Check permissions

const options = {
  method: 'POST',
  headers: {Authorization: 'Bearer <token>', 'Content-Type': 'application/json'},
  body: JSON.stringify({
    checks: [{action: 'compute.instances.create', resource: 'proj-abc123'}],
    subject: 'user-xyz789'
  })
};

fetch('https://api.k0rdent.ai/v1/regions/global/auth/check', options)
  .then(res => res.json())
  .then(res => console.log(res))
  .catch(err => console.error(err));

{
  "results": [
    {
      "allowed": true
    }
  ]
}

check

Check permissions

Visibility: public · internal ( OpenAPI Custom Extension: x-visibility )

Evaluate whether the authenticated principal (or a specified subject) is allowed to perform one or more actions on target resources. Supports both single and bulk checks in a single request.

Self-check — When no subject is specified, the caller’s own permissions are evaluated. Useful for frontends that need to show/hide UI elements based on the current user’s access.

Subject check — Tenant administrators can evaluate permissions for another principal by specifying a subject. Non-admin callers specifying a subject other than themselves receive 403.

Results are returned positionally — results[i] corresponds to checks[i].

POST

regions

global

auth

check

Check permissions

const options = {
  method: 'POST',
  headers: {Authorization: 'Bearer <token>', 'Content-Type': 'application/json'},
  body: JSON.stringify({
    checks: [{action: 'compute.instances.create', resource: 'proj-abc123'}],
    subject: 'user-xyz789'
  })
};

fetch('https://api.k0rdent.ai/v1/regions/global/auth/check', options)
  .then(res => res.json())
  .then(res => console.log(res))
  .catch(err => console.error(err));

{
  "results": [
    {
      "allowed": true
    }
  ]
}

Authorizations

Authorization

string

header

required

Bearer token authentication using OAuth2/OIDC tokens

Body

application/json

checks

object[]

required

List of permission checks to evaluate. Each check specifies an action and a target resource. Maximum 100 checks per request.

Required array length: 1 - 100 elements

Show child attributes

subject

string

Principal to evaluate. Can be a user ID, API key ID, or service account clientId. If omitted, defaults to the authenticated caller. Only tenant administrators can specify a subject other than themselves.

Example:

"user-xyz789"

Response

Permission check results.

results

object[]

required

Positional results — results[i] corresponds to checks[i] in the request.

Show child attributes

Introspect token

Revoke token

Platform APIs

Shared API Spec

Apps Team APIs Dev

Draft APIs

Archived APIs

Check permissions

Authorizations

Body

Response