Access check endpoints help you answer authorization questions: “Can this user perform this action on this resource?” and “What resources can this user access?”
Check if an organization membership has a specific permission on a resource. This endpoint considers all sources of access:
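You must provide either `resource_id`, or both `resource_external_id` and `resource_type_slug`, to identify the resource. Of the samples below, only the curl and Node.js ones identify a resource; the others pass just a permission slug, so add a resource identifier when adapting them.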
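For org-wide permissions, you can check the JWT directly without making an API call; validate the token's signature and expiry first, and keep in mind that its claims reflect the permissions at the time the token was issued. Use this endpoint for resource-specific permission checks.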
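# Ask whether one organization membership holds a permission on one resource.
# The here-document must start on its own line: collapsed onto a single line, the JSON body is
# never sent as request data.
#
# `sk_example_123456789` is a documentation placeholder. A real secret key belongs in the
# environment or a secret manager on the server side, not in scripts or shell history.
#
# NOTE(review): the endpoint text asks for `resource_id`, or `resource_external_id` together with
# `resource_type_slug`; this body sends `resource_id` together with `resource_type_slug`.
# Confirm that combination is accepted.
curl --request POST \
  --url "https://api.workos.com/authorization/organization_memberships/om_01HXYZ123456789ABCDEFGHIJ/check" \
  --header "Authorization: Bearer sk_example_123456789" \
  --header "Content-Type: application/json" \
  -d @- <<'BODY'
{
  "permission_slug": "posts:create",
  "resource_id": "resource_01HXYZ123456789ABCDEFGHIJ",
  "resource_type_slug": "document"
}
BODY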
{ "authorized": true }
| curl --request POST \ | |
| --url "https://api.workos.com/authorization/organization_memberships/om_01HXYZ123456789ABCDEFGHIJ/check" \ | |
| --header "Authorization: Bearer sk_example_123456789" \ | |
| --header "Content-Type: application/json" \ | |
| -d @- <<'BODY' | |
| { | |
| "permission_slug": "posts:create", | |
| "resource_id": "resource_01HXYZ123456789ABCDEFGHIJ", | |
| "resource_type_slug": "document" | |
| } | |
| BODY |
| import { WorkOS } from '@workos-inc/node'; | |
| const workos = new WorkOS('sk_example_123456789'); | |
| // Option 1: by resource ID | |
| const result = await workos.authorization.check({ | |
| organizationMembershipId: 'om_01HXYZ123456789ABCDEFGHIJ', | |
| permissionSlug: 'project:edit', | |
| resourceId: 'authz_resource_01HXYZ123456789ABCDEFGH', | |
| }); | |
| // Option 2: by external ID + type | |
| const resultByExternal = await workos.authorization.check({ | |
| organizationMembershipId: 'om_01HXYZ123456789ABCDEFGHIJ', | |
| permissionSlug: 'project:edit', | |
| resourceExternalId: 'proj-456', | |
| resourceTypeSlug: 'project', | |
| }); | |
| console.log(result.authorized); // true or false |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.authorization.check( | |
| organization_membership_id: "om_01HXYZ123456789ABCDEFGHIJ", | |
| permission_slug: "posts:create" | |
| ) |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.authorization.check( | |
| organization_membership_id="om_01HXYZ123456789ABCDEFGHIJ", | |
| permission_slug="posts:create", | |
| ) |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.Authorization().Check(context.Background(), "om_01HXYZ123456789ABCDEFGHIJ", &workos.AuthorizationCheckParams{ | |
| PermissionSlug: "posts:create", | |
| }) | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos | |
| ->authorization() | |
| ->check( | |
| organizationMembershipId: "om_01HXYZ123456789ABCDEFGHIJ", | |
| permissionSlug: "posts:create", | |
| ); |
| import com.workos.WorkOS; | |
| import com.workos.authorization.AuthorizationApi.CheckOptions; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| CheckOptions options = CheckOptions.builder().permissionSlug("posts:create").build(); | |
| workos.authorization.check("om_01HXYZ123456789ABCDEFGHIJ", options); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.Authorization.CheckAsync("om_01HXYZ123456789ABCDEFGHIJ", new AuthorizationCheckOptions { | |
| PermissionSlug = "posts:create", | |
| }); |
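use workos::Client;
use workos::authorization::CheckParams;

/// Asks WorkOS whether one organization membership holds the `posts:create` permission.
///
/// # Errors
///
/// Returns the `workos::Error` propagated from the `check` call.
#[tokio::main]
async fn main() -> Result<(), workos::Error> {
    // Documentation placeholder. A real secret key is a server-side credential: load it from the
    // environment or a secret manager, and never commit it or ship it to a client.
    let client = Client::builder()
        .api_key("sk_example_123456789")
        .client_id("client_123456789")
        .build();

    // NOTE(review): the endpoint text requires `resource_id`, or `resource_external_id` plus
    // `resource_type_slug`. Only `permission_slug` is set here and everything else comes from
    // `Default::default()`; confirm the field names on `CheckParams` and identify the resource.
    let _result = client
        .authorization()
        .check(
            "om_01HXYZ123456789ABCDEFGHIJ",
            CheckParams {
                permission_slug: "posts:create".into(),
                ..Default::default()
            },
        )
        .await?;

    // The JSON response for this endpoint is `{ "authorized": true }` or `false`; how the SDK
    // exposes that flag on the returned value is not shown on this page. The sample discards the
    // value in `_result`. A real caller has to branch on it and deny unless it is explicitly
    // true; presumably a denial arrives as a successful response, not as an `Err` (confirm).
    Ok(())
}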
| { | |
| "authorized": true | |
| } |
POST /authorization/organization_memberships/:organization_membership_id/check

Returns all child resources of a parent resource where the organization membership has a specific permission. This is useful for resource discovery – answering “What projects can this user access in this workspace?”
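You must provide either `parent_resource_id`, or both `parent_resource_external_id` and `parent_resource_type_slug`, to identify the parent resource. Of the samples below, only the Node.js one passes a parent resource identifier; add one when adapting the others.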
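# List the child resources on which one organization membership holds `project:read`.
# `-G` makes curl send the `-d` data as a query string on a GET request.
#
# `sk_example_123456789` is a documentation placeholder; keep real secret keys out of scripts
# and shell history.
#
# NOTE(review): the endpoint text requires `parent_resource_id`, or `parent_resource_external_id`
# plus `parent_resource_type_slug`; this request sends neither. Confirm and add one.
curl "https://api.workos.com/authorization/organization_memberships/om_01HXYZ123456789ABCDEFGHIJ/resources" \
  --header "Authorization: Bearer sk_example_123456789" \
  -G \
  -d permission_slug=project:read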
{ "object": "list", "data": [ { "object": "authorization_resource", "name": "Website Redesign", "description": "Company website redesign project", "organization_id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "parent_resource_id": "authz_resource_01HXYZ123456789ABCDEFGHIJ", "id": "authz_resource_01HXYZ123456789ABCDEFGH", "external_id": "proj-456", "resource_type_slug": "project", "created_at": "2026-01-15T12:00:00.000Z", "updated_at": "2026-01-15T12:00:00.000Z" } ], "list_metadata": { "before": "authz_resource_01HXYZ123456789ABCDEFGHIJ", "after": "authz_resource_01HXYZ987654321KJIHGFEDCBA" } }
| curl "https://api.workos.com/authorization/organization_memberships/om_01HXYZ123456789ABCDEFGHIJ/resources" \ | |
| --header "Authorization: Bearer sk_example_123456789" \ | |
| -G \ | |
| -d permission_slug=project:read |
| import { WorkOS } from '@workos-inc/node'; | |
| const workos = new WorkOS('sk_example_123456789'); | |
| // Option 1: by parent resource ID | |
| const resources = await workos.authorization.listResourcesForMembership({ | |
| organizationMembershipId: 'om_01HXYZ123456789ABCDEFGHIJ', | |
| permissionSlug: 'project:read', | |
| parentResourceId: 'authz_resource_01XYZ789', | |
| limit: 10, | |
| order: 'desc', | |
| }); | |
| // Option 2: by parent external ID + type | |
| const resourcesByExternal = | |
| await workos.authorization.listResourcesForMembership({ | |
| organizationMembershipId: 'om_01HXYZ123456789ABCDEFGHIJ', | |
| permissionSlug: 'project:read', | |
| parentResourceTypeSlug: 'workspace', | |
| parentResourceExternalId: 'ws-123', | |
| }); |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.authorization.list_resources_for_membership( | |
| organization_membership_id: "om_01HXYZ123456789ABCDEFGHIJ", | |
| permission_slug: "project:read" | |
| ) |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.authorization.list_resources_for_membership( | |
| organization_membership_id="om_01HXYZ123456789ABCDEFGHIJ", | |
| permission_slug="project:read", | |
| ) |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.Authorization().ListResourcesForMembership(context.Background(), "om_01HXYZ123456789ABCDEFGHIJ", &workos.AuthorizationListResourcesForMembershipParams{ | |
| PermissionSlug: "project:read", | |
| }) | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos | |
| ->authorization() | |
| ->listResourcesForMembership( | |
| organizationMembershipId: "om_01HXYZ123456789ABCDEFGHIJ", | |
| permissionSlug: "project:read", | |
| ); |
| import com.workos.WorkOS; | |
| import com.workos.authorization.AuthorizationApi.ListResourcesForMembershipOptions; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| ListResourcesForMembershipOptions options = | |
| ListResourcesForMembershipOptions.builder().permissionSlug("project:read").build(); | |
| workos.authorization.listResourcesForMembership("om_01HXYZ123456789ABCDEFGHIJ", options); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.Authorization.ListResourcesForMembershipAsync("om_01HXYZ123456789ABCDEFGHIJ", | |
| new AuthorizationListResourcesForMembershipOptions { | |
| PermissionSlug = "project:read", | |
| }); |
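use workos::Client;
use workos::authorization::ListResourcesForMembershipParams;

/// Lists the resources on which one organization membership holds `project:read`.
///
/// # Errors
///
/// Returns the `workos::Error` propagated from the `list_resources_for_membership` call.
#[tokio::main]
async fn main() -> Result<(), workos::Error> {
    // Documentation placeholder. A real secret key is a server-side credential: load it from the
    // environment or a secret manager, and never commit it or ship it to a client.
    let client = Client::builder()
        .api_key("sk_example_123456789")
        .client_id("client_123456789")
        .build();

    // NOTE(review): the endpoint text requires `parent_resource_id`, or
    // `parent_resource_external_id` plus `parent_resource_type_slug`. Only `permission_slug` is
    // set here; confirm the field names on `ListResourcesForMembershipParams` and set one.
    let _result = client
        .authorization()
        .list_resources_for_membership(
            "om_01HXYZ123456789ABCDEFGHIJ",
            ListResourcesForMembershipParams {
                permission_slug: "project:read".into(),
                ..Default::default()
            },
        )
        .await?;

    // The JSON response is a list with `list_metadata.before` / `after` cursors, so one call may
    // return only part of the set. A caller that builds an access decision or an audit view from
    // this list has to follow the cursors to the end; how the SDK exposes them is not shown here.
    Ok(())
}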
| { | |
| "object": "list", | |
| "data": [ | |
| { | |
| "object": "authorization_resource", | |
| "name": "Website Redesign", | |
| "description": "Company website redesign project", | |
| "organization_id": "org_01EHZNVPK3SFK441A1RGBFSHRT", | |
| "parent_resource_id": "authz_resource_01HXYZ123456789ABCDEFGHIJ", | |
| "id": "authz_resource_01HXYZ123456789ABCDEFGH", | |
| "external_id": "proj-456", | |
| "resource_type_slug": "project", | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z" | |
| } | |
| ], | |
| "list_metadata": { | |
| "before": "authz_resource_01HXYZ123456789ABCDEFGHIJ", | |
| "after": "authz_resource_01HXYZ987654321KJIHGFEDCBA" | |
| } | |
| } |
GET /authorization/organization_memberships/:organization_membership_id/resources

Returns all organization memberships that have a specific permission on a resource. This is useful for answering “Who can access this resource?”
You can filter by assignment type to distinguish between direct assignments (role assigned directly on the resource) and indirect assignments (permission inherited from a parent resource).
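# List the organization memberships that hold `document:edit` on one resource.
# `-G` makes curl send the `-d` data as a query string on a GET request.
#
# `sk_example_123456789` is a documentation placeholder; keep real secret keys out of scripts
# and shell history.
#
# The response embeds each member's user record (name, email, custom attributes), so treat the
# output as personal data when logging or storing it.
curl "https://api.workos.com/authorization/resources/authz_resource_01HXYZ123456789ABCDEFGHIJ/organization_memberships" \
  --header "Authorization: Bearer sk_example_123456789" \
  -G \
  -d permission_slug=document:edit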
{ "object": "list", "data": [ { "object": "organization_membership", "id": "om_01HXYZ123456789ABCDEFGHIJ", "user_id": "user_01E4ZCR3C56J083X43JQXF3JK5", "organization_id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "status": "active", "directory_managed": false, "organization_name": "Acme Corp", "custom_attributes": { "department": "Engineering", "title": "Developer Experience Engineer", "location": "Brooklyn" }, "created_at": "2026-01-15T12:00:00.000Z", "updated_at": "2026-01-15T12:00:00.000Z", "user": { "object": "user", "id": "user_01E4ZCR3C56J083X43JQXF3JK5", "first_name": "Marcelina", "last_name": "Davis", "name": "Marcelina Davis", "profile_picture_url": "https://workoscdn.com/images/v1/123abc", "email": "marcelina.davis@example.com", "email_verified": true, "external_id": "f1ffa2b2-c20b-4d39-be5c-212726e11222", "metadata": { "timezone": "America/New_York" }, "last_sign_in_at": "2025-06-25T19:07:33.155Z", "locale": "en-US", "created_at": "2026-01-15T12:00:00.000Z", "updated_at": "2026-01-15T12:00:00.000Z" } } ], "list_metadata": { "before": "om_01HXYZ123456789ABCDEFGHIJ", "after": "om_01HXYZ987654321KJIHGFEDCBA" } }
| curl "https://api.workos.com/authorization/resources/authz_resource_01HXYZ123456789ABCDEFGHIJ/organization_memberships" \ | |
| --header "Authorization: Bearer sk_example_123456789" \ | |
| -G \ | |
| -d permission_slug=document:edit |
| import { WorkOS } from '@workos-inc/node'; | |
| const workos = new WorkOS('sk_example_123456789'); | |
| const memberships = await workos.authorization.listMembershipsForResource({ | |
| resourceId: 'authz_resource_01HXYZ123456789ABCDEFGH', | |
| permissionSlug: 'project:edit', | |
| assignment: 'direct', | |
| limit: 10, | |
| order: 'desc', | |
| }); |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.authorization.list_memberships_for_resource( | |
| resource_id: "authz_resource_01HXYZ123456789ABCDEFGHIJ", | |
| permission_slug: "document:edit" | |
| ) |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.authorization.list_memberships_for_resource( | |
| resource_id="authz_resource_01HXYZ123456789ABCDEFGHIJ", | |
| permission_slug="document:edit", | |
| ) |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.Authorization().ListMembershipsForResource(context.Background(), "authz_resource_01HXYZ123456789ABCDEFGHIJ", &workos.AuthorizationListMembershipsForResourceParams{ | |
| PermissionSlug: "document:edit", | |
| }) | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos | |
| ->authorization() | |
| ->listMembershipsForResource( | |
| resourceId: "authz_resource_01HXYZ123456789ABCDEFGHIJ", | |
| permissionSlug: "document:edit", | |
| ); |
| import com.workos.WorkOS; | |
| import com.workos.authorization.AuthorizationApi.ListMembershipsForResourceOptions; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| ListMembershipsForResourceOptions options = | |
| ListMembershipsForResourceOptions.builder().permissionSlug("document:edit").build(); | |
| workos.authorization.listMembershipsForResource( | |
| "authz_resource_01HXYZ123456789ABCDEFGHIJ", options); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.Authorization.ListMembershipsForResourceAsync("authz_resource_01HXYZ123456789ABCDEFGHIJ", | |
| new AuthorizationListMembershipsForResourceOptions { | |
| PermissionSlug = "document:edit", | |
| }); |
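use workos::Client;
use workos::authorization::ListMembershipsForResourceParams;

/// Lists the organization memberships that hold `document:edit` on one resource.
///
/// # Errors
///
/// Returns the `workos::Error` propagated from the `list_memberships_for_resource` call.
#[tokio::main]
async fn main() -> Result<(), workos::Error> {
    // Documentation placeholder. A real secret key is a server-side credential: load it from the
    // environment or a secret manager, and never commit it or ship it to a client.
    let client = Client::builder()
        .api_key("sk_example_123456789")
        .client_id("client_123456789")
        .build();

    // The endpoint text says results can be filtered by assignment type (a role assigned directly
    // on the resource versus a permission inherited from a parent resource). No such filter is
    // set here; every field other than `permission_slug` comes from `Default::default()`.
    let _result = client
        .authorization()
        .list_memberships_for_resource(
            "authz_resource_01HXYZ123456789ABCDEFGHIJ",
            ListMembershipsForResourceParams {
                permission_slug: "document:edit".into(),
                ..Default::default()
            },
        )
        .await?;

    // The JSON response is paginated (`list_metadata.before` / `after`) and embeds each member's
    // user record, including name and email. An access review needs every page, and the records
    // should be handled as personal data when logged or stored.
    Ok(())
}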
| { | |
| "object": "list", | |
| "data": [ | |
| { | |
| "object": "organization_membership", | |
| "id": "om_01HXYZ123456789ABCDEFGHIJ", | |
| "user_id": "user_01E4ZCR3C56J083X43JQXF3JK5", | |
| "organization_id": "org_01EHZNVPK3SFK441A1RGBFSHRT", | |
| "status": "active", | |
| "directory_managed": false, | |
| "organization_name": "Acme Corp", | |
| "custom_attributes": { | |
| "department": "Engineering", | |
| "title": "Developer Experience Engineer", | |
| "location": "Brooklyn" | |
| }, | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z", | |
| "user": { | |
| "object": "user", | |
| "id": "user_01E4ZCR3C56J083X43JQXF3JK5", | |
| "first_name": "Marcelina", | |
| "last_name": "Davis", | |
| "name": "Marcelina Davis", | |
| "profile_picture_url": "https://workoscdn.com/images/v1/123abc", | |
| "email": "marcelina.davis@example.com", | |
| "email_verified": true, | |
| "external_id": "f1ffa2b2-c20b-4d39-be5c-212726e11222", | |
| "metadata": { | |
| "timezone": "America/New_York" | |
| }, | |
| "last_sign_in_at": "2025-06-25T19:07:33.155Z", | |
| "locale": "en-US", | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z" | |
| } | |
| } | |
| ], | |
| "list_metadata": { | |
| "before": "om_01HXYZ123456789ABCDEFGHIJ", | |
| "after": "om_01HXYZ987654321KJIHGFEDCBA" | |
| } | |
| } |
GET /authorization/resources/:resource_id/organization_memberships

Returns all organization memberships that have a specific permission on a resource, using the resource’s external ID. This is useful for answering “Who can access this resource?” when you only have the external ID.
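# List the organization memberships that hold `project:read` on a resource addressed by
# organization ID, resource type slug and external ID.
# `-G` makes curl send the `-d` data as a query string on a GET request.
#
# `sk_example_123456789` is a documentation placeholder; keep real secret keys out of scripts
# and shell history.
#
# The response embeds each member's user record (name, email, custom attributes), so treat the
# output as personal data when logging or storing it.
curl "https://api.workos.com/authorization/organizations/org_01EHZNVPK3SFK441A1RGBFSHRT/resources/project/proj-456/organization_memberships" \
  --header "Authorization: Bearer sk_example_123456789" \
  -G \
  -d permission_slug=project:read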
{ "object": "list", "data": [ { "object": "organization_membership", "id": "om_01HXYZ123456789ABCDEFGHIJ", "user_id": "user_01E4ZCR3C56J083X43JQXF3JK5", "organization_id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "status": "active", "directory_managed": false, "organization_name": "Acme Corp", "custom_attributes": { "department": "Engineering", "title": "Developer Experience Engineer", "location": "Brooklyn" }, "created_at": "2026-01-15T12:00:00.000Z", "updated_at": "2026-01-15T12:00:00.000Z", "user": { "object": "user", "id": "user_01E4ZCR3C56J083X43JQXF3JK5", "first_name": "Marcelina", "last_name": "Davis", "name": "Marcelina Davis", "profile_picture_url": "https://workoscdn.com/images/v1/123abc", "email": "marcelina.davis@example.com", "email_verified": true, "external_id": "f1ffa2b2-c20b-4d39-be5c-212726e11222", "metadata": { "timezone": "America/New_York" }, "last_sign_in_at": "2025-06-25T19:07:33.155Z", "locale": "en-US", "created_at": "2026-01-15T12:00:00.000Z", "updated_at": "2026-01-15T12:00:00.000Z" } } ], "list_metadata": { "before": "om_01HXYZ123456789ABCDEFGHIJ", "after": "om_01HXYZ987654321KJIHGFEDCBA" } }
| curl "https://api.workos.com/authorization/organizations/org_01EHZNVPK3SFK441A1RGBFSHRT/resources/project/proj-456/organization_memberships" \ | |
| --header "Authorization: Bearer sk_example_123456789" \ | |
| -G \ | |
| -d permission_slug=project:read |
| import { WorkOS } from '@workos-inc/node'; | |
| const workos = new WorkOS('sk_example_123456789'); | |
| const memberships = | |
| await workos.authorization.listMembershipsForResourceByExternalId({ | |
| organizationId: 'org_01ABC123', | |
| resourceTypeSlug: 'project', | |
| externalId: 'proj-456', | |
| permissionSlug: 'project:edit', | |
| assignment: 'direct', | |
| limit: 10, | |
| }); |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.authorization.list_memberships_for_resource_by_external_id( | |
| organization_id: "org_01EHZNVPK3SFK441A1RGBFSHRT", | |
| resource_type_slug: "project", | |
| external_id: "proj-456", | |
| permission_slug: "project:read" | |
| ) |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.authorization.list_memberships_for_resource_by_external_id( | |
| organization_id="org_01EHZNVPK3SFK441A1RGBFSHRT", | |
| resource_type_slug="project", | |
| external_id="proj-456", | |
| permission_slug="project:read", | |
| ) |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.Authorization().ListMembershipsForResourceByExternalID(context.Background(), "org_01EHZNVPK3SFK441A1RGBFSHRT", "project", "proj-456", &workos.AuthorizationListMembershipsForResourceByExternalIDParams{ | |
| PermissionSlug: "project:read", | |
| }) | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos | |
| ->authorization() | |
| ->listMembershipsForResourceByExternalId( | |
| organizationId: "org_01EHZNVPK3SFK441A1RGBFSHRT", | |
| resourceTypeSlug: "project", | |
| externalId: "proj-456", | |
| permissionSlug: "project:read", | |
| ); |
| import com.workos.WorkOS; | |
| import com.workos.authorization.AuthorizationApi.ListMembershipsForResourceByExternalIdOptions; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| ListMembershipsForResourceByExternalIdOptions options = | |
| ListMembershipsForResourceByExternalIdOptions.builder() | |
| .permissionSlug("project:read") | |
| .build(); | |
| workos.authorization.listMembershipsForResourceByExternalId( | |
| "org_01EHZNVPK3SFK441A1RGBFSHRT", "project", "proj-456", options); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.Authorization.ListMembershipsForResourceByExternalIdAsync( | |
| "org_01EHZNVPK3SFK441A1RGBFSHRT", "project", "proj-456", | |
| new AuthorizationListMembershipsForResourceByExternalIdOptions { | |
| PermissionSlug = "project:read", | |
| }); |
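use workos::Client;
use workos::authorization::ListMembershipsForResourceByExternalIdParams;

/// Lists the organization memberships that hold `project:read` on a resource addressed by
/// organization ID, resource type slug and external ID.
///
/// # Errors
///
/// Returns the `workos::Error` propagated from the
/// `list_memberships_for_resource_by_external_id` call.
#[tokio::main]
async fn main() -> Result<(), workos::Error> {
    // Documentation placeholder. A real secret key is a server-side credential: load it from the
    // environment or a secret manager, and never commit it or ship it to a client.
    let client = Client::builder()
        .api_key("sk_example_123456789")
        .client_id("client_123456789")
        .build();

    // Positional arguments, in the order of the URL path segments
    // `/organizations/:organization_id/resources/:resource_type_slug/:external_id`.
    // NOTE(review): if any of them originates from a request, authorize the caller for that
    // organization first; the external ID alone does not establish which tenant is asking.
    let _result = client
        .authorization()
        .list_memberships_for_resource_by_external_id(
            "org_01EHZNVPK3SFK441A1RGBFSHRT",
            "project",
            "proj-456",
            ListMembershipsForResourceByExternalIdParams {
                permission_slug: "project:read".into(),
                ..Default::default()
            },
        )
        .await?;

    // The JSON response is paginated (`list_metadata.before` / `after`) and embeds each member's
    // user record, including name and email. An access review needs every page, and the records
    // should be handled as personal data when logged or stored.
    Ok(())
}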
| { | |
| "object": "list", | |
| "data": [ | |
| { | |
| "object": "organization_membership", | |
| "id": "om_01HXYZ123456789ABCDEFGHIJ", | |
| "user_id": "user_01E4ZCR3C56J083X43JQXF3JK5", | |
| "organization_id": "org_01EHZNVPK3SFK441A1RGBFSHRT", | |
| "status": "active", | |
| "directory_managed": false, | |
| "organization_name": "Acme Corp", | |
| "custom_attributes": { | |
| "department": "Engineering", | |
| "title": "Developer Experience Engineer", | |
| "location": "Brooklyn" | |
| }, | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z", | |
| "user": { | |
| "object": "user", | |
| "id": "user_01E4ZCR3C56J083X43JQXF3JK5", | |
| "first_name": "Marcelina", | |
| "last_name": "Davis", | |
| "name": "Marcelina Davis", | |
| "profile_picture_url": "https://workoscdn.com/images/v1/123abc", | |
| "email": "marcelina.davis@example.com", | |
| "email_verified": true, | |
| "external_id": "f1ffa2b2-c20b-4d39-be5c-212726e11222", | |
| "metadata": { | |
| "timezone": "America/New_York" | |
| }, | |
| "last_sign_in_at": "2025-06-25T19:07:33.155Z", | |
| "locale": "en-US", | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z" | |
| } | |
| } | |
| ], | |
| "list_metadata": { | |
| "before": "om_01HXYZ123456789ABCDEFGHIJ", | |
| "after": "om_01HXYZ987654321KJIHGFEDCBA" | |
| } | |
| } |
GET /authorization/organizations/:organization_id/resources/:resource_type_slug/:external_id/organization_memberships

Returns all permissions the organization membership effectively has on a resource, including permissions inherited through roles assigned to ancestor resources.
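# List every permission one organization membership effectively holds on one resource,
# including permissions inherited through roles assigned to ancestor resources.
#
# `sk_example_123456789` is a documentation placeholder; keep real secret keys out of scripts
# and shell history.
curl "https://api.workos.com/authorization/organization_memberships/om_01HXYZ123456789ABCDEFGHIJ/resources/authz_resource_01HXYZ123456789ABCDEFGHIJ/permissions" \
  --header "Authorization: Bearer sk_example_123456789"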
{ "object": "list", "data": [ { "object": "permission", "id": "perm_01HXYZ123456789ABCDEFGHIJ", "slug": "documents:read", "name": "View Documents", "description": "Allows viewing document contents", "system": false, "resource_type_slug": "workspace", "created_at": "2026-01-15T12:00:00.000Z", "updated_at": "2026-01-15T12:00:00.000Z" } ], "list_metadata": { "before": "perm_01HXYZ123456789ABCDEFGHIJ", "after": "perm_01HXYZ987654321KJIHGFEDCBA" } }
| curl "https://api.workos.com/authorization/organization_memberships/om_01HXYZ123456789ABCDEFGHIJ/resources/authz_resource_01HXYZ123456789ABCDEFGHIJ/permissions" \ | |
| --header "Authorization: Bearer sk_example_123456789" |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.authorization.list_effective_permissions( | |
| organization_membership_id: "om_01HXYZ123456789ABCDEFGHIJ", | |
| resource_id: "authz_resource_01HXYZ123456789ABCDEFGHIJ" | |
| ) |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.authorization.list_effective_permissions( | |
| organization_membership_id="om_01HXYZ123456789ABCDEFGHIJ", | |
| resource_id="authz_resource_01HXYZ123456789ABCDEFGHIJ", | |
| ) |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.Authorization().ListEffectivePermissions(context.Background(), "om_01HXYZ123456789ABCDEFGHIJ", "authz_resource_01HXYZ123456789ABCDEFGHIJ") | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos | |
| ->authorization() | |
| ->listEffectivePermissions( | |
| organizationMembershipId: "om_01HXYZ123456789ABCDEFGHIJ", | |
| resourceId: "authz_resource_01HXYZ123456789ABCDEFGHIJ", | |
| ); |
| import com.workos.WorkOS; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| workos.authorization.listEffectivePermissions( | |
| "om_01HXYZ123456789ABCDEFGHIJ", "authz_resource_01HXYZ123456789ABCDEFGHIJ"); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.Authorization.ListEffectivePermissionsAsync("om_01HXYZ123456789ABCDEFGHIJ", | |
| "authz_resource_01HXYZ123456789ABCDEFGHIJ"); |
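use workos::Client;

/// Lists the permissions one organization membership effectively holds on one resource.
///
/// # Errors
///
/// Returns the `workos::Error` propagated from the `list_effective_permissions` call.
#[tokio::main]
async fn main() -> Result<(), workos::Error> {
    // Documentation placeholder. A real secret key is a server-side credential: load it from the
    // environment or a secret manager, and never commit it or ship it to a client.
    let client = Client::builder()
        .api_key("sk_example_123456789")
        .client_id("client_123456789")
        .build();

    // Arguments: organization membership ID, then resource ID.
    let _result = client
        .authorization()
        .list_effective_permissions(
            "om_01HXYZ123456789ABCDEFGHIJ",
            "authz_resource_01HXYZ123456789ABCDEFGHIJ",
        )
        .await?;

    // Per the endpoint text, the list includes permissions inherited through roles assigned to
    // ancestor resources, so it can be wider than the roles assigned on this resource alone.
    // The JSON response is paginated (`list_metadata.before` / `after`); read every page before
    // concluding that a permission is absent.
    Ok(())
}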
| { | |
| "object": "list", | |
| "data": [ | |
| { | |
| "object": "permission", | |
| "id": "perm_01HXYZ123456789ABCDEFGHIJ", | |
| "slug": "documents:read", | |
| "name": "View Documents", | |
| "description": "Allows viewing document contents", | |
| "system": false, | |
| "resource_type_slug": "workspace", | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z" | |
| } | |
| ], | |
| "list_metadata": { | |
| "before": "perm_01HXYZ123456789ABCDEFGHIJ", | |
| "after": "perm_01HXYZ987654321KJIHGFEDCBA" | |
| } | |
| } |
GET /authorization/organization_memberships/:organization_membership_id/resources/:resource_id/permissions

Returns all permissions the organization membership effectively has on a resource identified by its external ID, including permissions inherited through roles assigned to ancestor resources.
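# List every permission one organization membership effectively holds on a resource addressed
# by resource type slug and external ID, including permissions inherited through roles assigned
# to ancestor resources.
#
# `sk_example_123456789` is a documentation placeholder; keep real secret keys out of scripts
# and shell history.
curl "https://api.workos.com/authorization/organization_memberships/om_01HXYZ123456789ABCDEFGHIJ/resources/document/doc-456/permissions" \
  --header "Authorization: Bearer sk_example_123456789"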
{ "object": "list", "data": [ { "object": "permission", "id": "perm_01HXYZ123456789ABCDEFGHIJ", "slug": "documents:read", "name": "View Documents", "description": "Allows viewing document contents", "system": false, "resource_type_slug": "workspace", "created_at": "2026-01-15T12:00:00.000Z", "updated_at": "2026-01-15T12:00:00.000Z" } ], "list_metadata": { "before": "perm_01HXYZ123456789ABCDEFGHIJ", "after": "perm_01HXYZ987654321KJIHGFEDCBA" } }
| curl "https://api.workos.com/authorization/organization_memberships/om_01HXYZ123456789ABCDEFGHIJ/resources/document/doc-456/permissions" \ | |
| --header "Authorization: Bearer sk_example_123456789" |
| require "workos" | |
| WorkOS.configure do |config| | |
| config.api_key = "sk_example_123456789" | |
| end | |
| WorkOS.client.authorization.list_effective_permissions_by_external_id( | |
| organization_membership_id: "om_01HXYZ123456789ABCDEFGHIJ", | |
| resource_type_slug: "document", | |
| external_id: "doc-456" | |
| ) |
| from workos import WorkOSClient | |
| client = WorkOSClient(api_key="sk_example_123456789", client_id="client_123456789") | |
| client.authorization.list_effective_permissions_by_external_id( | |
| organization_membership_id="om_01HXYZ123456789ABCDEFGHIJ", | |
| resource_type_slug="document", | |
| external_id="doc-456", | |
| ) |
| package main | |
| import ( | |
| "context" | |
| "github.com/workos/workos-go/v9" | |
| ) | |
| func main() { | |
| client := workos.NewClient("sk_example_123456789") | |
| _, err := client.Authorization().ListEffectivePermissionsByExternalID(context.Background(), "om_01HXYZ123456789ABCDEFGHIJ", "document", "doc-456") | |
| if err != nil { | |
| panic(err) | |
| } | |
| } |
| <?php | |
| use WorkOS\WorkOS; | |
| $workos = new WorkOS( | |
| apiKey: "sk_example_123456789", | |
| clientId: "client_123456789", | |
| ); | |
| $workos | |
| ->authorization() | |
| ->listEffectivePermissionsByExternalId( | |
| organizationMembershipId: "om_01HXYZ123456789ABCDEFGHIJ", | |
| resourceTypeSlug: "document", | |
| externalId: "doc-456", | |
| ); |
| import com.workos.WorkOS; | |
| WorkOS workos = new WorkOS("sk_example_123456789"); | |
| workos.authorization.listEffectivePermissionsByExternalId( | |
| "om_01HXYZ123456789ABCDEFGHIJ", "document", "doc-456"); |
| using WorkOS; | |
| var client = new WorkOSClient(new WorkOSOptions { | |
| ApiKey = "sk_example_123456789", | |
| ClientId = "client_123456789", | |
| }); | |
| await client.Authorization.ListEffectivePermissionsByExternalIdAsync("om_01HXYZ123456789ABCDEFGHIJ", "document", | |
| "doc-456"); |
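use workos::Client;

/// Lists the permissions one organization membership effectively holds on a resource addressed
/// by resource type slug and external ID.
///
/// # Errors
///
/// Returns the `workos::Error` propagated from the `list_effective_permissions_by_external_id`
/// call.
#[tokio::main]
async fn main() -> Result<(), workos::Error> {
    // Documentation placeholder. A real secret key is a server-side credential: load it from the
    // environment or a secret manager, and never commit it or ship it to a client.
    let client = Client::builder()
        .api_key("sk_example_123456789")
        .client_id("client_123456789")
        .build();

    // Arguments: organization membership ID, resource type slug, external ID.
    let _result = client
        .authorization()
        .list_effective_permissions_by_external_id(
            "om_01HXYZ123456789ABCDEFGHIJ",
            "document",
            "doc-456",
        )
        .await?;

    // Per the endpoint text, the list includes permissions inherited through roles assigned to
    // ancestor resources, so it can be wider than the roles assigned on this resource alone.
    // The JSON response is paginated (`list_metadata.before` / `after`); read every page before
    // concluding that a permission is absent.
    Ok(())
}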
| { | |
| "object": "list", | |
| "data": [ | |
| { | |
| "object": "permission", | |
| "id": "perm_01HXYZ123456789ABCDEFGHIJ", | |
| "slug": "documents:read", | |
| "name": "View Documents", | |
| "description": "Allows viewing document contents", | |
| "system": false, | |
| "resource_type_slug": "workspace", | |
| "created_at": "2026-01-15T12:00:00.000Z", | |
| "updated_at": "2026-01-15T12:00:00.000Z" | |
| } | |
| ], | |
| "list_metadata": { | |
| "before": "perm_01HXYZ123456789ABCDEFGHIJ", | |
| "after": "perm_01HXYZ987654321KJIHGFEDCBA" | |
| } | |
| } |
GET /authorization/organization_memberships/:organization_membership_id/resources/:resource_type_slug/:external_id/permissions