How to get tuple changes

note

Auth0 Fine Grained Authorization (FGA) is the early-stage product we are building at Auth0 to solve fine-grained authorization at scale. Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.

Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Auth0 FGA during the Developer Community Preview can be found here.

This section illustrates how to call the Read Changes API to get the list of relationship tuple changes that happened in your store, in the exact order that they happened. The API response includes tuples that have been added or removed in your store. It does not include other changes, like updates to your authorization model and adding new assertions.

Before you start

Node.js

1. You have obtained the environment, store id, client id and client secret.
2. You have installed the SDK.
3. You have configured the authorization model and added some relationship tuples.
4. You have loaded FGA_ENVIRONMENT, FGA_STORE_ID, FGA_CLIENT_ID and FGA_CLIENT_SECRET as environment variables.

Go

1. You have obtained the environment, store id, client id and client secret.
2. You have installed the SDK.
3. You have configured the authorization model and added some relationship tuples.
4. You have loaded FGA_ENVIRONMENT, FGA_STORE_ID, FGA_CLIENT_ID and FGA_CLIENT_SECRET as environment variables.

.NET

1. You have obtained the environment, store id, client id and client secret.
2. You have installed the SDK.
3. You have configured the authorization model.
4. You have loaded FGA_ENVIRONMENT, FGA_STORE_ID, FGA_CLIENT_ID and FGA_CLIENT_SECRET as environment variables.

curl

1. You have obtained the environment, store id, client id and client secret.
2. You have configured the authorization model and added some relationship tuples.
3. You have loaded FGA_ENVIRONMENT, FGA_BEARER_TOKEN and FGA_STORE_ID as environment variables.

Step By Step

To get a chronologically ordered list of tuples that have been written or deleted in your store, you can do so by calling the Read Changes API.

01. Configure The Auth0 FGA API Client

First you will need to configure the API client.

Node.js

// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
  environment: process.env.FGA_ENVIRONMENT,
  storeId: process.env.FGA_STORE_ID,
  clientId: process.env.FGA_CLIENT_ID,
  clientSecret: process.env.FGA_CLIENT_SECRET,
});

Go

import (
    fgaSdk "github.com/auth0-lab/fga-go-sdk"
    "os"
)

func main() {
    configuration, err := fgaSdk.NewConfiguration(fgaSdk.UserConfiguration{
        Environment:  os.Getenv("FGA_ENVIRONMENT"),
        StoreId:      os.Getenv("FGA_STORE_ID"),
        ClientId:     os.Getenv("FGA_CLIENT_ID"),
        ClientSecret: os.Getenv("FGA_CLIENT_SECRET"),
    })

    if err != nil {
    // .. Handle error
    }

    fgaClient := fgaSdk.NewAPIClient(configuration)
}

.NET

// import the SDK
using Auth0.Fga.Api;
using Auth0.Fga.Configuration;
using Environment = System.Environment;

namespace ExampleApp;

class MyProgram {
    static async Task Main() {
        var storeId = Environment.GetEnvironmentVariable("FGA_STORE_ID");
        var environment = Environment.GetEnvironmentVariable("FGA_ENVIRONMENT")
        var configuration = new Configuration(storeId, environment) {
            ClientId = Environment.GetEnvironmentVariable("FGA_CLIENT_ID"),
            ClientSecret = Environment.GetEnvironmentVariable("FGA_CLIENT_SECRET"),
        };
        var fgaClient = new Auth0FgaApi(configuration);
    }
}

curl

To obtain the access token:

# Not needed when calling the Playground API
curl -X POST \
   https://fga.us.auth0.com/oauth/token \
   -H 'content-type: application/json' \
   -d '{"client_id":"'$FGA_CLIENT_ID'","client_secret":"'$FGA_CLIENT_SECRET'","audience":"https://api.us1.fga.dev/","grant_type":"client_credentials"}'

# The response will be returned in the form
# {
#  "access_token": "eyJ...Ggg",
#  "expires_in": 86400,
#  "scope": "read:tuples write:tuples check:tuples ... write:authorization-models",
#  "token_type": "Bearer"
# }
# Store this `access_token` value in environment variable `FGA_BEARER_TOKEN`

# For non-playground environment
FGA_API_URL='https://api.us1.fga.dev'
# For playground environment
# FGA_API_URL='https://api.playground.fga.dev'

02. Get Changes For All Object Types

To get a paginated list of changes that happened in your store:

Node.js

var type = "";
var continuationToken = "";
var pageSize = 25;

await fgaClient.readChanges(type, pageSize, continuationToken);

Go

data, response, err := fgaClient.Auth0FgaApi.ReadChanges(context.Background()).
	PageSize(25).
	Execute()

if err != nil {
    // .. Handle error
}

.NET

var type = "";
var continuationToken = "";
var pageSize = 25;

await fgaClient.ReadChanges(type, pageSize, continuationToken);

curl

curl -X POST $FGA_API_URL/stores/$FGA_STORE_ID/changes \
  -H "Authorization: Bearer $FGA_BEARER_TOKEN" \ # Not needed if service does not require authorization
  -H "content-type: application/json" \
  -d '{"page_size": 25}'

The result will contain an array of up to 25 tuples, with the operation (write or delete), and the timestamp in which that operation took place. The result will also contain a continuation token. Save the continuation token in persistent storage between calls so that it is not lost and you do not have to restart from scratch on system restart or on error.

You can then use this token to get the next set of changes:

Node.js

var type = "";
var continuationToken = "eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==";
var pageSize = 25;

await fgaClient.readChanges(type, pageSize, continuationToken);

Go

data, response, err := fgaClient.Auth0FgaApi.ReadChanges(context.Background()).
	PageSize(25).
	ContinuationToken("eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==").
	Execute()

if err != nil {
    // .. Handle error
}

.NET

var type = "";
var continuationToken = "eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==";
var pageSize = 25;

await fgaClient.ReadChanges(type, pageSize, continuationToken);

curl

curl -X POST $FGA_API_URL/stores/$FGA_STORE_ID/changes \
  -H "Authorization: Bearer $FGA_BEARER_TOKEN" \ # Not needed if service does not require authorization
  -H "content-type: application/json" \
  -d '{"continuation_token": "eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==", "page_size": 25}'

Once there are no more changes to retrieve, the API will return the same token as the one you sent. Save the token in persistent storage to use at a later time.

note

• The default page size is 50. The maximum page size allowed is 100.
• The API response will not return all the changes immediately. There will be a delay of one minute between the time that you add or delete a tuple and the time that you see it in the Read Changes API response.
• The API response does not expand the tuples. If you wrote a tuple that includes a userset, like {"user": "group:abc#member", "relation": "owner": "doc:budget"}, the Read Changes API will return that exact tuple.

03. Get Changes For A Specific Object Type

Imagine you have the following authorization model:

DSL

model
  schema 1.1
type user
type group
  relations
    define member: [user]
type folder
  relations
    define owner: [group#member,user]
type doc
  relations
    define owner: [group#member,user]

JSON

{
  "schema_version": "1.1",
  "type_definitions": [
    {
      "type": "user"
    },
    {
      "type": "group",
      "relations": {
        "member": {
          "this": {}
        }
      },
      "metadata": {
        "relations": {
          "member": {
            "directly_related_user_types": [
              {
                "type": "user"
              }
            ]
          }
        }
      }
    },
    {
      "type": "folder",
      "relations": {
        "owner": {
          "this": {}
        }
      },
      "metadata": {
        "relations": {
          "owner": {
            "directly_related_user_types": [
              {
                "type": "group",
                "relation": "member"
              },
              {
                "type": "user"
              }
            ]
          }
        }
      }
    },
    {
      "type": "doc",
      "relations": {
        "owner": {
          "this": {}
        }
      },
      "metadata": {
        "relations": {
          "owner": {
            "directly_related_user_types": [
              {
                "type": "group",
                "relation": "member"
              },
              {
                "type": "user"
              }
            ]
          }
        }
      }
    }
  ]
}

It is possible to get a list of changes that happened in your store that relate only to one specific object type, like folder, by issuing a call like this:

Node.js

var type = "folder";
var continuationToken = "";
var pageSize = 25;

await fgaClient.readChanges(type, pageSize, continuationToken);

Go

data, response, err := fgaClient.Auth0FgaApi.ReadChanges(context.Background()).
	Type_("folder").
	PageSize(25).
	Execute()

if err != nil {
    // .. Handle error
}

.NET

var type = "folder";
var continuationToken = "";
var pageSize = 25;

await fgaClient.ReadChanges(type, pageSize, continuationToken);

curl

curl -X POST $FGA_API_URL/stores/$FGA_STORE_ID/changes \
  -H "Authorization: Bearer $FGA_BEARER_TOKEN" \ # Not needed if service does not require authorization
  -H "content-type: application/json" \
  -d '{"type": folder", "page_size": 25}'

The response will include a continuation token. In subsequent calls, you have to include the token and the type. (If you send this continuation token without the type parameter set, you will get an error).

Node.js

var type = "folder";
var continuationToken = "eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==";
var pageSize = 25;

await fgaClient.readChanges(type, pageSize, continuationToken);

Go

data, response, err := fgaClient.Auth0FgaApi.ReadChanges(context.Background()).
	Type_("folder").
	PageSize(25).
	ContinuationToken("eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==").
	Execute()

if err != nil {
    // .. Handle error
}

.NET

var type = "folder";
var continuationToken = "eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==";
var pageSize = 25;

await fgaClient.ReadChanges(type, pageSize, continuationToken);

curl

curl -X POST $FGA_API_URL/stores/$FGA_STORE_ID/changes \
  -H "Authorization: Bearer $FGA_BEARER_TOKEN" \ # Not needed if service does not require authorization
  -H "content-type: application/json" \
  -d '{"type": folder", "continuation_token": "eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==", "page_size": 25}'