Skip to main content
Context facts let you provide additional, request-specific facts alongside an authorization decision. These facts are considered true only for the duration of that decision and are not stored persistently. Common examples include a user’s geographic location or local time at the moment of the request.

How context facts affect authorization

When Oso evaluates an authorization request, it checks the policy against known facts (typically stored in Oso Cloud); if the facts are true, the request succeeds. Context facts can also satisfy policy conditions, letting you provide information that exists only at request time. If a context fact isn’t provided, Oso checks the centralized fact storage instead.

Example

Consider a policy rule: 
has_permission(user: User, "delete", account: Account) if
  has_relation(user, "owner", account) and
  request_came_from_eu(true)
You may not want request_came_from_eu to be globally true. Instead, provide it as a context fact when appropriate:
  • Node.js
  • Python
  • Go
  • Ruby
  • C#
  • Java
  • CLI
oso.js
import { Oso } from 'oso-cloud'

const apiKey = process.env.OSO_CLOUD_API_KEY;

const oso = new Oso("https://cloud.osohq.com", apiKey);

const authorized = await oso.authorize(
  {type: "User", id: "alice"},
  "delete",
  {type: "Account", id: "alice"},
  [ // Context Facts
    ["request_came_from_eu", {type: "Boolean", id: "true"}]
  ]
);

console.log("Authorization result was " + authorized);

When to use context facts

Use context facts when authorization depends on ephemeral or external data that isn’t part of your database. Examples:
  • Identity provider (IDP) claims: Roles or permissions that exist only on a user’s authentication token (e.g. is_admin(user) from a JWT). Context facts let you pass these values without syncing them to Oso Cloud.
  • Request-specific properties: Information like IP address, time of day, or location: is_weekend(true) or request_came_from_eu(true)).
In most other contexts, we recommend using Local Authorization. See Data management for how context facts compare to other strategies.

Using context facts with the Check API

All SDKs support including context facts in check calls. The methods are documented under Authorization Checks. Some SDKs also let you include context facts with the local check API. See Local Authorization for more information.