Class: AuthSystem<S>
Defined in: packages/polizy/src/polizy.ts:138
Type Parameters
S
S extends AuthSchema<any, any, any, any, any>
Constructors
Constructor
new AuthSystem<
S>(config):AuthSystem<S>
Defined in: packages/polizy/src/polizy.ts:151
Parameters
config
defaultCheckDepth?
number
fieldSeparator?
string
Overrides the schema's field separator (defaults to the schema's, then "#").
logger?
maxDepthBehavior?
"throw" | "deny"
schema
S
storage
StorageAdapter<SchemaSubjectTypes<S>, SchemaObjectTypes<S>>
Returns
AuthSystem<S>
Methods
addMember()
addMember(
args):Promise<StoredTuple<SchemaSubjectTypes<S>,SchemaObjectTypes<S>>>
Defined in: packages/polizy/src/polizy.ts:716
Parameters
args
as?
keyof S["relations"]
condition?
group
AnyObject<SchemaObjectTypes<S>>
member
Subject<SchemaSubjectTypes<S>> | AnyObject<SchemaObjectTypes<S>>
Returns
Promise<StoredTuple<SchemaSubjectTypes<S>, SchemaObjectTypes<S>>>
allow()
allow(
args):Promise<StoredTuple<SchemaSubjectTypes<S>,SchemaObjectTypes<S>>>
Defined in: packages/polizy/src/polizy.ts:661
Parameters
args
onWhat
AnyObject<SchemaObjectTypes<S>>
toBe
keyof S["relations"]
when?
who
Subject<SchemaSubjectTypes<S>> | AnyObject<SchemaObjectTypes<S>>
Returns
Promise<StoredTuple<SchemaSubjectTypes<S>, SchemaObjectTypes<S>>>
allowMany()
allowMany(
grants):Promise<StoredTuple<SchemaSubjectTypes<S>,SchemaObjectTypes<S>>[]>
Defined in: packages/polizy/src/polizy.ts:679
Idempotently grant several relationships at once.
Parameters
grants
object[]
Returns
Promise<StoredTuple<SchemaSubjectTypes<S>, SchemaObjectTypes<S>>[]>
check()
check(
request):Promise<boolean>
Defined in: packages/polizy/src/polizy.ts:179
Parameters
request
canThey
keyof S["actionToRelations"]
consistency?
"default" | "strong"
Consistency mode for this check (mirrors OpenFGA's naming).
"default"reads live: consistent per broadened key via the read cache, but not guaranteed across keys, with no snapshot overhead."strong"pins every read in the check to one point-in-time snapshot for full cross-key consistency — when the storage adapter supports snapshots (withSnapshot). Adapters without snapshot support fall back to live reads. See the read-after-write notes in the docs.
context?
Record<string, unknown>
contextualTuples?
InputTuple<SchemaSubjectTypes<S>, SchemaObjectTypes<S>>[]
Ephemeral tuples evaluated as if they were stored — the embeddable way to get read-your-writes (e.g. pass the grant you just made) without a token protocol. Never persisted.
onWhat
AnyObject<SchemaObjectTypes<S>>
who
Subject<SchemaSubjectTypes<S>> | AnyObject<SchemaObjectTypes<S>>
Returns
Promise<boolean>
checkMany()
checkMany(
requests,options?):Promise<boolean[]>
Defined in: packages/polizy/src/polizy.ts:333
Answer several authorization questions at once. Each question is resolved
with its own memo (questions may carry different context), but every
question still benefits from within-question memoization.
Parameters
requests
object[]
options?
consistency?
"default" | "strong"
Returns
Promise<boolean[]>
checkOrThrow()
checkOrThrow(
request):Promise<void>
Defined in: packages/polizy/src/polizy.ts:312
Like check, but throws NotAuthorizedError when denied.
Parameters
request
canThey
keyof S["actionToRelations"]
context?
Record<string, unknown>
onWhat
AnyObject<SchemaObjectTypes<S>>
who
Subject<SchemaSubjectTypes<S>> | AnyObject<SchemaObjectTypes<S>>
Returns
Promise<void>
disallowAllMatching()
disallowAllMatching(
filter):Promise<number>
Defined in: packages/polizy/src/polizy.ts:708
Parameters
filter
onWhat?
AnyObject<SchemaObjectTypes<S>>
was?
keyof S["relations"]
who?
Subject<SchemaSubjectTypes<S>> | AnyObject<SchemaObjectTypes<S>>
Returns
Promise<number>
explain()
explain(
request):Promise<ExplainResult>
Defined in: packages/polizy/src/polizy.ts:376
Explain why a check is allowed or denied, returning the granting path.
Parameters
request
canThey
keyof S["actionToRelations"]
context?
Record<string, unknown>
onWhat
AnyObject<SchemaObjectTypes<S>>
who
Subject<SchemaSubjectTypes<S>> | AnyObject<SchemaObjectTypes<S>>
Returns
Promise<ExplainResult>
listAccessibleObjects()
listAccessibleObjects(
args):Promise<ListAccessibleObjectsResult<S>>
Defined in: packages/polizy/src/polizy.ts:497
Parameters
args
ListAccessibleObjectsArgs<S> & object
Returns
Promise<ListAccessibleObjectsResult<S>>
listSubjects()
listSubjects(
args):Promise<Subject<SchemaSubjectTypes<S>>[]>
Defined in: packages/polizy/src/polizy.ts:413
Reverse expansion: list the subjects that can perform canThey on onWhat.
Candidates are gathered from direct holders, group members (transitively),
and the object's hierarchy ancestors, then each is confirmed with check.
Parameters
args
canThey
keyof S["actionToRelations"]
context?
Record<string, unknown>
ofType?
onWhat
AnyObject<SchemaObjectTypes<S>>
Returns
Promise<Subject<SchemaSubjectTypes<S>>[]>
listTuples()
listTuples(
filter,options?):Promise<StoredTuple<SchemaSubjectTypes<S>,SchemaObjectTypes<S>>[]>
Defined in: packages/polizy/src/polizy.ts:477
Parameters
filter
Partial<Omit<InputTuple<SchemaSubjectTypes<S>, SchemaObjectTypes<S>>, "id"> & object>
options?
limit?
number
offset?
number
Returns
Promise<StoredTuple<SchemaSubjectTypes<S>, SchemaObjectTypes<S>>[]>
removeMember()
removeMember(
args):Promise<number>
Defined in: packages/polizy/src/polizy.ts:739
Parameters
args
as?
keyof S["relations"]
group
AnyObject<SchemaObjectTypes<S>>
member
Subject<SchemaSubjectTypes<S>> | AnyObject<SchemaObjectTypes<S>>
Returns
Promise<number>
removeParent()
removeParent(
args):Promise<number>
Defined in: packages/polizy/src/polizy.ts:780
Parameters
args
as?
keyof S["relations"]
child
AnyObject<SchemaObjectTypes<S>>
parent
AnyObject<SchemaObjectTypes<S>>
Returns
Promise<number>
setParent()
setParent(
args):Promise<StoredTuple<SchemaSubjectTypes<S>,SchemaObjectTypes<S>>>
Defined in: packages/polizy/src/polizy.ts:757
Parameters
args
as?
keyof S["relations"]
child
AnyObject<SchemaObjectTypes<S>>
condition?
parent
AnyObject<SchemaObjectTypes<S>>
Returns
Promise<StoredTuple<SchemaSubjectTypes<S>, SchemaObjectTypes<S>>>
withReadScope()
withReadScope<
T>(fn,options?):Promise<T>
Defined in: packages/polizy/src/polizy.ts:223
Run several read operations against ONE shared read pass. Inside fn,
scope.check/checkMany/explain/listAccessibleObjects/listSubjects
all share a single reader, so each subject/object/relation is fetched from
storage at most once for the whole scope — not once per operation. Ideal for
a page that asks many authorization questions (a list endpoint, a dashboard).
{ preload: true } fetches the entire tuple set up front in ONE read, so
every check then resolves in memory — use it when the working set is small
or storage round-trips are expensive (e.g. an in-browser database). Omit it
for large stores, where the per-key range reads scale better.
Type Parameters
T
T
Parameters
fn
(scope) => Promise<T>
options?
consistency?
"default" | "strong"
preload?
boolean
Returns
Promise<T>
writeTuple()
writeTuple(
tuple):Promise<StoredTuple<SchemaSubjectTypes<S>,SchemaObjectTypes<S>>>
Defined in: packages/polizy/src/polizy.ts:637
Parameters
tuple
Omit<InputTuple<SchemaSubjectTypes<S>, SchemaObjectTypes<S>>, "id"> & object
Returns
Promise<StoredTuple<SchemaSubjectTypes<S>, SchemaObjectTypes<S>>>