users,
      # streamed-list-objects) are split with `/` in the paths. OpenFGA
      # documents these routes in the form /stores/{store_id}/batch-check.
      # Verify each path against the upstream API description and this spec's
      # path-parameter syntax; as written, requests would not address the
      # store named by FGA_STORE_ID.
      # NOTE(review): read-only decision calls (Check, BatchCheck, List*) sit
      # beside operations that change who can access what (CreateStore,
      # DeleteStore, WriteAuthorizationModel, WriteAssertions, Write).
      # Consider a separate, narrowly scoped credential for the mutating set.
      resources:
        # --- AuthZEN discovery (experimental) ---
        - name: .well-known-authzen-configuration-store_id
          path: /.well/known/authzen/configuration/store_id
          operations:
            - name: GetConfiguration
              method: GET
              description: '[Experimental] Get AuthZEN PDP configuration and capabilities'
              outputRawFormat: json

        # --- Store administration ---
        - name: stores
          path: /stores
          operations:
            - name: ListStores
              method: GET
              description: List all stores
              outputRawFormat: json
            - name: CreateStore
              method: POST
              description: Create a store
              outputRawFormat: json
        - name: stores-store_id
          path: /stores/store_id
          operations:
            - name: GetStore
              method: GET
              description: Get a store
              outputRawFormat: json
            # Destructive: removes a store. Restrict and audit its use.
            - name: DeleteStore
              method: DELETE
              description: Delete a store
              outputRawFormat: json

        # --- AuthZEN access evaluation and search (experimental) ---
        - name: stores-store_id-access-v1-evaluation
          path: /stores/store_id/access/v1/evaluation
          operations:
            - name: Evaluation
              method: POST
              description: '[Experimental] Evaluate whether a subject can perform an action on a resource'
              outputRawFormat: json
        - name: stores-store_id-access-v1-evaluations
          path: /stores/store_id/access/v1/evaluations
          operations:
            - name: Evaluations
              method: POST
              description: '[Experimental] Check whether one or more users are authorized to access resources'
              outputRawFormat: json
        - name: stores-store_id-access-v1-search-action
          path: /stores/store_id/access/v1/search/action
          operations:
            - name: ActionSearch
              method: POST
              description: '[Experimental] Search for actions a subject can perform on a resource'
              outputRawFormat: json
        - name: stores-store_id-access-v1-search-resource
          path: /stores/store_id/access/v1/search/resource
          operations:
            - name: ResourceSearch
              method: POST
              description: '[Experimental] Search for resources a subject has access to'
              outputRawFormat: json
        - name: stores-store_id-access-v1-search-subject
          path: /stores/store_id/access/v1/search/subject
          operations:
            - name: SubjectSearch
              method: POST
              description: '[Experimental] Search for subjects with access to a resource'
              outputRawFormat: json

        # --- Assertions and authorization models ---
        - name: stores-store_id-assertions-authorization_model_id
          path: /stores/store_id/assertions/authorization_model_id
          operations:
            - name: ReadAssertions
              method: GET
              description: Read assertions for an authorization model ID
              outputRawFormat: json
            - name: WriteAssertions
              method: PUT
              description: Upsert assertions for an authorization model ID
              outputRawFormat: json
        - name: stores-store_id-authorization-models
          path: /stores/store_id/authorization/models
          operations:
            - name: ReadAuthorizationModels
              method: GET
              description: Return all the authorization models for a particular store
              outputRawFormat: json
            # A new model changes how every later check is evaluated.
            - name: WriteAuthorizationModel
              method: POST
              description: Create a new authorization model
              outputRawFormat: json
        - name: stores-store_id-authorization-models-id
          path: /stores/store_id/authorization/models/id
          operations:
            - name: ReadAuthorizationModel
              method: GET
              description: Return a particular version of an authorization model
              outputRawFormat: json

        # --- Relationship queries ---
        # Callers should treat an error or an unparsable response from a
        # check as a deny, never as an allow.
        - name: stores-store_id-batch-check
          path: /stores/store_id/batch/check
          operations:
            - name: BatchCheck
              method: POST
              description: Send a list of `check` operations in a single request
              outputRawFormat: json
        # Tuple change history, raw tuples, expansions and user lists reveal
        # who holds which relation; handle their output as sensitive data.
        - name: stores-store_id-changes
          path: /stores/store_id/changes
          operations:
            - name: ReadChanges
              method: GET
              description: Return a list of all the tuple changes
              outputRawFormat: json
        - name: stores-store_id-check
          path: /stores/store_id/check
          operations:
            - name: Check
              method: POST
              description: Check whether a user is authorized to access an object
              outputRawFormat: json
        - name: stores-store_id-expand
          path: /stores/store_id/expand
          operations:
            - name: Expand
              method: POST
              description: >-
                Expand all relationships in userset tree format, and following
                userset rewrite rules. Useful to reason about and debug a
                certain relationship
              outputRawFormat: json
        - name: stores-store_id-list-objects
          path: /stores/store_id/list/objects
          operations:
            - name: ListObjects
              method: POST
              description: List all objects of the given type that the user has a relation with
              outputRawFormat: json
        - name: stores-store_id-list-users
          path: /stores/store_id/list/users
          operations:
            - name: ListUsers
              method: POST
              description: List the users matching the provided filter who have a certain relation to a particular type.
              outputRawFormat: json
        - name: stores-store_id-read
          path: /stores/store_id/read
          operations:
            - name: Read
              method: POST
              description: Get tuples from the store that matches a query, without following userset rewrite rules
              outputRawFormat: json
        - name: stores-store_id-streamed-list-objects
          path: /stores/store_id/streamed/list/objects
          operations:
            - name: StreamedListObjects
              method: POST
              description: Stream all objects of the given type that the user has a relation with
              outputRawFormat: json

        # --- Relationship writes ---
        # Adding or deleting tuples grants or revokes access directly;
        # restrict this operation to trusted callers and log its use.
        - name: stores-store_id-write
          path: /stores/store_id/write
          operations:
            - name: Write
              method: POST
              description: Add or delete tuples from the store
              outputRawFormat: json