AuthZEN API
OpenID Foundation Authorization API specification endpoints.
InferaDB implements the OpenID AuthZEN specification. AuthZEN provides vendor-neutral interoperability — swap authorization providers without changing integration code.
Service Discovery
GET /.well-known/authzen-configuration
Returns supported endpoints and extensions for this instance.
Evaluation
Single Check
POST /access/v1/evaluation
Request:
{
  "subject": {
    "type": "user",
    "id": "alice"
  },
  "action": {
    "name": "can_edit"
  },
  "resource": {
    "type": "document",
    "id": "readme"
  }
}
Response:
{
  "decision": true
}
Batch Check
POST /access/v1/evaluations
Evaluate up to 100 authorization checks in a single request.
Request:
{
  "evaluations": [
    {
      "subject": { "type": "user", "id": "alice" },
      "action": { "name": "can_edit" },
      "resource": { "type": "document", "id": "readme" }
    },
    {
      "subject": { "type": "user", "id": "bob" },
      "action": { "name": "can_view" },
      "resource": { "type": "document", "id": "readme" }
    }
  ]
}
Resource Search
POST /access/v1/search/resource
Find resources accessible by a subject with a given action.
Subject Search
POST /access/v1/search/subject
Find subjects with access to a resource for a given action.
InferaDB Extensions
Extensions beyond the AuthZEN base spec, advertised via the well-known endpoint:
| Extension | Description |
|---|---|
| inferadb_relationship_management | Direct CRUD for relationship tuples |
| inferadb_relation_expansion | Expand relation trees |
| inferadb_simulation | What-if testing with ephemeral data |
| inferadb_realtime_streaming | Real-time change notifications via SSE |
Identifier Format
AuthZEN uses typed identifiers ({"type": "user", "id": "alice"}); the native API uses "user:alice". Both are accepted on all endpoints.
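The following client-side sketch ties together the Batch Check limit and the two identifier formats described above. It is an added example, not InferaDB's own code: the helper names are hypothetical, and it assumes the batch response is `{"evaluations": [{"decision": ...}, ...]}` in request order (per the AuthZEN specification, not shown on this page) and that the instance accepts a bearer token. Any malformed, missing, or non-boolean decision is treated as a deny.

```python
import json
from urllib import request

MAX_BATCH = 100  # per-request limit stated in the Batch Check section

def to_typed(ref):
    """Accept 'user:alice' or {'type': 'user', 'id': 'alice'}; return the typed form."""
    if isinstance(ref, dict):
        typ, ident = ref.get("type"), ref.get("id")
    else:
        typ, _, ident = str(ref).partition(":")
    if not (isinstance(typ, str) and isinstance(ident, str) and typ and ident):
        raise ValueError(f"malformed identifier: {ref!r}")
    return {"type": typ, "id": ident}

def build_batches(checks):
    """checks: iterable of (subject, action_name, resource); yields request bodies."""
    items = [{"subject": to_typed(s), "action": {"name": a}, "resource": to_typed(r)}
             for s, a, r in checks]
    for i in range(0, len(items), MAX_BATCH):
        yield {"evaluations": items[i:i + MAX_BATCH]}

def decisions_from(body, expected):
    """Fail closed: anything but a literal JSON true in the right slot is a deny."""
    results = body.get("evaluations") if isinstance(body, dict) else None
    if not isinstance(results, list) or len(results) != expected:
        return [False] * expected
    return [isinstance(r, dict) and r.get("decision") is True for r in results]

def http_post(base_url, token):
    """Transport for a real instance; base_url and bearer-token auth are assumptions."""
    def post(path, payload):
        req = request.Request(base_url + path, data=json.dumps(payload).encode(),
                              headers={"Content-Type": "application/json",
                                       "Authorization": f"Bearer {token}"})
        with request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    return post

def batch_check(checks, post):
    """Return one boolean per check; a transport error denies that whole batch."""
    out = []
    for payload in build_batches(checks):
        n = len(payload["evaluations"])
        try:
            out.extend(decisions_from(post("/access/v1/evaluations", payload), n))
        except Exception:
            out.extend([False] * n)
    return out
```

Pass `http_post(base_url, token)` as the `post` argument to call a live instance; any callable with the same `(path, payload)` signature works for testing.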