Check authorization (PDP)¶
Ask DotID’s policy decision point (PDP) whether a principal in your account is allowed to perform an action on a resource. Use it to enforce DotID’s access model in your own service — the same 10-step evaluation the platform uses.
Endpoint¶
Method |
Path |
Purpose |
|---|---|---|
|
|
Evaluate one request → |
|
|
Evaluate many requests in one call |
Base URL: https://api.flexgalaxy.ai (production) or http://api.dev.fgai.test (local dev).
Authentication¶
This endpoint is authenticated with FGAI-HMAC-SHA256 request signing using an account service-user access key — not a bearer token. Issue a key for your service as described in [CLI & service authentication](https://docs.flexgalaxy.ai/dev/dotid/cli-authentication/), then sign each request with these headers:
Header |
Value |
|---|---|
|
|
|
Request timestamp, |
|
Hex SHA-256 of the request body |
|
Present only for temporary (STS) credentials |
See Integrate with AK/SK for the canonical signing detail (canonical request, signing-key derivation, and clock-skew rules).
Decisions are scoped to your key’s account: you can only evaluate principals and resources in the account the access key belongs to. A caller for one account cannot read another account’s grants.
Request¶
{
"principal": {
"account_id": "<account UUID>",
"user_id": "<user UUID>",
"user_type": "iam",
"ic_session": false
},
"action": "licensing:Device:Read",
"resource": "frn:<account-uuid>:licensing:device/dev-98765",
"context": { "source_ip": "10.0.1.50" }
}
principal — the identity whose access you are checking (must be in your account). Send
ic_session: falsefor a normal IAM/service user (it is a required boolean — omitting it is rejected). Hereuser_typeis the PDP principal-type discriminator (iam,root, oric) that selects which evaluator DotID runs — it is not the JWTuser_typeclaim (root/workforce) described in API authentication and JWT validation.action — the operation,
service:Resource:Verb(e.g.licensing:Device:Read).resource — the target as a [FlexGalaxy Resource Name (FRN)](https://docs.flexgalaxy.ai/dev/dotid/frn-format/).
context — optional attributes evaluated by policy conditions (
StringEquals,Bool, …).
Response¶
{
"decision": "ALLOW",
"reason": null,
"matched_statement": "AllowDeviceRead"
}
decision —
ALLOWorDENY.reason — populated on
DENY(e.g.EXPLICIT_DENY,IMPLICIT_DENY).matched_statement — the policy statement Sid that decided an
ALLOW.
The batch endpoint takes { "principal": {…}, "context": {…}, "checks": [ { "action": …, "resource": … }, … ] }
— all checks share one principal and optional context — and returns { "results": [ … ] } in the
same order.
Behavior¶
Fail-closed. A missing or invalid signature returns
401; an authenticated but non-HMAC caller returns403. Absence of a matchingAllowisDENY(IMPLICIT_DENY); a matchingDenyalways wins (EXPLICIT_DENY).Semantics match the platform. This is the same policy engine DotID uses internally; the result you get is the result the platform enforces.
See also: [Hierarchical access](https://docs.flexgalaxy.ai/dev/dotid/hierarchical-access/) for how account/OU/organization policies combine, and [FRN format](https://docs.flexgalaxy.ai/dev/dotid/frn-format/) for addressing resources.