Identity SDK

An IAsyncAuthorizationFilter for your endpoints (RequirePermissionAttribute.cs):

[HttpGet("/wallet"), RequirePermission("wallet.read")]
[HttpPost("/wallet/admin"), RequirePermission("wallet.admin", ServerCheck = true)]
  • Default (ServerCheck=false) — reads JWT claims (AxowlPrincipalAccessor.HasPermission, wildcard-aware), no round-trip.
  • ServerCheck=true — calls IAxowlIdentityClient.CheckPermissionAsync; fails closed (deny) on network failure.

JS/TS — usePermission / requirePermission

const { can } = usePermission(); // React: can('report.view')
app.get('/api/reports', requirePermission('report.view'), handler); // Express middleware

The gRPC IdentityService (Introspect, CheckPermission, IdentityServiceImpl.cs:43,72) authenticates with the org API key (Bearer ah_live_…), validates the user token against the org RS256 JWKS, and reads permissions fresh from ConnectedIdPermissions (:226) so revocations apply immediately. Wildcard matching: *, x.*, exact (MatchScope, :263).
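The two decision paths described above, as an added example that is not the SDK's own code: wildcard-aware matching against token claims, and a server check that denies on any failure. The names `matchScope`, `hasPermission`, `checkFailClosed` and `checkRemote`, the `permissions` claim name, the timeout, and the reading of `x.*` as "anything under the `x.` prefix" are assumptions.

```javascript
// Added example; names and the exact wildcard semantics are assumptions.

// Does one granted scope cover the required permission?
//   "*"   -> everything
//   "x.*" -> anything under the "x." prefix (assumed: not bare "x")
//   other -> exact, case-sensitive match
function matchScope(granted, required) {
  if (typeof granted !== 'string' || typeof required !== 'string' || !required) return false;
  if (granted === '*') return true;
  if (granted.endsWith('.*')) {
    const prefix = granted.slice(0, -1); // keep the dot: "wallet.*" -> "wallet."
    // The dot stops "wallet.*" from covering "walletadmin.read".
    return prefix.length > 1 && required.length > prefix.length && required.startsWith(prefix);
  }
  return granted === required;
}

// Local path (ServerCheck=false): decide from the claims of an already-verified token.
// The "permissions" claim name is an assumption.
function hasPermission(claims, required) {
  const granted = claims && Array.isArray(claims.permissions) ? claims.permissions : [];
  return granted.some((g) => matchScope(g, required));
}

// Server path (ServerCheck=true): ask the identity service and deny on any failure.
// `checkRemote` is a hypothetical async function standing in for the SDK client call.
async function checkFailClosed(checkRemote, token, required, timeoutMs = 2000) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('timeout')), timeoutMs);
  });
  try {
    const result = await Promise.race([checkRemote(token, required), timeout]);
    return result === true; // only an explicit allow counts
  } catch (err) {
    return false; // network error, timeout or thrown exception: deny
  } finally {
    clearTimeout(timer);
  }
}

// Constructed sample claims, for illustration only.
const sampleClaims = { sub: 'user-1', permissions: ['report.*', 'wallet.read'] };
console.log(hasPermission(sampleClaims, 'report.view'), hasPermission(sampleClaims, 'wallet.admin'));
```

The local path trusts whatever the token carried when it was issued, so a revoked permission stays usable until the token expires; the server path is the one that sees revocations immediately.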