# Naftiko capability describing the Auth0 FGA / OpenFGA HTTP API as a consumed
# service: store management, authorization models, relationship tuples, and
# authorization queries (check, expand, list, AuthZEN evaluation/search).
# NOTE(review): confirm the nesting of `info`, `binds` and `capability` below
# against the Naftiko schema for this spec version.
naftiko: 1.0.0-alpha2
info:
  label: "Auth0 FGA \u2014 Fine-Grained Authorization"
  description: Auth0 FGA (Fine-Grained Authorization) capability based on OpenFGA. Models, tuples, checks, expands, and stores for relationship-based access control inspired by Google Zanzibar.
  tags:
    - Auth0
    - FGA
    - OpenFGA
    - Authorization
    - Zanzibar
  created: '2026-05-22'
  modified: '2026-05-22'
# Values taken from the environment. Only FGA_API_URL is referenced in this
# file (in baseUri); FGA_STORE_ID and FGA_API_TOKEN are bound but never used.
# NOTE(review): keep the token in the environment or a secret store, never as
# a literal in this file.
binds:
  - namespace: env
    keys:
      FGA_API_URL: FGA_API_URL
      FGA_STORE_ID: FGA_STORE_ID
      FGA_API_TOKEN: FGA_API_TOKEN
capability:
  consumes:
    # NOTE(review): no authentication setting is declared on this consumer, so
    # as written nothing attaches FGA_API_TOKEN to outgoing requests. Unless the
    # runtime injects it implicitly, calls would be sent unauthenticated.
    # TODO confirm how the Naftiko schema expects a bearer token to be wired in.
    # NOTE(review): FGA_API_URL should be an https:// endpoint, since
    # authorization decisions (and the token, once wired) travel over it.
    - type: http
      namespace: auth0-fga
      baseUri: '{FGA_API_URL}'
      description: Auth0 FGA / OpenFGA API.
      # NOTE(review): every path below carries `store_id`,
      # `authorization_model_id` and `id` as literal segments with no
      # placeholder syntax, and FGA_STORE_ID is not substituted anywhere. The
      # resource names are hyphenated (e.g. `batch-check`, `list-objects`,
      # `authorization-models`) while the paths split those on `/`; upstream
      # OpenFGA uses the hyphenated forms. This looks like templating and
      # hyphens lost during generation; verify each path against the OpenFGA
      # API reference before relying on it.
      # This single consumer mixes read-only decision endpoints with
      # store/model/tuple mutation; the token should carry only the permissions
      # the caller actually needs.
      resources:
        - name: .well-known-authzen-configuration-store_id
          path: /.well/known/authzen/configuration/store_id
          operations:
            - name: GetConfiguration
              method: GET
              description: '[Experimental] Get AuthZEN PDP configuration and capabilities'
              outputRawFormat: json
        - name: stores
          path: /stores
          operations:
            - name: ListStores
              method: GET
              description: List all stores
              outputRawFormat: json
            # Mutating: creates a new store.
            - name: CreateStore
              method: POST
              description: Create a store
              outputRawFormat: json
        - name: stores-store_id
          path: /stores/store_id
          operations:
            - name: GetStore
              method: GET
              description: Get a store
              outputRawFormat: json
            # Destructive: deletes the store. Restrict to administrative callers.
            - name: DeleteStore
              method: DELETE
              description: Delete a store
              outputRawFormat: json
        # AuthZEN endpoints (marked experimental by their descriptions).
        - name: stores-store_id-access-v1-evaluation
          path: /stores/store_id/access/v1/evaluation
          operations:
            - name: Evaluation
              method: POST
              description: '[Experimental] Evaluate whether a subject can perform an action on a resource'
              outputRawFormat: json
        - name: stores-store_id-access-v1-evaluations
          path: /stores/store_id/access/v1/evaluations
          operations:
            - name: Evaluations
              method: POST
              description: '[Experimental] Check whether one or more users are authorized to access resources'
              outputRawFormat: json
        - name: stores-store_id-access-v1-search-action
          path: /stores/store_id/access/v1/search/action
          operations:
            - name: ActionSearch
              method: POST
              description: '[Experimental] Search for actions a subject can perform on a resource'
              outputRawFormat: json
        - name: stores-store_id-access-v1-search-resource
          path: /stores/store_id/access/v1/search/resource
          operations:
            - name: ResourceSearch
              method: POST
              description: '[Experimental] Search for resources a subject has access to'
              outputRawFormat: json
        - name: stores-store_id-access-v1-search-subject
          path: /stores/store_id/access/v1/search/subject
          operations:
            - name: SubjectSearch
              method: POST
              description: '[Experimental] Search for subjects with access to a resource'
              outputRawFormat: json
        - name: stores-store_id-assertions-authorization_model_id
          path: /stores/store_id/assertions/authorization_model_id
          operations:
            - name: ReadAssertions
              method: GET
              description: Read assertions for an authorization model ID
              outputRawFormat: json
            # Mutating: upserts assertions for the model.
            - name: WriteAssertions
              method: PUT
              description: Upsert assertions for an authorization model ID
              outputRawFormat: json
        - name: stores-store_id-authorization-models
          path: /stores/store_id/authorization/models
          operations:
            - name: ReadAuthorizationModels
              method: GET
              description: Return all the authorization models for a particular store
              outputRawFormat: json
            # Mutating: a new model changes how relationships are evaluated.
            # Treat as an administrative operation.
            - name: WriteAuthorizationModel
              method: POST
              description: Create a new authorization model
              outputRawFormat: json
        - name: stores-store_id-authorization-models-id
          path: /stores/store_id/authorization/models/id
          operations:
            - name: ReadAuthorizationModel
              method: GET
              description: Return a particular version of an authorization model
              outputRawFormat: json
        - name: stores-store_id-batch-check
          path: /stores/store_id/batch/check
          operations:
            - name: BatchCheck
              method: POST
              description: Send a list of `check` operations in a single request
              outputRawFormat: json
        # Returns the tuple change history; the response describes who was
        # granted or lost access.
        - name: stores-store_id-changes
          path: /stores/store_id/changes
          operations:
            - name: ReadChanges
              method: GET
              description: Return a list of all the tuple changes
              outputRawFormat: json
        - name: stores-store_id-check
          path: /stores/store_id/check
          operations:
            - name: Check
              method: POST
              description: Check whether a user is authorized to access an object
              outputRawFormat: json
        - name: stores-store_id-expand
          path: /stores/store_id/expand
          operations:
            - name: Expand
              method: POST
              description: Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship
              outputRawFormat: json
        - name: stores-store_id-list-objects
          path: /stores/store_id/list/objects
          operations:
            - name: ListObjects
              method: POST
              description: List all objects of the given type that the user has a relation with
              outputRawFormat: json
        - name: stores-store_id-list-users
          path: /stores/store_id/list/users
          operations:
            - name: ListUsers
              method: POST
              description: List the users matching the provided filter who have a certain relation to a particular type.
              outputRawFormat: json
        # Returns raw relationship tuples (no rewrite rules applied).
        - name: stores-store_id-read
          path: /stores/store_id/read
          operations:
            - name: Read
              method: POST
              description: Get tuples from the store that matches a query, without following userset rewrite rules
              outputRawFormat: json
        - name: stores-store_id-streamed-list-objects
          path: /stores/store_id/streamed/list/objects
          operations:
            - name: StreamedListObjects
              method: POST
              description: Stream all objects of the given type that the user has a relation with
              outputRawFormat: json
        # Mutating: adds or deletes tuples, i.e. grants or revokes access.
        # Restrict to callers that are meant to manage permissions.
        - name: stores-store_id-write
          path: /stores/store_id/write
          operations:
            - name: Write
              method: POST
              description: Add or delete tuples from the store
              outputRawFormat: json