Skip to main content

Perform a Check

note
OpenFGA is an open source Fine-Grained Authorization solution based on Google's Zanzibar. We welcome community contribution to this project.

This section will illustrate how to perform a check request to determine whether a user has a certain relationship with an object.

Before You Start

  1. Deploy an instance of the OpenFGA server, and have ready the values for your setup: FGA_STORE_ID, FGA_API_HOST and, if needed, FGA_API_TOKEN.
  2. You have installed the SDK.
  3. You have configured the authorization model and updated the relationship tuples.
  4. You have loaded FGA_STORE_ID and FGA_API_HOST as environment variables.

Step By Step

Assume that you want to check whether user anne has relationship reader with object document:Z

01. Configure the OpenFGA API Client

Before calling the check API, you will need to configure the API client.

// import the SDK
const { OpenFgaApi } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaApi({
apiScheme: process.env.FGA_API_SCHEME, // Either "http" or "https", defaults to "https"
apiHost: process.env.FGA_API_HOST, // required, define without the scheme (e.g. api.openfga.example instead of https://api.openfga.example)
storeId: process.env.FGA_STORE_ID, // Either "http" or "https", defaults to "https"
});

02. Calling Check API

To check whether user anne has relationship reader with object document:Z


// Run a check
const { allowed } = await fgaClient.check({
tuple_key: {
user: 'anne',
relation: 'reader',
object: 'document:Z',
},
});

// allowed = true

The result's allowed field will return true if the relationship exists and false if the relationship does not exist.

OpenFGA Check API

Read the Check API documentation and see how it works.