Access check endpoints help you answer authorization questions: “Can this user perform this action on this resource?” and “What resources can this user access?”
Check if an organization membership has a specific permission on a resource. This endpoint considers all sources of access:
You must provide either resource_id or both resource_external_id and resource_type_slug to identify the resource.
For org-wide permissions, you can check the JWT directly without making an API call. Use this endpoint for resource-specific permission checks.
```javascript
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456789');

// Option 1: by resource ID
const result = await workos.authorization.check({
  organizationMembershipId: 'om_01HXYZ123456789ABCDEFGHIJ',
  permissionSlug: 'project:edit',
  resourceId: 'authz_resource_01HXYZ123456789ABCDEFGH',
});

// Option 2: by external ID + type
const resultByExternal = await workos.authorization.check({
  organizationMembershipId: 'om_01HXYZ123456789ABCDEFGHIJ',
  permissionSlug: 'project:edit',
  resourceExternalId: 'proj-456',
  resourceTypeSlug: 'project',
});

console.log(result.authorized); // true or false
```
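A fail-closed wrapper around the check call, as an added example that is not WorkOS code: it enforces the resource-identification rule above before calling the API and treats any error or non-boolean response as a denial. The names buildCheckParams, isAuthorized, onError and stubAuthz are hypothetical, and the stub is constructed so the block runs offline; pass workos.authorization in its place.

```javascript
// Added example. `authz` is expected to be `workos.authorization` from the SDK setup above.
function buildCheckParams(req) {
  const { organizationMembershipId, permissionSlug,
          resourceId, resourceExternalId, resourceTypeSlug } = req;
  if (!organizationMembershipId || !permissionSlug) {
    throw new TypeError('organizationMembershipId and permissionSlug are required');
  }
  const byId = Boolean(resourceId);
  const hasExt = Boolean(resourceExternalId);
  const hasType = Boolean(resourceTypeSlug);
  // Accept exactly one way of naming the resource. Rejecting "both" is this
  // wrapper's own choice, so a check can never be ambiguous about its target.
  const valid = (byId && !hasExt && !hasType) || (!byId && hasExt && hasType);
  if (!valid) {
    throw new TypeError('pass resourceId, or resourceExternalId with resourceTypeSlug');
  }
  const target = byId ? { resourceId } : { resourceExternalId, resourceTypeSlug };
  return { organizationMembershipId, permissionSlug, ...target };
}

// Resolves to true only on an explicit `authorized: true`; API failures deny.
async function isAuthorized(authz, req, onError = () => {}) {
  const params = buildCheckParams(req); // caller mistakes reject the promise
  try {
    const result = await authz.check(params);
    return result != null && result.authorized === true;
  } catch (err) {
    onError(err); // hook for logging or alerting; the decision stays "deny"
    return false;
  }
}

// Constructed stub standing in for workos.authorization (not real API output).
const stubAuthz = {
  async check({ permissionSlug, resourceId }) {
    if (resourceId === 'res_timeout') throw new Error('simulated network timeout');
    if (resourceId === 'res_malformed') return { authorized: 'true' };
    return { authorized: permissionSlug === 'project:edit' };
  },
};
```

Validation errors are left to surface as rejections because they indicate a bug in the calling code, while transport or API failures are reported through onError and resolve to false.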
Returns all child resources of a parent resource where the organization membership has a specific permission. This is useful for resource discovery – answering “What projects can this user access in this workspace?”
You must provide either parent_resource_id or both parent_resource_external_id and parent_resource_type_slug to identify the parent resource.
```javascript
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456789');

// Option 1: by parent resource ID
const resources = await workos.authorization.listResourcesForMembership({
  organizationMembershipId: 'om_01HXYZ123456789ABCDEFGHIJ',
  permissionSlug: 'project:read',
  parentResourceId: 'authz_resource_01XYZ789',
  limit: 10,
  order: 'desc',
});

// Option 2: by parent external ID + type
const resourcesByExternal = await workos.authorization.listResourcesForMembership({
  organizationMembershipId: 'om_01HXYZ123456789ABCDEFGHIJ',
  permissionSlug: 'project:read',
  parentResourceTypeSlug: 'workspace',
  parentResourceExternalId: 'ws-123',
});
```
Returns all organization memberships that have a specific permission on a resource. This is useful for answering “Who can access this resource?”
You can filter by assignment type to distinguish between direct assignments (role assigned directly on the resource) and indirect assignments (permission inherited from a parent resource).
```javascript
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456789');

const memberships = await workos.authorization.listMembershipsForResource({
  resourceId: 'authz_resource_01HXYZ123456789ABCDEFGH',
  permissionSlug: 'project:edit',
  assignment: 'direct',
  limit: 10,
  order: 'desc',
});
```
Returns all organization memberships that have a specific permission on a resource, using the resource’s external ID. This is useful for answering “Who can access this resource?” when you only have the external ID.
```javascript
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456789');

const memberships = await workos.authorization.listMembershipsForResourceByExternalId({
  organizationId: 'org_01ABC123',
  resourceTypeSlug: 'project',
  externalId: 'proj-456',
  permissionSlug: 'project:edit',
  assignment: 'direct',
  limit: 10,
});
```