Authorization object

When a policy is evaluated, it returns an authorization object. An authorization can be granted or denied.

If granted, the authorization object contains the narrowed-down subject. If denied, it contains a message explaining why the authorization was denied.

This design enables features such as subject narrowing.

type AuthorizationGranted<T> = { granted: true; subject: T; };
type AuthorizationDenied = { granted: false; message?: string };
type Authorization<T> = AuthorizationGranted<T> | AuthorizationDenied;
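
How a policy result of this shape supports subject narrowing, as an added example that is not Kilpi's own code. It is a stand-alone, synchronous model that does not call the Kilpi API; `User`, `Doc`, `grant`, `deny`, `canUpdateDoc` and `describeDecision` are hypothetical names, and the sample data is constructed.

```typescript
// Types as given on this page.
type AuthorizationGranted<T> = { granted: true; subject: T };
type AuthorizationDenied = { granted: false; message?: string };
type Authorization<T> = AuthorizationGranted<T> | AuthorizationDenied;

// Hypothetical shapes, for illustration only.
type User = { id: string; name: string; role: "member" | "admin" };
type Doc = { id: string; ownerId: string };

// Hypothetical helpers that build the two variants.
function grant<T>(subject: T): AuthorizationGranted<T> {
  return { granted: true, subject };
}
function deny(message?: string): AuthorizationDenied {
  return message === undefined ? { granted: false } : { granted: false, message };
}

// Hypothetical policy. The caller may be unauthenticated (null), but a granted
// result always carries a non-null User: the subject has been narrowed.
function canUpdateDoc(subject: User | null, doc: Doc): Authorization<User> {
  if (subject === null) return deny("Not signed in");
  if (subject.role === "admin" || subject.id === doc.ownerId) return grant(subject);
  return deny("Only the owner or an admin may update this document");
}

// Consumer: check `granted` first and fail closed on denial.
function describeDecision(subject: User | null, doc: Doc): string {
  const authorization = canUpdateDoc(subject, doc);
  if (!authorization.granted) {
    return `denied: ${authorization.message ?? "no reason given"}`;
  }
  // Here `authorization.subject` is typed `User`, not `User | null`.
  return `granted to ${authorization.subject.name}`;
}

// Constructed sample data.
const sampleDoc: Doc = { id: "doc-1", ownerId: "u-1" };
const sampleOwner: User = { id: "u-1", name: "Ada", role: "member" };
const sampleOther: User = { id: "u-2", name: "Bob", role: "member" };

console.log(describeDecision(sampleOwner, sampleDoc));
console.log(describeDecision(sampleOther, sampleDoc));
console.log(describeDecision(null, sampleDoc));
```

Because `granted` is the discriminant of the union, the compiler rejects any read of `authorization.subject` that is not guarded by a `granted` check.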

Receiving the authorization object

To receive the raw authorization object, you can use the Kilpi.getAuthorization method.

const authorization = Kilpi.getAuthorization("example:policy", resource);
if (!authorization.granted) {
  console.error("Authorization denied:", authorization.message);
  return;
}
console.log("Authorization granted to", authorization.subject.name);