Public Access

Model public document access using FGA policies.

Explore the example from this guide in the FGA Playground, where you can interact with the schema, warrants, and access checks in real-time!

Public access allows users to view resources without requiring a direct relationship or explicit grant. This is useful for cases where content is meant to be openly accessible but still requires a basic set of conditions, such as being published or flagged as public.

Example Applications

  • Document Management: Public reports or documents.
  • Education Platforms: Make certain course materials or syllabus open access.
  • Media & Publishing: Allow public access to some articles while gating premium ones.
  • E-Commerce: Public product listings with private admin dashboards or private draft listings.

Schema

version 0.3

type user

type document
    relation viewer [user]

    inherit viewer if
        policy is_public_document

policy is_public_document(document_attributes map) {
    document_attributes.public == true && document_attributes.status == "published"
}

Note: Public access can also be modeled with wildcard warrants. This example focuses on using policies for more control over access conditions.

Example

1. Apply the schema

Create a file called schema.txt containing the schema definition from above. Then use the CLI to apply this schema to your WorkOS FGA environment.

Note: Make sure to select the correct environment with the CLI.

workos fga schema apply schema.txt

2. Check access

With our environment set up, we can check the user’s permission to view a document. The check request passes the document's attributes as context for the is_public_document policy.

Check if a user can view a document
curl "https://api.workos.com/fga/v1/check" \
  -X POST \
  -H "Authorization: Bearer sk_example_123456789" \
  --data-raw \
  '{
    "checks": [
      {
        "resource_type": "document",
        "resource_id": "doc-1",
        "relation": "viewer",
        "subject": {
          "resource_type": "user",
          "resource_id": "user_2oDscjroNWtzxzYEnEzT9P7VYEe"
        },
        "context": {
          "document_attributes": {
            "id": "doc-1",
            "public": true,
            "status": "published"
          }
        }
      }
    ]
  }'
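
The policy is evaluated against whatever document_attributes the check request carries, so the service making the check should build that context from its own stored document record, never from client-supplied values. The following is an added example, not WorkOS code: build_check, is_public_document and the DOCUMENTS store are hypothetical names, the records are constructed, and the Python mirror of the policy is an assumption for local testing only.

```python
import json

# Constructed records standing in for the application's own document store.
DOCUMENTS = {
    "doc-1": {"public": True, "status": "published"},
    "doc-2": {"public": True, "status": "draft"},
    "doc-3": {"public": "true", "status": "published"},  # string, not bool
}


def build_check(user_id, doc_id, store=DOCUMENTS):
    """Build a check body whose context comes only from the stored record.

    There is deliberately no parameter for caller-supplied attributes.
    """
    record = store.get(doc_id)
    if record is None:
        raise KeyError(f"unknown document: {doc_id}")
    attrs = {
        "id": doc_id,
        # Fail closed: only a real boolean True counts as public.
        "public": record.get("public") is True,
        "status": str(record.get("status", "")),
    }
    return {"checks": [{
        "resource_type": "document",
        "resource_id": doc_id,
        "relation": "viewer",
        "subject": {"resource_type": "user", "resource_id": user_id},
        "context": {"document_attributes": attrs},
    }]}


def is_public_document(document_attributes):
    """Local mirror of the schema's policy expression (assumption, for tests)."""
    return (document_attributes.get("public") is True
            and document_attributes.get("status") == "published")


if __name__ == "__main__":
    for doc_id in DOCUMENTS:
        body = build_check("user_2oDscjroNWtzxzYEnEzT9P7VYEe", doc_id)
        attrs = body["checks"][0]["context"]["document_attributes"]
        print(doc_id, is_public_document(attrs), json.dumps(attrs))
```

The returned dictionary is the JSON body for the check request shown above; the draft and mistyped records produce a context that the policy expression rejects.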
© WorkOS, Inc.