> ## Documentation Index
> Fetch the complete documentation index at: https://www.osohq.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Post authorize query
> Fetches a query that can be run against your database to determine whether an actor can perform an action on a resource.
## OpenAPI
````yaml post /authorize_query
openapi: 3.1.0
info:
title: Oso Cloud HTTP API
version: 0.1.0
description: >-
Oso Cloud exposes an HTTP API that you can use to make queries directly,
without using one of the clients.
For endpoints that require
authentication, pass your API key as an HTTP Bearer Auth payload.
For
example, using curl: curl -H "Authorization: Bearer
$OSO_AUTH" https://cloud.osohq.com/api/
servers:
- url: https://api.osohq.com/api/
security: []
paths:
/authorize_query:
post:
tags:
- Local Check API
description: >-
Fetches a query that can be run against your database to determine
whether an actor can perform an action on a resource.
operationId: post_authorize_query
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/LocalAuthQuery'
required: true
responses:
'200':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/LocalAuthResult'
default:
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/ApiError'
security:
- ApiKey: []
x-codeSamples:
- lang: javascript
label: Node.js
source: |
import { Oso } from 'oso-cloud';
const apiKey = process.env.OSO_CLOUD_API_KEY;
const oso = new Oso("https://cloud.osohq.com", apiKey);
// Generate authorization check SQL
const alice = { type: "User", id: "alice" };
const issue = { type: "Issue", id: "123" };
const query = await oso.authorizeLocal(alice, "read", issue);
// Execute with database (example with raw SQL)
const result = await sql.raw(query).execute(db);
const { allowed } = result.rows[0];
if (!allowed) {
throw new Error("Access denied");
}
- lang: python
label: Python
source: |
from oso_cloud import Oso, Value
import os
from sqlalchemy import text
from oso_cloud import Oso, Value
oso = Oso(api_key=os.environ.get('OSO_CLOUD_API_KEY', None))
# Generate authorization check SQL
alice = Value("User", "alice")
issue = Value("Issue", "123")
query = oso.authorize_local(alice, "read", issue)
# Execute with SQLAlchemy
authorized = session.execute(text(query)).scalar()
if not authorized:
raise Exception("Access denied")
- lang: go
label: Go
source: |
package main
import (
"log"
"os"
oso "github.com/osohq/go-oso-cloud/v2"
)
func main() {
apiKey := os.Getenv("OSO_CLOUD_API_KEY")
osoClient := oso.NewClient("https://cloud.osohq.com", apiKey)
// Generate authorization check SQL
alice := oso.NewValue("User", "alice")
issue := oso.NewValue("Issue", "123")
query, err := osoClient.AuthorizeLocal(alice, "read", issue)
if err != nil {
log.Fatal(err)
}
// Execute with GORM
var authorizeResult AuthorizeResult
db.Raw(query).Scan(&authorizeResult)
if !authorizeResult.Allowed {
return fmt.Errorf("access denied")
}
}
- lang: java
label: Java
source: |
package com.mycompany;
import java.io.IOException;
import com.osohq.oso_cloud.Oso;
import com.osohq.oso_cloud.api.ApiException;
import com.osohq.oso_cloud.api.Value;
public class App {
public static void main(String[] args) {
String apiKey = System.getenv("OSO_CLOUD_API_KEY");
Oso oso = new Oso(apiKey);
try {
// Generate authorization check SQL
Value alice = new Value("User", "alice");
Value issue = new Value("Issue", "123");
String query = oso.authorizeLocal(alice, "read", issue);
// Execute with database (example with JPA/Hibernate)
Boolean authorized = (Boolean) entityManager.createNativeQuery(query)
.getSingleResult();
if (!authorized) {
throw new SecurityException("Access denied");
}
} catch (IOException | ApiException e) {
System.err.println("Error: " + e.getMessage());
}
}
}
- lang: ruby
label: Ruby
source: >
require 'oso-cloud'
api_key = ENV.fetch('OSO_CLOUD_API_KEY', nil)
oso = OsoCloud::Oso.new(url: "https://cloud.osohq.com", api_key:
api_key)
# Generate authorization check SQL
alice = OsoCloud::Value.new(type: "User", id: "alice")
issue = OsoCloud::Value.new(type: "Issue", id: "123")
query = oso.authorize_local(alice, "read", issue)
# Execute with ActiveRecord
authorized =
ActiveRecord::Base.connection.execute(query).values.first.first
raise "Access denied" unless authorized
- lang: csharp
label: C#
source: >
using OsoCloud;
string? apiKey =
Environment.GetEnvironmentVariable("OSO_CLOUD_API_KEY");
var oso = new Oso("https://api.osohq.com", apiKey);
// Generate authorization check SQL
var alice = new Value("User", "alice");
var issue = new Value("Issue", "123");
string query = await oso.AuthorizeLocal(alice, "read", issue);
// Execute with Entity Framework
bool authorized = await
context.Database.SqlQueryRaw(query).FirstAsync();
if (!authorized) {
throw new UnauthorizedAccessException("Access denied");
}
components:
schemas:
LocalAuthQuery:
type: object
required:
- data_bindings
- query
properties:
query:
$ref: '#/components/schemas/AuthorizeQuery'
data_bindings:
type: string
LocalAuthResult:
type: object
required:
- sql
properties:
sql:
type: string
ApiError:
type: object
required:
- message
properties:
message:
type: string
AuthorizeQuery:
type: object
required:
- action
- actor_id
- actor_type
- resource_id
- resource_type
properties:
actor_type:
type: string
actor_id:
type: string
action:
type: string
resource_type:
type: string
resource_id:
type: string
context_facts:
default: []
type: array
items:
$ref: '#/components/schemas/Fact'
Fact:
description: 'A pattern object for matching authorization-relevant data, ie: facts.'
type: object
required:
- args
- predicate
properties:
predicate:
type: string
args:
type: array
items:
$ref: '#/components/schemas/Value'
Value:
type: object
properties:
type:
type: string
nullable: true
id:
type: string
nullable: true
securitySchemes:
ApiKey:
description: Requires an API key to access.
type: http
scheme: bearer
bearerFormat: Bearer e_0123_123_token0123
````