package authzed.api.v1

Get desktop application:
View/edit binary Protocol Buffers messages

ExperimentalService exposes a number of APIs that are currently being prototyped and tested for future inclusion in the stable API.

• rpc BulkCheckPermission (BulkCheckPermissionRequest, BulkCheckPermissionResponse)

  experimental_service.proto:49

  NOTE: BulkCheckPermission has been promoted to the stable API as "CheckBulkPermission" and the API will be removed from experimental in a future release.

  message BulkCheckPermissionRequest

  experimental_service.proto:179

  NOTE: Deprecated now that BulkCheckPermission has been promoted to the stable API as "CheckBulkPermission".

  • optional Consistency consistency = 1

  • repeated BulkCheckPermissionRequestItem items = 2

  message BulkCheckPermissionResponse

  experimental_service.proto:198

  • optional ZedToken checked_at = 1

  • repeated BulkCheckPermissionPair pairs = 2

• rpc BulkExportRelationships (BulkExportRelationshipsRequest, stream BulkExportRelationshipsResponse)

  experimental_service.proto:39

  BulkExportRelationships is the fastest path available to exporting relationships from the server. It is resumable, and will return results in an order determined by the server.

  message BulkExportRelationshipsRequest

  experimental_service.proto:238

  BulkExportRelationshipsRequest represents a resumable request for all relationships from the server.

  • optional Consistency consistency = 1

  • uint32 optional_limit = 2

    optional_limit, if non-zero, specifies the limit on the number of relationships the server can return in one page. By default, the server will pick a page size, and the server is free to choose a smaller size at will.

  • optional Cursor optional_cursor = 3

    optional_cursor, if specified, indicates the cursor after which results should resume being returned. The cursor can be found on the BulkExportRelationshipsResponse object.

  • optional RelationshipFilter optional_relationship_filter = 4

    optional_relationship_filter, if specified, indicates the filter to apply to each relationship to be exported.

  message BulkExportRelationshipsResponse

  experimental_service.proto:261

  BulkExportRelationshipsResponse is one page in a stream of relationship groups that meet the criteria specified by the originating request. The server will continue to stream back relationship groups as quickly as it can until all relationships have been transmitted back.

  • optional Cursor after_result_cursor = 1

  • repeated Relationship relationships = 2

• rpc BulkImportRelationships (stream BulkImportRelationshipsRequest, BulkImportRelationshipsResponse)

  experimental_service.proto:28

  BulkImportRelationships is a faster path to writing a large number of relationships at once. It is both batched and streaming. For maximum performance, the caller should attempt to write relationships in as close to relationship sort order as possible: (resource.object_type, resource.object_id, relation, subject.object.object_type, subject.object.object_id, subject.optional_relation) EXPERIMENTAL https://github.com/authzed/spicedb/issues/1303

  message BulkImportRelationshipsRequest

  experimental_service.proto:225

  BulkImportRelationshipsRequest represents one batch of the streaming BulkImportRelationships API. The maximum size is only limited by the backing datastore, and optimal size should be determined by the calling client experimentally. When BulkImport is invoked and receives its first request message, a transaction is opened to import the relationships. All requests sent to the same invocation are executed under this single transaction. If a relationship already exists within the datastore, the entire transaction will fail with an error.

  • repeated Relationship relationships = 1

  message BulkImportRelationshipsResponse

  experimental_service.proto:232

  BulkImportRelationshipsResponse is returned on successful completion of the bulk load stream, and contains the total number of relationships loaded.

  • uint64 num_loaded = 1

• rpc ExperimentalComputablePermissions (ExperimentalComputablePermissionsRequest, ExperimentalComputablePermissionsResponse)

  experimental_service.proto:69

  DEPRECATED: Promoted to ComputablePermissions in the stable API.

  message ExperimentalComputablePermissionsRequest

  experimental_service.proto:374

  • optional Consistency consistency = 1

  • string definition_name = 2

  • string relation_name = 3

  • string optional_definition_name_filter = 4

    optional_definition_name_match is a prefix that is matched against the definition name(s) for the permissions returned. If not specified, will be ignored.

  message ExperimentalComputablePermissionsResponse

  experimental_service.proto:392

  • repeated ExpRelationReference permissions = 1

  • optional ZedToken read_at = 2

    read_at is the ZedToken at which the schema was read.

• rpc ExperimentalCountRelationships (ExperimentalCountRelationshipsRequest, ExperimentalCountRelationshipsResponse)

  experimental_service.proto:109

  EXPERIMENTAL: CountRelationships returns the count of relationships for *pre-registered* filter.

  message ExperimentalCountRelationshipsRequest

  experimental_service.proto:142

  • string name = 1

    name is the name of the counter whose count is being requested.

  message ExperimentalCountRelationshipsResponse

  experimental_service.proto:150

  • oneof counter_result

    • bool counter_still_calculating = 1

      counter_still_calculating is true if the counter is still calculating the count.

    • ReadCounterValue read_counter_value = 2

      read_counter_value is the value of the counter at the time of the read.

• rpc ExperimentalDependentRelations (ExperimentalDependentRelationsRequest, ExperimentalDependentRelationsResponse)

  experimental_service.proto:79

  DEPRECATED: Promoted to DependentRelations in the stable API.

  message ExperimentalDependentRelationsRequest

  experimental_service.proto:399

  • optional Consistency consistency = 1

  • string definition_name = 2

  • string permission_name = 3

  message ExperimentalDependentRelationsResponse

  experimental_service.proto:405

  • repeated ExpRelationReference relations = 1

  • optional ZedToken read_at = 2

    read_at is the ZedToken at which the schema was read.

• rpc ExperimentalDiffSchema (ExperimentalDiffSchemaRequest, ExperimentalDiffSchemaResponse)

  experimental_service.proto:89

  DEPRECATED: Promoted to DiffSchema in the stable API.

  message ExperimentalDiffSchemaRequest

  experimental_service.proto:412

  • optional Consistency consistency = 1

  • string comparison_schema = 2

  message ExperimentalDiffSchemaResponse

  experimental_service.proto:417

  • repeated ExpSchemaDiff diffs = 1

  • optional ZedToken read_at = 2

    read_at is the ZedToken at which the schema was read.

• rpc ExperimentalReflectSchema (ExperimentalReflectSchemaRequest, ExperimentalReflectSchemaResponse)

  experimental_service.proto:59

  DEPRECATED: Promoted to ReflectSchema in the stable API.

  message ExperimentalReflectSchemaRequest

  experimental_service.proto:268

  • optional Consistency consistency = 1

  • repeated ExpSchemaFilter optional_filters = 2

    optional_filters defines optional filters that are applied in an OR fashion to the schema, before being returned

  message ExperimentalReflectSchemaResponse

  experimental_service.proto:276

  • repeated ExpDefinition definitions = 1

    definitions are the definitions defined in the schema.

  • repeated ExpCaveat caveats = 2

    caveats are the caveats defined in the schema.

  • optional ZedToken read_at = 3

    read_at is the ZedToken at which the schema was read.

• rpc ExperimentalRegisterRelationshipCounter (ExperimentalRegisterRelationshipCounterRequest, ExperimentalRegisterRelationshipCounterResponse)

  experimental_service.proto:100

  EXPERIMENTAL: RegisterRelationshipCounter registers a new filter for counting relationships. A filter must be registered before a count can be requested.

  message ExperimentalRegisterRelationshipCounterRequest

  experimental_service.proto:127

  • string name = 1

    name is the name of the counter being registered.

  • optional RelationshipFilter relationship_filter = 2

    relationship_filter defines the filter to be applied to the relationships to be counted.

  message ExperimentalRegisterRelationshipCounterResponse

  experimental_service.proto:140

  (message has no fields)

• rpc ExperimentalUnregisterRelationshipCounter (ExperimentalUnregisterRelationshipCounterRequest, ExperimentalUnregisterRelationshipCounterResponse)

  experimental_service.proto:118

  EXPERIMENTAL: UnregisterRelationshipCounter unregisters an existing filter for counting relationships.

  message ExperimentalUnregisterRelationshipCounterRequest

  experimental_service.proto:168

  • string name = 1

    name is the name of the counter being unregistered.

  message ExperimentalUnregisterRelationshipCounterResponse

  experimental_service.proto:176

  (message has no fields)

PermissionsService implements a set of RPCs that perform operations on relationships and permissions.

• rpc CheckBulkPermissions (CheckBulkPermissionsRequest, CheckBulkPermissionsResponse)

  permission_service.proto:65

  CheckBulkPermissions evaluates the given list of permission checks and returns the list of results.

  message CheckBulkPermissionsRequest

  permission_service.proto:420

  CheckBulkPermissionsRequest issues a check on whether a subject has permission or is a member of a relation on a specific resource for each item in the list. The ordering of the items in the response is maintained in the response. Checks with the same subject/permission will automatically be batched for performance optimization.

  • optional Consistency consistency = 1

  • repeated CheckBulkPermissionsRequestItem items = 2

  • bool with_tracing = 3

    with_tracing, if true, indicates that each response should include a debug trace. This can be useful for debugging and performance analysis, but adds a small amount of compute overhead to the request.

  message CheckBulkPermissionsResponse

  permission_service.proto:444

  • optional ZedToken checked_at = 1

  • repeated CheckBulkPermissionsPair pairs = 2

• rpc CheckPermission (CheckPermissionRequest, CheckPermissionResponse)

  permission_service.proto:55

  CheckPermission determines for a given resource whether a subject computes to having a permission or is a direct member of a particular relation.

  message CheckPermissionRequest

  permission_service.proto:359

  CheckPermissionRequest issues a check on whether a subject has a permission or is a member of a relation, on a specific resource.

  • optional Consistency consistency = 1

  • optional ObjectReference resource = 2

    resource is the resource on which to check the permission or relation.

  • string permission = 3

    permission is the name of the permission (or relation) on which to execute the check.

  • optional SubjectReference subject = 4

    subject is the subject that will be checked for the permission or relation.

  • optional google.protobuf.Struct context = 5

    context consists of named values that are injected into the caveat evaluation context

  • bool with_tracing = 6

    with_tracing, if true, indicates that the response should include a debug trace. This can be useful for debugging and performance analysis, but adds a small amount of compute overhead to the request.

  message CheckPermissionResponse

  permission_service.proto:384

  • optional ZedToken checked_at = 1

  • CheckPermissionResponse.Permissionship permissionship = 2

    Permissionship communicates whether or not the subject has the requested permission or has a relationship with the given resource, over the given relation. This value will be authzed.api.v1.PERMISSIONSHIP_HAS_PERMISSION if the requested subject is a member of the computed permission set or there exists a relationship with the requested relation from the given resource to the given subject.

  • optional PartialCaveatInfo partial_caveat_info = 3

    partial_caveat_info holds information of a partially-evaluated caveated response

  • optional DebugInformation debug_trace = 4

    debug_trace is the debugging trace of this check, if requested.

  • optional google.protobuf.Timestamp optional_expires_at = 5

    optional_expires_at is the time at which at least one of the relationships used to compute this result, expires (if any). This is *not* related to the caching window.

• rpc DeleteRelationships (DeleteRelationshipsRequest, DeleteRelationshipsResponse)

  permission_service.proto:45

  DeleteRelationships atomically bulk deletes all relationships matching the provided filter. If no relationships match, none will be deleted and the operation will succeed. An optional set of preconditions can be provided that must be satisfied for the operation to commit.

  message DeleteRelationshipsRequest

  permission_service.proto:310

  DeleteRelationshipsRequest specifies which Relationships should be deleted, requesting the delete of *ALL* relationships that match the specified filters. If the optional_preconditions parameter is included, all of the specified preconditions must also be satisfied before the delete will be executed.

  • optional RelationshipFilter relationship_filter = 1

  • repeated Precondition optional_preconditions = 2

    To be bounded by configuration

  • uint32 optional_limit = 3

    optional_limit, if non-zero, specifies the limit on the number of relationships to be deleted. If there are more matching relationships found to be deleted than the limit specified here, the deletion call will fail with an error to prevent partial deletion. If partial deletion is needed, specify below that partial deletion is allowed. Partial deletions can be used in a loop to delete large amounts of relationships in a *non-transactional* manner.

  • bool optional_allow_partial_deletions = 4

    optional_allow_partial_deletions, if true and a limit is specified, will delete matching found relationships up to the count specified in optional_limit, and no more.

  • optional google.protobuf.Struct optional_transaction_metadata = 5

    optional_transaction_metadata is an optional field that can be used to store metadata about the transaction. If specified, this metadata will be supplied in the WatchResponse for the deletions associated with this transaction.

  message DeleteRelationshipsResponse

  permission_service.proto:335

  • optional ZedToken deleted_at = 1

    deleted_at is the revision at which the relationships were deleted.

  • DeleteRelationshipsResponse.DeletionProgress deletion_progress = 2

    deletion_progress is an enumeration of the possible outcomes that occurred when attempting to delete the specified relationships.

• rpc ExpandPermissionTree (ExpandPermissionTreeRequest, ExpandPermissionTreeResponse)

  permission_service.proto:76

  ExpandPermissionTree reveals the graph structure for a resource's permission or relation. This RPC does not recurse infinitely deep and may require multiple calls to fully unnest a deeply nested graph.

  message ExpandPermissionTreeRequest

  permission_service.proto:474

  ExpandPermissionTreeRequest returns a tree representing the expansion of all relationships found accessible from a permission or relation on a particular resource. ExpandPermissionTreeRequest is typically used to determine the full set of subjects with a permission, along with the relationships that grant said access.

  • optional Consistency consistency = 1

  • optional ObjectReference resource = 2

    resource is the resource over which to run the expansion.

  • string permission = 3

    permission is the name of the permission or relation over which to run the expansion for the resource.

  message ExpandPermissionTreeResponse

  permission_service.proto:488

  • optional ZedToken expanded_at = 1

  • optional PermissionRelationshipTree tree_root = 2

    tree_root is a tree structure whose leaf nodes are subjects, and intermediate nodes represent the various operations (union, intersection, exclusion) to reach those subjects.

• rpc ExportBulkRelationships (ExportBulkRelationshipsRequest, stream ExportBulkRelationshipsResponse)

  permission_service.proto:122

  ExportBulkRelationships is the fastest path available to exporting relationships from the server. It is resumable, and will return results in an order determined by the server.

  message ExportBulkRelationshipsRequest

  permission_service.proto:703

  ExportBulkRelationshipsRequest represents a resumable request for all relationships from the server.

  • optional Consistency consistency = 1

  • uint32 optional_limit = 2

    optional_limit, if non-zero, specifies the limit on the number of relationships the server can return in one page. By default, the server will pick a page size, and the server is free to choose a smaller size at will.

  • optional Cursor optional_cursor = 3

    optional_cursor, if specified, indicates the cursor after which results should resume being returned. The cursor can be found on the BulkExportRelationshipsResponse object.

  • optional RelationshipFilter optional_relationship_filter = 4

    optional_relationship_filter, if specified, indicates the filter to apply to each relationship to be exported.

  message ExportBulkRelationshipsResponse

  permission_service.proto:726

  ExportBulkRelationshipsResponse is one page in a stream of relationship groups that meet the criteria specified by the originating request. The server will continue to stream back relationship groups as quickly as it can until all relationships have been transmitted back.

  • optional Cursor after_result_cursor = 1

  • repeated Relationship relationships = 2

• rpc ImportBulkRelationships (stream ImportBulkRelationshipsRequest, ImportBulkRelationshipsResponse)

  permission_service.proto:111

  ImportBulkRelationships is a faster path to writing a large number of relationships at once. It is both batched and streaming. For maximum performance, the caller should attempt to write relationships in as close to relationship sort order as possible: (resource.object_type, resource.object_id, relation, subject.object.object_type, subject.object.object_id, subject.optional_relation). All relationships written are done so under a single transaction.

  message ImportBulkRelationshipsRequest

  permission_service.proto:690

  ImportBulkRelationshipsRequest represents one batch of the streaming ImportBulkRelationships API. The maximum size is only limited by the backing datastore, and optimal size should be determined by the calling client experimentally. When ImportBulk is invoked and receives its first request message, a transaction is opened to import the relationships. All requests sent to the same invocation are executed under this single transaction. If a relationship already exists within the datastore, the entire transaction will fail with an error.

  • repeated Relationship relationships = 1

  message ImportBulkRelationshipsResponse

  permission_service.proto:697

  ImportBulkRelationshipsResponse is returned on successful completion of the bulk load stream, and contains the total number of relationships loaded.

  • uint64 num_loaded = 1

• rpc LookupResources (LookupResourcesRequest, stream LookupResourcesResponse)

  permission_service.proto:86

  LookupResources returns all the resources of a given type that a subject can access whether via a computed permission or relation membership.

  message LookupResourcesRequest

  permission_service.proto:500

  LookupResourcesRequest performs a lookup of all resources of a particular kind on which the subject has the specified permission or the relation in which the subject exists, streaming back the IDs of those resources.

  • optional Consistency consistency = 1

  • string resource_object_type = 2

    resource_object_type is the type of resource object for which the IDs will be returned.

  • string permission = 3

    permission is the name of the permission or relation for which the subject must Check.

  • optional SubjectReference subject = 4

    subject is the subject with access to the resources.

  • optional google.protobuf.Struct context = 5

    context consists of named values that are injected into the caveat evaluation context

  • uint32 optional_limit = 6

    optional_limit, if non-zero, specifies the limit on the number of resources to return before the stream is closed on the server side. By default, the stream will continue resolving resources until exhausted or the stream is closed due to the client or a network issue.

  • optional Cursor optional_cursor = 7

    optional_cursor, if specified, indicates the cursor after which results should resume being returned. The cursor can be found on the LookupResourcesResponse object.

  message LookupResourcesResponse

  permission_service.proto:543

  LookupResourcesResponse contains a single matching resource object ID for the requested object type, permission, and subject.

  • optional ZedToken looked_up_at = 1

    looked_up_at is the ZedToken at which the resource was found.

  • string resource_object_id = 2

    resource_object_id is the object ID of the found resource.

  • LookupPermissionship permissionship = 3

    permissionship indicates whether the response was partially evaluated or not

  • optional PartialCaveatInfo partial_caveat_info = 4

    partial_caveat_info holds information of a partially-evaluated caveated response

  • optional Cursor after_result_cursor = 5

    after_result_cursor holds a cursor that can be used to resume the LookupResources stream after this result.

• rpc LookupSubjects (LookupSubjectsRequest, stream LookupSubjectsResponse)

  permission_service.proto:96

  LookupSubjects returns all the subjects of a given type that have access whether via a computed permission or relation membership.

  message LookupSubjectsRequest

  permission_service.proto:564

  LookupSubjectsRequest performs a lookup of all subjects of a particular kind for which the subject has the specified permission or the relation in which the subject exists, streaming back the IDs of those subjects.

  • optional Consistency consistency = 1

  • optional ObjectReference resource = 2

    resource is the resource for which all matching subjects for the permission or relation will be returned.

  • string permission = 3

    permission is the name of the permission (or relation) for which to find the subjects.

  • string subject_object_type = 4

    subject_object_type is the type of subject object for which the IDs will be returned.

  • string optional_subject_relation = 5

    optional_subject_relation is the optional relation for the subject.

  • optional google.protobuf.Struct context = 6

    context consists of named values that are injected into the caveat evaluation context

  • uint32 optional_concrete_limit = 7

    optional_concrete_limit, if non-zero, specifies the limit on the number of *concrete* (non-wildcard) subjects to return before the stream is closed on the server side. With the default value of zero, the stream will continue resolving concrete subjects until exhausted or the stream is closed due to the client or a network issue. NOTE: Wildcard subjects ("*") have special treatment when cursors and limits are used. Because wildcards can apply to *any* concrete subjects, if a wildcard subject is found within the dataset, a wildcard subject can be returned for *all* LookupSubjects calls, regardless of the cursor or limit. For example, if wildcards are requested, a wildcard subject exists, there is a specified limit of 10 concrete subjects, and at least 10 concrete subjects exist, the API will return 11 subjects in total: the 10 concrete + the wildcard Furthermore, if a wildcard has a set of exclusions generated by the dataset, the exclusions *will respect the cursor* and only a *partial* set of exclusions will be returned for each invocation of the API. ***IT IS UP TO THE CALLER IN THIS CASE TO COMBINE THE EXCLUSIONS IF DESIRED***

  • optional Cursor optional_cursor = 8

    optional_cursor, if specified, indicates the cursor after which results should resume being returned. The cursor can be found on the LookupSubjectsResponse object. NOTE: See above for notes about how cursors interact with wildcard subjects.

  • LookupSubjectsRequest.WildcardOption wildcard_option = 9

    wildcard_option specifies whether wildcards should be returned by LookupSubjects. For backwards compatibility, defaults to WILDCARD_OPTION_INCLUDE_WILDCARDS if unspecified.

  message LookupSubjectsResponse

  permission_service.proto:635

  LookupSubjectsResponse contains a single matching subject object ID for the requested subject object type on the permission or relation.

  • optional ZedToken looked_up_at = 1

  • string subject_object_id = 2

    subject_object_id is the Object ID of the subject found. May be a `*` if a wildcard was found. deprecated: use `subject`

  • repeated string excluded_subject_ids = 3

    excluded_subject_ids are the Object IDs of the subjects excluded. This list will only contain object IDs if `subject_object_id` is a wildcard (`*`) and will only be populated if exclusions exist from the wildcard. deprecated: use `excluded_subjects`

  • LookupPermissionship permissionship = 4

    permissionship indicates whether the response was partially evaluated or not deprecated: use `subject.permissionship`

  • optional PartialCaveatInfo partial_caveat_info = 5

    partial_caveat_info holds information of a partially-evaluated caveated response deprecated: use `subject.partial_caveat_info`

  • optional ResolvedSubject subject = 6

    subject is the subject found, along with its permissionship.

  • repeated ResolvedSubject excluded_subjects = 7

    excluded_subjects are the subjects excluded. This list will only contain subjects if `subject.subject_object_id` is a wildcard (`*`) and will only be populated if exclusions exist from the wildcard.

  • optional Cursor after_result_cursor = 8

    after_result_cursor holds a cursor that can be used to resume the LookupSubjects stream after this result.

• rpc ReadRelationships (ReadRelationshipsRequest, stream ReadRelationshipsResponse)

  permission_service.proto:22

  ReadRelationships reads a set of the relationships matching one or more filters.

  message ReadRelationshipsRequest

  permission_service.proto:231

  ReadRelationshipsRequest specifies one or more filters used to read matching relationships within the system.

  • optional Consistency consistency = 1

  • optional RelationshipFilter relationship_filter = 2

    relationship_filter defines the filter to be applied to the relationships to be returned.

  • uint32 optional_limit = 3

    optional_limit, if non-zero, specifies the limit on the number of relationships to return before the stream is closed on the server side. By default, the stream will continue resolving relationships until exhausted or the stream is closed due to the client or a network issue.

  • optional Cursor optional_cursor = 4

    optional_cursor, if specified, indicates the cursor after which results should resume being returned. The cursor can be found on the ReadRelationshipsResponse object.

  message ReadRelationshipsResponse

  permission_service.proto:253

  ReadRelationshipsResponse contains a Relationship found that matches the specified relationship filter(s). A instance of this response message will be streamed to the client for each relationship found.

  • optional ZedToken read_at = 1

    read_at is the ZedToken at which the relationship was found.

  • optional Relationship relationship = 2

    relationship is the found relationship.

  • optional Cursor after_result_cursor = 3

    after_result_cursor holds a cursor that can be used to resume the ReadRelationships stream after this result.

• rpc WriteRelationships (WriteRelationshipsRequest, WriteRelationshipsResponse)

  permission_service.proto:33

  WriteRelationships atomically writes and/or deletes a set of specified relationships. An optional set of preconditions can be provided that must be satisfied for the operation to commit.

  message WriteRelationshipsRequest

  permission_service.proto:289

  WriteRelationshipsRequest contains a list of Relationship mutations that should be applied to the service. If the optional_preconditions parameter is included, all of the specified preconditions must also be satisfied before the write will be committed. All updates will be applied transactionally, and if any preconditions fail, the entire transaction will be reverted.

  • repeated RelationshipUpdate updates = 1

  • repeated Precondition optional_preconditions = 2

    To be bounded by configuration

  • optional google.protobuf.Struct optional_transaction_metadata = 3

    optional_transaction_metadata is an optional field that can be used to store metadata about the transaction. If specified, this metadata will be supplied in the WatchResponse for the updates associated with this transaction.

  message WriteRelationshipsResponse

  permission_service.proto:303

  • optional ZedToken written_at = 1

SchemaService implements operations on a Permissions System's Schema.

• rpc ComputablePermissions (ComputablePermissionsRequest, ComputablePermissionsResponse)

  schema_service.proto:50

  ComputablePermissions returns the set of permissions that compute based off a relation in the current schema. For example, if the schema has a relation `viewer` and a permission `view` defined as `permission view = viewer + editor`, then the computable permissions for the relation `viewer` will include `view`.

  message ComputablePermissionsRequest

  schema_service.proto:216

  • optional Consistency consistency = 1

  • string definition_name = 2

  • string relation_name = 3

  • string optional_definition_name_filter = 4

    optional_definition_name_match is a prefix that is matched against the definition name(s) for the permissions returned. If not specified, will be ignored.

  message ComputablePermissionsResponse

  schema_service.proto:234

  • repeated ReflectionRelationReference permissions = 1

  • optional ZedToken read_at = 2

    read_at is the ZedToken at which the schema was read.

• rpc DependentRelations (DependentRelationsRequest, DependentRelationsResponse)

  schema_service.proto:61

  DependentRelations returns the set of relations and permissions that used to compute a permission, recursively, in the current schema. It is the inverse of the ComputablePermissions API.

  message DependentRelationsRequest

  schema_service.proto:241

  • optional Consistency consistency = 1

  • string definition_name = 2

  • string permission_name = 3

  message DependentRelationsResponse

  schema_service.proto:247

  • repeated ReflectionRelationReference relations = 1

  • optional ZedToken read_at = 2

    read_at is the ZedToken at which the schema was read.

• rpc DiffSchema (DiffSchemaRequest, DiffSchemaResponse)

  schema_service.proto:71

  DiffSchema returns the difference between the specified schema and the current schema stored in SpiceDB.

  message DiffSchemaRequest

  schema_service.proto:254

  • optional Consistency consistency = 1

  • string comparison_schema = 2

  message DiffSchemaResponse

  schema_service.proto:259

  • repeated ReflectionSchemaDiff diffs = 1

  • optional ZedToken read_at = 2

    read_at is the ZedToken at which the schema was read.

• rpc ReadSchema (ReadSchemaRequest, ReadSchemaResponse)

  schema_service.proto:21

  Read returns the current Object Definitions for a Permissions System. Errors include: - INVALID_ARGUMENT: a provided value has failed to semantically validate - NOT_FOUND: no schema has been defined

  message ReadSchemaRequest

  schema_service.proto:81

  ReadSchemaRequest returns the schema from the database.

  (message has no fields)

  message ReadSchemaResponse

  schema_service.proto:85

  ReadSchemaResponse is the resulting data after having read the Object Definitions from a Schema.

  • string schema_text = 1

    schema_text is the textual form of the current schema in the system

  • optional ZedToken read_at = 2

    read_at is the ZedToken at which the schema was read.

• rpc ReflectSchema (ReflectSchemaRequest, ReflectSchemaResponse)

  schema_service.proto:38

  ReflectSchema reflects the current schema stored in SpiceDB, returning a structural form of the schema for use by client tooling.

  message ReflectSchemaRequest

  schema_service.proto:110

  • optional Consistency consistency = 1

  • repeated ReflectionSchemaFilter optional_filters = 2

    optional_filters defines optional filters that are applied in an OR fashion to the schema, before being returned

  message ReflectSchemaResponse

  schema_service.proto:118

  • repeated ReflectionDefinition definitions = 1

    definitions are the definitions defined in the schema.

  • repeated ReflectionCaveat caveats = 2

    caveats are the caveats defined in the schema.

  • optional ZedToken read_at = 3

    read_at is the ZedToken at which the schema was read.

• rpc WriteSchema (WriteSchemaRequest, WriteSchemaResponse)

  schema_service.proto:29

  Write overwrites the current Object Definitions for a Permissions System.

  message WriteSchemaRequest

  schema_service.proto:95

  WriteSchemaRequest is the required data used to "upsert" the Schema of a Permissions System.

  • string schema = 1

    The Schema containing one or more Object Definitions that will be written to the Permissions System.

    4MiB

  message WriteSchemaResponse

  schema_service.proto:103

  WriteSchemaResponse is the resulting data after having written a Schema to a Permissions System.

  • optional ZedToken written_at = 1

    written_at is the ZedToken at which the schema was written.

• rpc Watch (WatchRequest, stream WatchResponse)

  watch_service.proto:16

  message WatchRequest

  watch_service.proto:27

  WatchRequest specifies the object definitions for which we want to start watching mutations, and an optional start snapshot for when to start watching.

  • repeated string optional_object_types = 1

    optional_object_types is a filter of resource object types to watch for changes. If specified, only changes to the specified object types will be returned and optional_relationship_filters cannot be used.

  • optional ZedToken optional_start_cursor = 2

    optional_start_cursor is the ZedToken holding the point-in-time at which to start watching for changes. If not specified, the watch will begin at the current head revision of the datastore, returning any updates that occur after the caller makes the request. Note that if this cursor references a point-in-time containing data that has been garbage collected, an error will be returned.

  • repeated RelationshipFilter optional_relationship_filters = 3

    optional_relationship_filters, if specified, indicates the filter(s) to apply to each relationship to be returned by watch. The relationship will be returned as long as at least one filter matches, this allows clients to match relationships on multiple filters on a single watch call. If specified, optional_object_types cannot be used.

  message WatchResponse

  watch_service.proto:61

  WatchResponse contains all tuple modification events in ascending timestamp order, from the requested start snapshot to a snapshot encoded in the watch response. The client can use the snapshot to resume watching where the previous watch response left off.

  • repeated RelationshipUpdate updates = 1

    updates are the RelationshipUpdate events that have occurred since the last watch response.

  • optional ZedToken changes_through = 2

    changes_through is the ZedToken that represents the point in time that the watch response is current through. This token can be used in a subsequent WatchRequest to resume watching from this point.

  • optional google.protobuf.Struct optional_transaction_metadata = 3

    optional_transaction_metadata is an optional field that returns the transaction metadata given to SpiceDB during the transaction that produced the changes in this response. This field may not exist if no transaction metadata was provided.

AlgebraicSubjectSet is a subject set which is computed based on applying the specified operation to the operands according to the algebra of sets. UNION is a logical set containing the subject members from all operands. INTERSECTION is a logical set containing only the subject members which are present in all operands. EXCLUSION is a logical set containing only the subject members which are present in the first operand, and none of the other operands.

Used in: PermissionRelationshipTree

• AlgebraicSubjectSet.Operation operation = 1

• repeated PermissionRelationshipTree children = 2

Used in: AlgebraicSubjectSet

• OPERATION_UNSPECIFIED = 0

• OPERATION_UNION = 1

• OPERATION_INTERSECTION = 2

• OPERATION_EXCLUSION = 3

Used in: BulkCheckPermissionResponse

• optional BulkCheckPermissionRequestItem request = 1

• oneof response

  • BulkCheckPermissionResponseItem item = 2

  • google.rpc.Status error = 3

Used in: BulkCheckPermissionPair, BulkCheckPermissionRequest

• optional ObjectReference resource = 1

• string permission = 2

• optional SubjectReference subject = 3

• optional google.protobuf.Struct context = 4

Used in: BulkCheckPermissionPair

• CheckPermissionResponse.Permissionship permissionship = 1

• optional PartialCaveatInfo partial_caveat_info = 2

CaveatEvalInfo holds information about a caveat expression that was evaluated.

Used in: CheckDebugTrace

• string expression = 1

  expression is the expression that was evaluated.

• CaveatEvalInfo.Result result = 2

  result is the result of the evaluation.

• optional google.protobuf.Struct context = 3

  context consists of any named values that were used for evaluating the caveat expression.

• optional PartialCaveatInfo partial_caveat_info = 4

  partial_caveat_info holds information of a partially-evaluated caveated response, if applicable.

• string caveat_name = 5

  caveat_name is the name of the caveat that was executed, if applicable.

Used in: CaveatEvalInfo

• RESULT_UNSPECIFIED = 0

• RESULT_UNEVALUATED = 1

• RESULT_FALSE = 2

• RESULT_TRUE = 3

• RESULT_MISSING_SOME_CONTEXT = 4

Used in: CheckBulkPermissionsResponse

• optional CheckBulkPermissionsRequestItem request = 1

• oneof response

  • CheckBulkPermissionsResponseItem item = 2

  • google.rpc.Status error = 3

Used in: CheckBulkPermissionsPair, CheckBulkPermissionsRequest

• optional ObjectReference resource = 1

• string permission = 2

• optional SubjectReference subject = 3

• optional google.protobuf.Struct context = 4

Used in: CheckBulkPermissionsPair

• CheckPermissionResponse.Permissionship permissionship = 1

• optional PartialCaveatInfo partial_caveat_info = 2

• optional DebugInformation debug_trace = 3

  debug_trace is the debugging trace of this check, if requested.

CheckDebugTrace is a recursive trace of the requests made for resolving a CheckPermission API call.

Used in: CheckDebugTrace.SubProblems, DebugInformation

• optional ObjectReference resource = 1

  resource holds the resource on which the Check was performed. for batched calls, the object_id field contains a comma-separated list of object IDs for all the resources checked in the batch.

• string permission = 2

  permission holds the name of the permission or relation on which the Check was performed.

• CheckDebugTrace.PermissionType permission_type = 3

  permission_type holds information indicating whether it was a permission or relation.

• optional SubjectReference subject = 4

  subject holds the subject on which the Check was performed. This will be static across all calls within the same Check tree.

• CheckDebugTrace.Permissionship result = 5

  result holds the result of the Check call.

• optional CaveatEvalInfo caveat_evaluation_info = 8

  caveat_evaluation_info holds information about the caveat evaluated for this step of the trace.

• optional google.protobuf.Duration duration = 9

  duration holds the time spent executing this Check operation.

• oneof resolution

  resolution holds information about how the problem was resolved.

  • bool was_cached_result = 6

    was_cached_result, if true, indicates that the result was found in the cache and returned directly.

  • CheckDebugTrace.SubProblems sub_problems = 7

    sub_problems holds the sub problems that were executed to resolve the answer to this Check. An empty list and a permissionship of PERMISSIONSHIP_HAS_PERMISSION indicates the subject was found within this relation.

• optional google.protobuf.Timestamp optional_expires_at = 10

  optional_expires_at is the time at which at least one of the relationships used to compute this result, expires (if any). This is *not* related to the caching window.

• string trace_operation_id = 11

  trace_operation_id is a unique identifier for this trace's operation, that will be shared for all traces created for the same check operation in SpiceDB. In cases where SpiceDB performs automatic batching of subproblems, this ID can be used to correlate work that was shared across multiple traces. This identifier is generated by SpiceDB, is to be considered opaque to the caller and only guaranteed to be unique within the same overall Check or CheckBulk operation.

• string source = 12

  source holds the source of the result. It is of the form: `<sourcetype>:<sourceid>`, where sourcetype can be, among others: `spicedb`, `materialize`, etc.

Used in: CheckDebugTrace

• PERMISSION_TYPE_UNSPECIFIED = 0

• PERMISSION_TYPE_RELATION = 1

• PERMISSION_TYPE_PERMISSION = 2

Used in: CheckDebugTrace

• PERMISSIONSHIP_UNSPECIFIED = 0

• PERMISSIONSHIP_NO_PERMISSION = 1

• PERMISSIONSHIP_HAS_PERMISSION = 2

• PERMISSIONSHIP_CONDITIONAL_PERMISSION = 3

Used in: CheckDebugTrace

• repeated CheckDebugTrace traces = 1

Used in: BulkCheckPermissionResponseItem, CheckBulkPermissionsResponseItem, CheckPermissionResponse

• PERMISSIONSHIP_UNSPECIFIED = 0

• PERMISSIONSHIP_NO_PERMISSION = 1

• PERMISSIONSHIP_HAS_PERMISSION = 2

• PERMISSIONSHIP_CONDITIONAL_PERMISSION = 3

Consistency will define how a request is handled by the backend. By defining a consistency requirement, and a token at which those requirements should be applied, where applicable.

Used in: BulkCheckPermissionRequest, BulkExportRelationshipsRequest, CheckBulkPermissionsRequest, CheckPermissionRequest, ComputablePermissionsRequest, DependentRelationsRequest, DiffSchemaRequest, ExpandPermissionTreeRequest, ExperimentalComputablePermissionsRequest, ExperimentalDependentRelationsRequest, ExperimentalDiffSchemaRequest, ExperimentalReflectSchemaRequest, ExportBulkRelationshipsRequest, LookupResourcesRequest, LookupSubjectsRequest, ReadRelationshipsRequest, ReflectSchemaRequest

• oneof requirement

  • bool minimize_latency = 1

    minimize_latency indicates that the latency for the call should be minimized by having the system select the fastest snapshot available.

  • ZedToken at_least_as_fresh = 2

    at_least_as_fresh indicates that all data used in the API call must be *at least as fresh* as that found in the ZedToken; more recent data might be used if available or faster.

  • ZedToken at_exact_snapshot = 3

    at_exact_snapshot indicates that all data used in the API call must be *at the given* snapshot in time; if the snapshot is no longer available, an error will be returned to the caller.

  • bool fully_consistent = 4

    fully_consistent indicates that all data used in the API call *must* be at the most recent snapshot found. NOTE: using this method can be *quite slow*, so unless there is a need to do so, it is recommended to use `at_least_as_fresh` with a stored ZedToken.

ContextualizedCaveat represents a reference to a caveat to be used by caveated relationships. The context consists of key-value pairs that will be injected at evaluation time. The keys must match the arguments defined on the caveat in the schema.

Used in: Relationship

• string caveat_name = 1

  caveat_name is the name of the caveat expression to use, as defined in the schema

• optional google.protobuf.Struct context = 2

  context consists of any named values that are defined at write time for the caveat expression

Cursor is used to provide resumption of listing between calls to APIs such as LookupResources.

Used in: BulkExportRelationshipsRequest, BulkExportRelationshipsResponse, ExportBulkRelationshipsRequest, ExportBulkRelationshipsResponse, LookupResourcesRequest, LookupResourcesResponse, LookupSubjectsRequest, LookupSubjectsResponse, ReadRelationshipsRequest, ReadRelationshipsResponse

• string token = 1

DebugInformation defines debug information returned by an API call in a footer when requested with a specific debugging header. The specific debug information returned will depend on the type of the API call made. See the github.com/authzed/authzed-go project for the specific header and footer names.

Used in: CheckBulkPermissionsResponseItem, CheckPermissionResponse

• optional CheckDebugTrace check = 1

  check holds debug information about a check request.

• string schema_used = 2

  schema_used holds the schema used for the request.

Used in: DeleteRelationshipsResponse

• DELETION_PROGRESS_UNSPECIFIED = 0

• DELETION_PROGRESS_COMPLETE = 1

  DELETION_PROGRESS_COMPLETE indicates that all remaining relationships matching the filter were deleted. Will be returned even if no relationships were deleted.

• DELETION_PROGRESS_PARTIAL = 2

  DELETION_PROGRESS_PARTIAL indicates that a subset of the relationships matching the filter were deleted. Only returned if optional_allow_partial_deletions was true, an optional_limit was specified, and there existed more relationships matching the filter than optional_limit would allow. Once all remaining relationships have been deleted, DELETION_PROGRESS_COMPLETE will be returned.

DirectSubjectSet is a subject set which is simply a collection of subjects.

Used in: PermissionRelationshipTree

• repeated SubjectReference subjects = 1

Defines the supported values for `google.rpc.ErrorInfo.reason` for the `authzed.com` error domain.

• ERROR_REASON_UNSPECIFIED = 0

  Do not use this default value.

• ERROR_REASON_SCHEMA_PARSE_ERROR = 1

  The request gave a schema that could not be parsed. Example of an ErrorInfo: { "reason": "ERROR_REASON_SCHEMA_PARSE_ERROR", "domain": "authzed.com", "metadata": { "start_line_number": "1", "start_column_position": "19", "end_line_number": "1", "end_column_position": "19", "source_code": "somedefinition", } } The line numbers and column positions are 0-indexed and may not be present.

• ERROR_REASON_SCHEMA_TYPE_ERROR = 2

  The request contains a schema with a type error. Example of an ErrorInfo: { "reason": "ERROR_REASON_SCHEMA_TYPE_ERROR", "domain": "authzed.com", "metadata": { "definition_name": "somedefinition", ... additional keys based on the kind of type error ... } }

• ERROR_REASON_UNKNOWN_DEFINITION = 3

  The request referenced an unknown object definition in the schema. Example of an ErrorInfo: { "reason": "ERROR_REASON_UNKNOWN_DEFINITION", "domain": "authzed.com", "metadata": { "definition_name": "somedefinition" } }

• ERROR_REASON_UNKNOWN_RELATION_OR_PERMISSION = 4

  The request referenced an unknown relation or permission under a definition in the schema. Example of an ErrorInfo: { "reason": "ERROR_REASON_UNKNOWN_RELATION_OR_PERMISSION", "domain": "authzed.com", "metadata": { "definition_name": "somedefinition", "relation_or_permission_name": "somepermission" } }

• ERROR_REASON_TOO_MANY_UPDATES_IN_REQUEST = 5

  The WriteRelationships request contained more updates than the maximum configured. Example of an ErrorInfo: { "reason": "ERROR_REASON_TOO_MANY_UPDATES_IN_REQUEST", "domain": "authzed.com", "metadata": { "update_count": "525", "maximum_updates_allowed": "500", } }

• ERROR_REASON_TOO_MANY_PRECONDITIONS_IN_REQUEST = 6

  The request contained more preconditions than the maximum configured. Example of an ErrorInfo: { "reason": "ERROR_REASON_TOO_MANY_PRECONDITIONS_IN_REQUEST", "domain": "authzed.com", "metadata": { "precondition_count": "525", "maximum_preconditions_allowed": "500", } }

• ERROR_REASON_WRITE_OR_DELETE_PRECONDITION_FAILURE = 7

  The request contained a precondition that failed. Example of an ErrorInfo: { "reason": "ERROR_REASON_WRITE_OR_DELETE_PRECONDITION_FAILURE", "domain": "authzed.com", "metadata": { "precondition_resource_type": "document", ... other fields for the filter ... "precondition_operation": "MUST_EXIST", } }

• ERROR_REASON_SERVICE_READ_ONLY = 8

  A write or delete request was made to an instance that is deployed in read-only mode. Example of an ErrorInfo: { "reason": "ERROR_REASON_SERVICE_READ_ONLY", "domain": "authzed.com" }

• ERROR_REASON_UNKNOWN_CAVEAT = 9

  The request referenced an unknown caveat in the schema. Example of an ErrorInfo: { "reason": "ERROR_REASON_UNKNOWN_CAVEAT", "domain": "authzed.com", "metadata": { "caveat_name": "somecaveat" } }

• ERROR_REASON_INVALID_SUBJECT_TYPE = 10

  The request tries to use a subject type that was not valid for a relation. Example of an ErrorInfo: { "reason": "ERROR_REASON_INVALID_SUBJECT_TYPE", "domain": "authzed.com", "metadata": { "definition_name": "somedefinition", "relation_name": "somerelation", "subject_type": "user:*" } }

• ERROR_REASON_CAVEAT_PARAMETER_TYPE_ERROR = 11

  The request tries to specify a caveat parameter value with the wrong type. Example of an ErrorInfo: { "reason": "ERROR_REASON_CAVEAT_PARAMETER_TYPE_ERROR", "domain": "authzed.com", "metadata": { "definition_name": "somedefinition", "relation_name": "somerelation", "caveat_name": "somecaveat", "parameter_name": "someparameter", "expected_type": "int", } }

• ERROR_REASON_UPDATES_ON_SAME_RELATIONSHIP = 12

  The request tries to perform two or more updates on the same relationship in the same WriteRelationships call. Example of an ErrorInfo: { "reason": "ERROR_REASON_UPDATES_ON_SAME_RELATIONSHIP", "domain": "authzed.com", "metadata": { "definition_name": "somedefinition", "relationship": "somerelationship", } }

• ERROR_REASON_CANNOT_UPDATE_PERMISSION = 13

  The request tries to write a relationship on a permission instead of a relation. Example of an ErrorInfo: { "reason": "ERROR_REASON_CANNOT_UPDATE_PERMISSION", "domain": "authzed.com", "metadata": { "definition_name": "somedefinition", "permission_name": "somerelation", } }

• ERROR_REASON_CAVEAT_EVALUATION_ERROR = 14

  The request failed to evaluate a caveat expression due to an error. Example of an ErrorInfo: { "reason": "ERROR_REASON_CAVEAT_EVALUATION_ERROR", "domain": "authzed.com", "metadata": { "caveat_name": "somecaveat", } }

• ERROR_REASON_INVALID_CURSOR = 15

  The request failed because the provided cursor was invalid in some way. Example of an ErrorInfo: { "reason": "ERROR_REASON_INVALID_CURSOR", "domain": "authzed.com", "metadata": { ... additional keys based on the kind of cursor error ... } }

• ERROR_REASON_TOO_MANY_RELATIONSHIPS_FOR_TRANSACTIONAL_DELETE = 16

  The request failed because there are too many matching relationships to be deleted within a single transactional deletion call. To avoid, set `optional_allow_partial_deletions` to true on the DeleteRelationships call. Example of an ErrorInfo: { "reason": "ERROR_REASON_TOO_MANY_RELATIONSHIPS_FOR_TRANSACTIONAL_DELETE", "domain": "authzed.com", "metadata": { ... fields for the filter ... } }

• ERROR_REASON_MAX_RELATIONSHIP_CONTEXT_SIZE = 17

  The request failed because the client attempted to write a relationship with a context that exceeded the configured server limit. Example of an ErrorInfo: { "reason": "ERROR_REASON_MAX_RELATIONSHIP_CONTEXT_SIZE", "domain": "authzed.com", "metadata": { "relationship": "relationship_exceeding_the_limit", "max_allowed_size": "server_max_allowed_context_size", "context_size": "actual_relationship_context_size" , } }

• ERROR_REASON_ATTEMPT_TO_RECREATE_RELATIONSHIP = 18

  The request failed because a relationship marked to be CREATEd was already present within the datastore. Example of an ErrorInfo: { "reason": "ERROR_REASON_ATTEMPT_TO_RECREATE_RELATIONSHIP", "domain": "authzed.com", "metadata": { "relationship": "relationship_that_already_existed", "resource_type": "resource type", "resource_object_id": "resource object id", ... additional decomposed relationship fields ... } }

• ERROR_REASON_MAXIMUM_DEPTH_EXCEEDED = 19

  The request failed because it caused the maximum depth allowed to be exceeded. This typically indicates that there is a circular data traversal somewhere in the schema, but can also be raised if the data traversal is simply too deep. Example of an ErrorInfo: { "reason": "ERROR_REASON_MAXIMUM_DEPTH_EXCEEDED", "domain": "authzed.com", "metadata": { "maximum_depth_allowed": "50", ... additional fields based on request type ... } }

• ERROR_REASON_SERIALIZATION_FAILURE = 20

  The request failed due to a serialization error in the backend database. This typically indicates that various in flight transactions conflicted with each other and the database had to abort one or more of them. SpiceDB will retry a few times before returning the error to the client. Example of an ErrorInfo: { "reason": "ERROR_REASON_SERIALIZATION_FAILURE", "domain": "authzed.com", "metadata": {} }

• ERROR_REASON_TOO_MANY_CHECKS_IN_REQUEST = 21

  The request contained more check items than the maximum configured. Example of an ErrorInfo: { "reason": "ERROR_REASON_TOO_MANY_CHECKS_IN_REQUEST", "domain": "authzed.com", "metadata": { "check_count": "525", "maximum_checks_allowed": "500", } }

• ERROR_REASON_EXCEEDS_MAXIMUM_ALLOWABLE_LIMIT = 22

  The request's specified limit is too large. Example of an ErrorInfo: { "reason": "ERROR_REASON_EXCEEDS_MAXIMUM_ALLOWABLE_LIMIT", "domain": "authzed.com", "metadata": { "limit_provided": "525", "maximum_limit_allowed": "500", } }

• ERROR_REASON_INVALID_FILTER = 23

  The request failed because the provided filter was invalid in some way. Example of an ErrorInfo: { "reason": "ERROR_REASON_INVALID_FILTER", "domain": "authzed.com", "metadata": { "filter": "...", } }

• ERROR_REASON_INMEMORY_TOO_MANY_CONCURRENT_UPDATES = 24

  The request failed because too many concurrent updates were attempted against the in-memory datastore. Example of an ErrorInfo: { "reason": "ERROR_REASON_INMEMORY_TOO_MANY_CONCURRENT_UPDATES", "domain": "authzed.com", "metadata": {} }

• ERROR_REASON_EMPTY_PRECONDITION = 25

  The request failed because the precondition specified is empty. Example of an ErrorInfo: { "reason": "ERROR_REASON_EMPTY_PRECONDITION", "domain": "authzed.com", "metadata": {} }

• ERROR_REASON_COUNTER_ALREADY_REGISTERED = 26

  The request failed because the counter was already registered. Example of an ErrorInfo: { "reason": "ERROR_REASON_COUNTER_ALREADY_REGISTERED", "domain": "authzed.com", "metadata": { "counter_name": "name" } }

• ERROR_REASON_COUNTER_NOT_REGISTERED = 27

  The request failed because the counter was not registered. Example of an ErrorInfo: { "reason": "ERROR_REASON_COUNTER_NOT_REGISTERED", "domain": "authzed.com", "metadata": { "counter_name": "name" } }

• ERROR_REASON_WILDCARD_NOT_ALLOWED = 28

  The request failed because a wildcard was not allowed. For CheckPermission, this means that the subject or resource ID was a wildcard. For LookupResources, this means that the subject ID was a wildcard. Example of an ErrorInfo: { "reason": "ERROR_REASON_WILDCARD_NOT_ALLOWED", "domain": "authzed.com", "metadata": { "disallowed_field": "subject_id" } }

• ERROR_REASON_TRANSACTION_METADATA_TOO_LARGE = 29

  The request failed because the transaction metadata was too large. Example of an ErrorInfo: { "reason": "ERROR_REASON_TRANSACTION_METADATA_TOO_LARGE", "domain": "authzed.com", "metadata": { "metadata_byte_size": "1024", "maximum_allowed_metadata_byte_size": "512", } }

ExpCaveat is the representation of a caveat in the schema.

Used in: ExpSchemaDiff, ExperimentalReflectSchemaResponse

• string name = 1

• string comment = 2

  comment is a human-readable comments on the caveat. Will include delimiter characters.

• repeated ExpCaveatParameter parameters = 3

• string expression = 4

ExpCaveatParameter is the representation of a parameter in a caveat.

Used in: ExpCaveat, ExpCaveatParameterTypeChange, ExpSchemaDiff

• string name = 1

• string type = 2

  type is the type of the parameter. Will be a string representing the type, e.g. `int` or `list<string>`

• string parent_caveat_name = 3

Used in: ExpSchemaDiff

• optional ExpCaveatParameter parameter = 1

• string previous_type = 2

ExpDefinition is the representation of a definition in the schema.

Used in: ExpSchemaDiff, ExperimentalReflectSchemaResponse

• string name = 1

• string comment = 2

  comment is a human-readable comments on the definition. Will include delimiter characters.

• repeated ExpRelation relations = 3

• repeated ExpPermission permissions = 4

ExpPermission is the representation of a permission in the schema.

Used in: ExpDefinition, ExpSchemaDiff

• string name = 1

• string comment = 2

  comment is a human-readable comments on the permission. Will include delimiter characters.

• string parent_definition_name = 3

ExpRelation is the representation of a relation in the schema.

Used in: ExpDefinition, ExpRelationSubjectTypeChange, ExpSchemaDiff

• string name = 1

• string comment = 2

• string parent_definition_name = 3

• repeated ExpTypeReference subject_types = 4

ExpRelationReference is a reference to a relation or permission in the schema.

Used in: ExperimentalComputablePermissionsResponse, ExperimentalDependentRelationsResponse

• string definition_name = 1

• string relation_name = 2

• bool is_permission = 3

Used in: ExpSchemaDiff

• optional ExpRelation relation = 1

• optional ExpTypeReference changed_subject_type = 2

ExpSchemaDiff is the representation of a diff between two schemas.

Used in: ExperimentalDiffSchemaResponse

• oneof diff

  • ExpDefinition definition_added = 1

  • ExpDefinition definition_removed = 2

  • ExpDefinition definition_doc_comment_changed = 3

  • ExpRelation relation_added = 4

  • ExpRelation relation_removed = 5

  • ExpRelation relation_doc_comment_changed = 6

  • ExpRelationSubjectTypeChange relation_subject_type_added = 7

  • ExpRelationSubjectTypeChange relation_subject_type_removed = 8

  • ExpPermission permission_added = 9

  • ExpPermission permission_removed = 10

  • ExpPermission permission_doc_comment_changed = 11

  • ExpPermission permission_expr_changed = 12

  • ExpCaveat caveat_added = 13

  • ExpCaveat caveat_removed = 14

  • ExpCaveat caveat_doc_comment_changed = 15

  • ExpCaveat caveat_expr_changed = 16

  • ExpCaveatParameter caveat_parameter_added = 17

  • ExpCaveatParameter caveat_parameter_removed = 18

  • ExpCaveatParameterTypeChange caveat_parameter_type_changed = 19

ExpSchemaFilter is a filter that can be applied to the schema on reflection.

Used in: ExperimentalReflectSchemaRequest

• string optional_definition_name_filter = 1

  optional_definition_name_filter is a prefix that is matched against the definition name.

• string optional_caveat_name_filter = 2

  optional_caveat_name_filter is a prefix that is matched against the caveat name.

• string optional_relation_name_filter = 3

  optional_relation_name_filter is a prefix that is matched against the relation name.

• string optional_permission_name_filter = 4

  optional_permission_name_filter is a prefix that is matched against the permission name.

ExpTypeReference is the representation of a type reference in the schema.

Used in: ExpRelation, ExpRelationSubjectTypeChange

• string subject_definition_name = 1

  subject_definition_name is the name of the subject's definition.

• string optional_caveat_name = 2

  optional_caveat_name is the name of the caveat that is applied to the subject, if any.

• oneof typeref

  • bool is_terminal_subject = 3

    is_terminal_subject is true if the subject is terminal, meaning it is referenced directly vs a sub-relation.

  • string optional_relation_name = 4

    optional_relation_name is the name of the relation that is applied to the subject, if any.

  • bool is_public_wildcard = 5

    is_public_wildcard is true if the subject is a public wildcard.

LookupPermissionship represents whether a Lookup response was partially evaluated or not

Used in: LookupResourcesResponse, LookupSubjectsResponse, ResolvedSubject

• LOOKUP_PERMISSIONSHIP_UNSPECIFIED = 0

• LOOKUP_PERMISSIONSHIP_HAS_PERMISSION = 1

• LOOKUP_PERMISSIONSHIP_CONDITIONAL_PERMISSION = 2

Used in: LookupSubjectsRequest

• WILDCARD_OPTION_UNSPECIFIED = 0

• WILDCARD_OPTION_INCLUDE_WILDCARDS = 1

• WILDCARD_OPTION_EXCLUDE_WILDCARDS = 2

ObjectReference is used to refer to a specific object in the system.

Used in: materialize.v0.PermissionChange, BulkCheckPermissionRequestItem, CheckBulkPermissionsRequestItem, CheckDebugTrace, CheckPermissionRequest, ExpandPermissionTreeRequest, LookupSubjectsRequest, PermissionRelationshipTree, Relationship, SubjectReference, v1alpha1.PermissionUpdate

• string object_type = 1

• string object_id = 2

PartialCaveatInfo carries information necessary for the client to take action in the event a response contains a partially evaluated caveat

Used in: BulkCheckPermissionResponseItem, CaveatEvalInfo, CheckBulkPermissionsResponseItem, CheckPermissionResponse, LookupResourcesResponse, LookupSubjectsResponse, ResolvedSubject

• repeated string missing_required_context = 1

  missing_required_context is a list of one or more fields that were missing and prevented caveats from being fully evaluated

PermissionRelationshipTree is used for representing a tree of a resource and its permission relationships with other objects.

Used in: AlgebraicSubjectSet, ExpandPermissionTreeResponse

• oneof tree_type

  • AlgebraicSubjectSet intermediate = 1

  • DirectSubjectSet leaf = 2

• optional ObjectReference expanded_object = 3

• string expanded_relation = 4

Precondition specifies how and the existence or absence of certain relationships as expressed through the accompanying filter should affect whether or not the operation proceeds. MUST_NOT_MATCH will fail the parent request if any relationships match the relationships filter. MUST_MATCH will fail the parent request if there are no relationships that match the filter.

Used in: DeleteRelationshipsRequest, WriteRelationshipsRequest

• Precondition.Operation operation = 1

• optional RelationshipFilter filter = 2

Used in: Precondition

• OPERATION_UNSPECIFIED = 0

• OPERATION_MUST_NOT_MATCH = 1

• OPERATION_MUST_MATCH = 2

Used in: ExperimentalCountRelationshipsResponse

• uint64 relationship_count = 1

  relationship_count is the count of relationships that match the filter.

• optional ZedToken read_at = 2

  read_at is the ZedToken at which the relationship count applies.

ReflectionCaveat is the representation of a caveat in the schema.

Used in: ReflectSchemaResponse, ReflectionSchemaDiff

• string name = 1

• string comment = 2

  comment is a human-readable comments on the caveat. Will include delimiter characters.

• repeated ReflectionCaveatParameter parameters = 3

• string expression = 4

ReflectionCaveatParameter is the representation of a parameter in a caveat.

Used in: ReflectionCaveat, ReflectionCaveatParameterTypeChange, ReflectionSchemaDiff

• string name = 1

• string type = 2

  type is the type of the parameter. Will be a string representing the type, e.g. `int` or `list<string>`

• string parent_caveat_name = 3

Used in: ReflectionSchemaDiff

• optional ReflectionCaveatParameter parameter = 1

• string previous_type = 2

ReflectionDefinition is the representation of a definition in the schema.

Used in: ReflectSchemaResponse, ReflectionSchemaDiff

• string name = 1

• string comment = 2

  comment is a human-readable comments on the definition. Will include delimiter characters.

• repeated ReflectionRelation relations = 3

• repeated ReflectionPermission permissions = 4

ReflectionPermission is the representation of a permission in the schema.

Used in: ReflectionDefinition, ReflectionSchemaDiff

• string name = 1

• string comment = 2

  comment is a human-readable comments on the permission. Will include delimiter characters.

• string parent_definition_name = 3

ReflectionRelation is the representation of a relation in the schema.

Used in: ReflectionDefinition, ReflectionRelationSubjectTypeChange, ReflectionSchemaDiff

• string name = 1

• string comment = 2

• string parent_definition_name = 3

• repeated ReflectionTypeReference subject_types = 4

ReflectionRelationReference is a reference to a relation or permission in the schema.

Used in: ComputablePermissionsResponse, DependentRelationsResponse

• string definition_name = 1

• string relation_name = 2

• bool is_permission = 3

Used in: ReflectionSchemaDiff

• optional ReflectionRelation relation = 1

• optional ReflectionTypeReference changed_subject_type = 2

ReflectionSchemaDiff is the representation of a diff between two schemas.

Used in: DiffSchemaResponse

• oneof diff

  • ReflectionDefinition definition_added = 1

  • ReflectionDefinition definition_removed = 2

  • ReflectionDefinition definition_doc_comment_changed = 3

  • ReflectionRelation relation_added = 4

  • ReflectionRelation relation_removed = 5

  • ReflectionRelation relation_doc_comment_changed = 6

  • ReflectionRelationSubjectTypeChange relation_subject_type_added = 7

  • ReflectionRelationSubjectTypeChange relation_subject_type_removed = 8

  • ReflectionPermission permission_added = 9

  • ReflectionPermission permission_removed = 10

  • ReflectionPermission permission_doc_comment_changed = 11

  • ReflectionPermission permission_expr_changed = 12

  • ReflectionCaveat caveat_added = 13

  • ReflectionCaveat caveat_removed = 14

  • ReflectionCaveat caveat_doc_comment_changed = 15

  • ReflectionCaveat caveat_expr_changed = 16

  • ReflectionCaveatParameter caveat_parameter_added = 17

  • ReflectionCaveatParameter caveat_parameter_removed = 18

  • ReflectionCaveatParameterTypeChange caveat_parameter_type_changed = 19

ReflectionSchemaFilter is a filter that can be applied to the schema on reflection.

Used in: ReflectSchemaRequest

• string optional_definition_name_filter = 1

  optional_definition_name_filter is a prefix that is matched against the definition name.

• string optional_caveat_name_filter = 2

  optional_caveat_name_filter is a prefix that is matched against the caveat name.

• string optional_relation_name_filter = 3

  optional_relation_name_filter is a prefix that is matched against the relation name.

• string optional_permission_name_filter = 4

  optional_permission_name_filter is a prefix that is matched against the permission name.

ReflectionTypeReference is the representation of a type reference in the schema.

Used in: ReflectionRelation, ReflectionRelationSubjectTypeChange

• string subject_definition_name = 1

  subject_definition_name is the name of the subject's definition.

• string optional_caveat_name = 2

  optional_caveat_name is the name of the caveat that is applied to the subject, if any.

• oneof typeref

  • bool is_terminal_subject = 3

    is_terminal_subject is true if the subject is terminal, meaning it is referenced directly vs a sub-relation.

  • string optional_relation_name = 4

    optional_relation_name is the name of the relation that is applied to the subject, if any.

  • bool is_public_wildcard = 5

    is_public_wildcard is true if the subject is a public wildcard.

Relationship specifies how a resource relates to a subject. Relationships form the data for the graph over which all permissions questions are answered.

Used in: BulkExportRelationshipsResponse, BulkImportRelationshipsRequest, ExportBulkRelationshipsResponse, ImportBulkRelationshipsRequest, ReadRelationshipsResponse, RelationshipUpdate

• optional ObjectReference resource = 1

  resource is the resource to which the subject is related, in some manner

• string relation = 2

  relation is how the resource and subject are related.

• optional SubjectReference subject = 3

  subject is the subject to which the resource is related, in some manner.

• optional ContextualizedCaveat optional_caveat = 4

  optional_caveat is a reference to a the caveat that must be enforced over the relationship.

• optional google.protobuf.Timestamp optional_expires_at = 5

  optional_expires_at is the time at which the relationship expires, if any.

RelationshipFilter is a collection of filters which when applied to a relationship will return relationships that have exactly matching fields. All fields are optional and if left unspecified will not filter relationships, but at least one field must be specified. NOTE: The performance of the API will be affected by the selection of fields on which to filter. If a field is not indexed, the performance of the API can be significantly slower.

Used in: BulkExportRelationshipsRequest, DeleteRelationshipsRequest, ExperimentalRegisterRelationshipCounterRequest, ExportBulkRelationshipsRequest, Precondition, ReadRelationshipsRequest, WatchRequest

• string resource_type = 1

  resource_type is the *optional* resource type of the relationship. NOTE: It is not prefixed with "optional_" for legacy compatibility.

• string optional_resource_id = 2

  optional_resource_id is the *optional* resource ID of the relationship. If specified, optional_resource_id_prefix cannot be specified.

• string optional_resource_id_prefix = 5

  optional_resource_id_prefix is the *optional* prefix for the resource ID of the relationship. If specified, optional_resource_id cannot be specified.

• string optional_relation = 3

  relation is the *optional* relation of the relationship.

• optional SubjectFilter optional_subject_filter = 4

  optional_subject_filter is the optional filter for the subjects of the relationships.

RelationshipUpdate is used for mutating a single relationship within the service. CREATE will create the relationship only if it doesn't exist, and error otherwise. TOUCH will upsert the relationship, and will not error if it already exists. DELETE will delete the relationship. If the relationship does not exist, this operation will no-op.

Used in: WatchResponse, WriteRelationshipsRequest

• RelationshipUpdate.Operation operation = 1

• optional Relationship relationship = 2

Used in: RelationshipUpdate

• OPERATION_UNSPECIFIED = 0

• OPERATION_CREATE = 1

• OPERATION_TOUCH = 2

• OPERATION_DELETE = 3

ResolvedSubject is a single subject resolved within LookupSubjects.

Used in: LookupSubjectsResponse

• string subject_object_id = 1

  subject_object_id is the Object ID of the subject found. May be a `*` if a wildcard was found.

• LookupPermissionship permissionship = 2

  permissionship indicates whether the response was partially evaluated or not

• optional PartialCaveatInfo partial_caveat_info = 3

  partial_caveat_info holds information of a partially-evaluated caveated response

SubjectFilter specifies a filter on the subject of a relationship. subject_type is required and all other fields are optional, and will not impose any additional requirements if left unspecified.

Used in: RelationshipFilter

• string subject_type = 1

• string optional_subject_id = 2

• optional SubjectFilter.RelationFilter optional_relation = 3

Used in: SubjectFilter

• string relation = 1

SubjectReference is used for referring to the subject portion of a Relationship. The relation component is optional and is used for defining a sub-relation on the subject, e.g. group:123#members

Used in: materialize.v0.PermissionChange, BulkCheckPermissionRequestItem, CheckBulkPermissionsRequestItem, CheckDebugTrace, CheckPermissionRequest, DirectSubjectSet, LookupResourcesRequest, Relationship, v1alpha1.PermissionUpdate

• optional ObjectReference object = 1

• string optional_relation = 2

ZedToken is used to provide causality metadata between Write and Check requests. See the authzed.api.v1.Consistency message for more information.

Used in: materialize.v0.BreakingSchemaChange, materialize.v0.Cursor, materialize.v0.LookupPermissionSetsRequest, materialize.v0.LookupPermissionSetsRequired, materialize.v0.PermissionChange, materialize.v0.PermissionSetChange, materialize.v0.WatchPermissionSetsRequest, materialize.v0.WatchPermissionSetsResponse, materialize.v0.WatchPermissionsRequest, materialize.v0.WatchPermissionsResponse, BulkCheckPermissionResponse, CheckBulkPermissionsResponse, CheckPermissionResponse, ComputablePermissionsResponse, Consistency, DeleteRelationshipsResponse, DependentRelationsResponse, DiffSchemaResponse, ExpandPermissionTreeResponse, ExperimentalComputablePermissionsResponse, ExperimentalDependentRelationsResponse, ExperimentalDiffSchemaResponse, ExperimentalReflectSchemaResponse, LookupResourcesResponse, LookupSubjectsResponse, ReadCounterValue, ReadRelationshipsResponse, ReadSchemaResponse, ReflectSchemaResponse, WatchRequest, WatchResponse, WriteRelationshipsResponse, WriteSchemaResponse, v1alpha1.WatchResourcesRequest, v1alpha1.WatchResourcesResponse

• string token = 1