Evaluate authorization

POST

/api/v1/permissions/evaluate

Authentication

Bearer Token Authorization
JWT access token
API Key X-API-Key
API key for management-tier access

Request body

identity_idstring*
Identity ID (from the `identities` table — the end user being evaluated, not an admin).
permissionstring*
scopeenum: "node" | "app_wide"*
Required. `node` asks 'does this identity have the permission *at* `node_id`?' (lineage walk). `app_wide` asks the coarse-grained 'does this identity have the permission *anywhere* in the org?' question — useful for UI gating, **never** for resource-scoped enforcement. `node` requires `node_id`; `app_wide` forbids it.
node_idstring
Required when `scope` is `node`; must be omitted when `scope` is `app_wide`.

Code samples

cURL

JavaScript

Python

curl -X POST "https://api.canopy.dev/api/v1/permissions/evaluate" \
  -H "X-API-Key: $CANOPY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "identity_id": "string",
    "permission": "string",
    "scope": "node",
    "node_id": "string"
  }'

const response = await fetch("https://api.canopy.dev/api/v1/permissions/evaluate", {
  method: "POST",
  headers: {
    "X-API-Key": "$CANOPY_API_KEY",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    "identity_id": "string",
    "permission": "string",
    "scope": "node",
    "node_id": "string"
  }),
});

const data = await response.json();

import requests

response = requests.post(
    "https://api.canopy.dev/api/v1/permissions/evaluate",
    headers={
    "X-API-Key": "$CANOPY_API_KEY",
    "Content-Type": "application/json"
    },
    json={
        "identity_id": "string",
        "permission": "string",
        "scope": "node",
        "node_id": "string",
    },
)

data = response.json()

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload := map[string]interface{}{
		"identity_id": "string",
		"permission": "string",
		"scope": "node",
		"node_id": "string",
	}
	body, _ := json.Marshal(payload)

	req, _ := http.NewRequest("POST", "https://api.canopy.dev/api/v1/permissions/evaluate", bytes.NewBuffer(body))
	req.Header.Set("X-API-Key", "$CANOPY_API_KEY")
	req.Header.Set("Content-Type", "application/json")

	resp, _ := http.DefaultClient.Do(req)
	defer resp.Body.Close()
}

Responses

200 Authorization decision returned

{
  "allowed": false,
  "permission": "string",
  "scope_evaluated": "node",
  "effective_node_id": "string",
  "granting_roles": [
    "string"
  ],
  "denial_reason": "string"
}

application/json

allowedboolean*
permissionstring*
scope_evaluatedenum: "node" | "app_wide"*
Echo of the `scope` the caller asked for. `app_wide` answers are 'matched somewhere in the tree' — never treat them as scoped to a specific node.
effective_node_idstring
The hierarchy node the decision was anchored to. Always set for `scope_evaluated: "node"`; always null for `scope_evaluated: "app_wide"` because the answer is org-scoped, not node-scoped.
granting_rolesstring[]*
denial_reasonstring

401 Invalid or expired token

403 Scoped API key is missing the `permissions.evaluate` scope (full_access keys and admin JWTs are unrestricted)

Returned object

The EvaluateResponseDto object View all properties on this resource

On this page

GETList permission catalog
POSTRegister new permission(s)
GETGet a permission
PATCHUpdate permission metadata
DELETERemove a permission
POSTBulk evaluate authorization