Ory · Capability
Ory Keto API — permission
Ory Keto API — permission. 6 operations. Lead operation: Batch check permissions. Self-contained Naftiko capability covering one Ory business surface.
What You Can Do
POST
Batchcheckpermission
— Batch check permissions
/v1/relation-tuples/batch/check
GET
Checkpermissionorerror
— Check a permission
/v1/relation-tuples/check
POST
Postcheckpermissionorerror
— Check a permission
/v1/relation-tuples/check
GET
Checkpermission
— Check a permission
/v1/relation-tuples/check/openapi
POST
Postcheckpermission
— Check a permission
/v1/relation-tuples/check/openapi
GET
Expandpermissions
— Expand a Relationship into permissions.
/v1/relation-tuples/expand
MCP Tools
batch-check-permissions
Batch check permissions
read-only
check-permission
Check a permission
read-only
idempotent
check-permission-2
Check a permission
read-only
check-permission-3
Check a permission
read-only
idempotent
check-permission-4
Check a permission
read-only
expand-relationship-permissions
Expand a Relationship into permissions.
read-only
idempotent
Capability Spec
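# Capability header: spec version, descriptive metadata, and the credential binding.
# NOTE(review): the rendered page lost all indentation; the nesting below is reconstructed
# from key order and should be verified against the original file.
naftiko: 1.0.0-alpha2
info:
  label: Ory Keto API — permission
  description: 'Ory Keto API — permission. 6 operations. Lead operation: Batch check permissions. Self-contained Naftiko capability
    covering one Ory business surface.'
  tags:
    - Ory
    - permission
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
  # Binds ORY_API_KEY in the `env` namespace; presumably the value is read from the process
  # environment, so the secret itself never appears in this file (confirm against the schema).
  # NOTE(review): nothing in the capability section of this spec references ORY_API_KEY (no
  # authentication or header entry is visible). Confirm how the credential is attached to
  # upstream requests; otherwise the binding is dead and calls may be sent unauthenticated.
  - namespace: env
    keys:
      ORY_API_KEY: ORY_API_KEY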
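# Capability body: one consumed HTTP API (Ory Keto permission checks) and two adapters
# (REST on 8080, MCP on 9090) that forward caller input to it.
# NOTE(review): the rendered page lost all indentation; the nesting below is reconstructed
# from key order and should be verified against the original file.
capability:
  consumes:
    - type: http
      namespace: keto-permission
      # NOTE(review): baseUri is empty, so the upstream Keto endpoint is not pinned in this
      # spec. Confirm where it is supplied at deploy time and that callers of the adapters
      # below cannot influence it.
      # NOTE(review): no authentication entry is visible on this consumer even though the
      # file binds ORY_API_KEY; confirm how (or whether) the key is sent upstream.
      baseUri: ''
      description: Ory Keto API — permission business capability. Self-contained, no shared references.
      resources:
        - name: relation-tuples-batch-check
          path: /relation-tuples/batch/check
          operations:
            - name: batchcheckpermission
              method: POST
              description: Batch check permissions
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                # No minimum/maximum is declared for max-depth anywhere in this spec; the only
                # bound is whatever the Keto server enforces. Verify the server-side read-depth
                # limit is configured, since deep traversals are the expensive path.
                - name: max-depth
                  in: query
                  type: integer
                # Free-form JSON with no schema and `required: false`: the body is forwarded
                # as-is, so all validation is left to the upstream API.
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        # NOTE(review): in Ory Keto's REST API this endpoint is understood to signal a denied
        # check through the HTTP status as well as the body — confirm for the deployed version.
        # Callers must treat every non-success response (denial, timeout, upstream error) as
        # "not allowed" and never fall back to allow.
        - name: relation-tuples-check
          path: /relation-tuples/check
          operations:
            - name: checkpermissionorerror
              method: GET
              description: Check a permission
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                # None of the tuple fields is marked required here (unlike the expand
                # operation further down); incomplete tuples are rejected only by the upstream.
                - name: namespace
                  in: query
                  type: string
                  description: Namespace of the Relationship
                - name: object
                  in: query
                  type: string
                  description: Object of the Relationship
                - name: relation
                  in: query
                  type: string
                  description: Relation of the Relationship
                - name: subject_id
                  in: query
                  type: string
                  description: SubjectID of the Relationship
                - name: subject_set.namespace
                  in: query
                  type: string
                  description: Namespace of the Subject Set
                - name: subject_set.object
                  in: query
                  type: string
                  description: Object of the Subject Set
                - name: subject_set.relation
                  in: query
                  type: string
                  description: Relation of the Subject Set
                - name: max-depth
                  in: query
                  type: integer
            - name: postcheckpermissionorerror
              method: POST
              description: Check a permission
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: max-depth
                  in: query
                  type: integer
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        # NOTE(review): this variant is understood to return a success status whether or not
        # the check passes, with the decision carried in the response body — confirm for the
        # deployed version. A consumer that keys on the HTTP status alone would fail open, so
        # the decision field in the body must be read explicitly.
        - name: relation-tuples-check-openapi
          path: /relation-tuples/check/openapi
          operations:
            - name: checkpermission
              method: GET
              description: Check a permission
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: namespace
                  in: query
                  type: string
                  description: Namespace of the Relationship
                - name: object
                  in: query
                  type: string
                  description: Object of the Relationship
                - name: relation
                  in: query
                  type: string
                  description: Relation of the Relationship
                - name: subject_id
                  in: query
                  type: string
                  description: SubjectID of the Relationship
                - name: subject_set.namespace
                  in: query
                  type: string
                  description: Namespace of the Subject Set
                - name: subject_set.object
                  in: query
                  type: string
                  description: Object of the Subject Set
                - name: subject_set.relation
                  in: query
                  type: string
                  description: Relation of the Subject Set
                - name: max-depth
                  in: query
                  type: integer
            - name: postcheckpermission
              method: POST
              description: Check a permission
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: max-depth
                  in: query
                  type: integer
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        # Expand returns the tree of subjects behind a relation, i.e. who holds access to an
        # object. Treat its output as sensitive authorization data.
        - name: relation-tuples-expand
          path: /relation-tuples/expand
          operations:
            - name: expandpermissions
              method: GET
              description: Expand a Relationship into permissions.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: namespace
                  in: query
                  type: string
                  description: Namespace of the Subject Set
                  required: true
                - name: object
                  in: query
                  type: string
                  description: Object of the Subject Set
                  required: true
                - name: relation
                  in: query
                  type: string
                  description: Relation of the Subject Set
                  required: true
                - name: max-depth
                  in: query
                  type: integer
  exposes:
    # REST adapter. No authentication or authorization setting is visible on this adapter in
    # this spec, so anything that can reach port 8080 can query authorization decisions and
    # expand relation trees. Keep the listener on an internal network or behind an
    # authenticating gateway, and log callers.
    - type: rest
      namespace: keto-permission-rest
      port: 8080
      description: REST adapter for Ory Keto API — permission. One Spectral-compliant resource per consumed operation, prefixed
        with /v1.
      resources:
        - path: /v1/relation-tuples/batch/check
          name: relation-tuples-batch-check
          description: REST surface for relation-tuples-batch-check.
          operations:
            - method: POST
              name: batchcheckpermission
              description: Batch check permissions
              call: keto-permission.batchcheckpermission
              with:
                # Caller-supplied depth and body are passed through unchanged.
                max-depth: rest.max-depth
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/relation-tuples/check
          name: relation-tuples-check
          description: REST surface for relation-tuples-check.
          operations:
            - method: GET
              name: checkpermissionorerror
              description: Check a permission
              call: keto-permission.checkpermissionorerror
              with:
                namespace: rest.namespace
                object: rest.object
                relation: rest.relation
                subject_id: rest.subject_id
                # NOTE(review): these parameter names contain a dot, and the reference syntax
                # also uses dots (`rest.<name>`); confirm the resolver reads them as one flat
                # name rather than a nested path.
                subject_set.namespace: rest.subject_set.namespace
                subject_set.object: rest.subject_set.object
                subject_set.relation: rest.subject_set.relation
                max-depth: rest.max-depth
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: postcheckpermissionorerror
              description: Check a permission
              call: keto-permission.postcheckpermissionorerror
              with:
                max-depth: rest.max-depth
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/relation-tuples/check/openapi
          name: relation-tuples-check-openapi
          description: REST surface for relation-tuples-check-openapi.
          operations:
            - method: GET
              name: checkpermission
              description: Check a permission
              call: keto-permission.checkpermission
              with:
                namespace: rest.namespace
                object: rest.object
                relation: rest.relation
                subject_id: rest.subject_id
                subject_set.namespace: rest.subject_set.namespace
                subject_set.object: rest.subject_set.object
                subject_set.relation: rest.subject_set.relation
                max-depth: rest.max-depth
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: postcheckpermission
              description: Check a permission
              call: keto-permission.postcheckpermission
              with:
                max-depth: rest.max-depth
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/relation-tuples/expand
          name: relation-tuples-expand
          description: REST surface for relation-tuples-expand.
          operations:
            - method: GET
              name: expandpermissions
              description: Expand a Relationship into permissions.
              call: keto-permission.expandpermissions
              with:
                namespace: rest.namespace
                object: rest.object
                relation: rest.relation
                max-depth: rest.max-depth
              outputParameters:
                - type: object
                  mapping: $.
    # MCP adapter over HTTP. As with the REST adapter, no authentication setting is visible
    # here; an agent (or anything else reaching port 9090) gets the same view of the
    # authorization graph. Tool arguments come from model output, so treat them as untrusted
    # input and restrict which clients may connect.
    - type: mcp
      namespace: keto-permission-mcp
      port: 9090
      transport: http
      description: MCP adapter for Ory Keto API — permission. One tool per consumed operation, routed inline through this capability's
        consumes block.
      tools:
        # The `hints` values are descriptive metadata for the client; nothing in this spec
        # shows them being enforced, so they should not be relied on as an access control.
        - name: batch-check-permissions
          description: Batch check permissions
          hints:
            readOnly: true
            destructive: false
            idempotent: false
          call: keto-permission.batchcheckpermission
          with:
            max-depth: tools.max-depth
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        # NOTE(review): the four check-permission* tools share one description, so a model has
        # no way to tell them apart even though they call different upstream operations (the
        # "orerror" and plain variants, GET and POST). Consider distinct descriptions so a
        # caller does not misread how a denial is reported.
        - name: check-permission
          description: Check a permission
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keto-permission.checkpermissionorerror
          with:
            namespace: tools.namespace
            object: tools.object
            relation: tools.relation
            subject_id: tools.subject_id
            subject_set.namespace: tools.subject_set.namespace
            subject_set.object: tools.subject_set.object
            subject_set.relation: tools.subject_set.relation
            max-depth: tools.max-depth
          outputParameters:
            - type: object
              mapping: $.
        - name: check-permission-2
          description: Check a permission
          hints:
            readOnly: true
            destructive: false
            idempotent: false
          call: keto-permission.postcheckpermissionorerror
          with:
            max-depth: tools.max-depth
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: check-permission-3
          description: Check a permission
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keto-permission.checkpermission
          with:
            namespace: tools.namespace
            object: tools.object
            relation: tools.relation
            subject_id: tools.subject_id
            subject_set.namespace: tools.subject_set.namespace
            subject_set.object: tools.subject_set.object
            subject_set.relation: tools.subject_set.relation
            max-depth: tools.max-depth
          outputParameters:
            - type: object
              mapping: $.
        - name: check-permission-4
          description: Check a permission
          hints:
            readOnly: true
            destructive: false
            idempotent: false
          call: keto-permission.postcheckpermission
          with:
            max-depth: tools.max-depth
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        # Returns the subject tree for a relation; the result lands in the model's context, so
        # scope which objects an agent session is allowed to expand.
        - name: expand-relationship-permissions
          description: Expand a Relationship into permissions.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: keto-permission.expandpermissions
          with:
            namespace: tools.namespace
            object: tools.object
            relation: tools.relation
            max-depth: tools.max-depth
          outputParameters:
            - type: object
              mapping: $.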