Skip to main content

Transactional Writes

Using Auth0 FGA, you can update multiple relationship tuples in a single transaction.

When to use

Updating multiple relationship tuples can keep your system state consistent.

Before you start

Familiarize yourself with basic Auth0 FGA Concepts before completing this guide.

In the following authorization model, there is type called tweet that can have a reader. There is another type called user that can have a follower and followed_by relationship.

model
  schema 1.1

type tweet
  relations
    define viewer: [user, user:*, user#follower]

type user
  relations
    define follower: [user]
    define followed_by: [user]

In addition:

Direct access

Creating an authorization model and a relationship tuple grants a user access to an object. To learn more, read about Direct Access.

Modeling public access

The following example uses public access. To learn more, read about Public Access.

Auth0 FGA concepts

  • A Type: a class of objects that have similar characteristics
  • A User: an entity in the system that can be related to an object
  • A Relation: is a string defined in the type definition of an authorization model that defines the possibility of a relationship between an object of the same type as the type definition and a user in the system
  • A Relation: a string defined in the type definition of an authorization model that defines the possibility of a relationship between an object of the same type as the type definition and a user in the system
  • A Relationship Tuple: a group stored in Auth0 FGA that consists of a user, a relation, and an object

Step by step

01. Add and remove relationship tuples in the same transaction

A call to the Write API can add or delete tuples in your store. For example, the following tuple makes tweet:1 public by making everyone a viewer:

Initialize the SDK
// Checkout the "How to Setup the SDK Client" page for more details.
const { CredentialsMethod, OpenFgaClient } = require('@openfga/sdk'); // OR import { CredentialsMethod, OpenFgaClient } from '@openfga/sdk';

// Ensure the environment variables are set
// FGA_API_URL = 'https://api.us1.fga.dev' // 'https://api.eu1.fga.dev' for EU and 'https://api.au1.fga.dev' for AU
// FGA_STORE_ID = 'YOUR_STORE_ID' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page
// FGA_MODEL_ID = 'YOUR_MODEL_ID' - optional, can be overridden per request, helps reduce latency
// FGA_API_TOKEN_ISSUER = 'auth.fga.dev'
// FGA_API_AUDIENCE = 'https://api.us1.fga.dev/' // 'https://api.eu1.fga.dev/' for EU and 'https://api.au1.fga.dev/' for AU
// FGA_CLIENT_ID = 'YOUR_CLIENT_ID' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page
// FGA_CLIENT_SECRET = 'YOUR_CLIENT_SECRET' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page

const fgaClient = new OpenFgaClient({
    apiUrl: process.env.FGA_API_URL,
    storeId: process.env.FGA_STORE_ID,
    authorizationModelId: process.env.FGA_MODEL_ID,
    credentials: { // Credentials are not needed if connecting to the Playground API
      method: CredentialsMethod.ClientCredentials,
      config: {
        apiTokenIssuer: process.env.FGA_API_TOKEN_ISSUER,
        apiAudience: process.env.FGA_API_AUDIENCE,
        clientId: process.env.FGA_CLIENT_ID,
        clientSecret: process.env.FGA_CLIENT_SECRET,
      },
    },
});

const options = {
  authorizationModelId: "01HVMMBCMGZNT3SED4Z17ECXCA",
};

await fgaClient.write({
  writes: [
      {"user":"user:*","relation":"viewer","object":"tweet:1"}
  ],
}, options);

Deleting the previous tuple converts this tweet to private:

Initialize the SDK
// Checkout the "How to Setup the SDK Client" page for more details.
const { CredentialsMethod, OpenFgaClient } = require('@openfga/sdk'); // OR import { CredentialsMethod, OpenFgaClient } from '@openfga/sdk';

// Ensure the environment variables are set
// FGA_API_URL = 'https://api.us1.fga.dev' // 'https://api.eu1.fga.dev' for EU and 'https://api.au1.fga.dev' for AU
// FGA_STORE_ID = 'YOUR_STORE_ID' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page
// FGA_MODEL_ID = 'YOUR_MODEL_ID' - optional, can be overridden per request, helps reduce latency
// FGA_API_TOKEN_ISSUER = 'auth.fga.dev'
// FGA_API_AUDIENCE = 'https://api.us1.fga.dev/' // 'https://api.eu1.fga.dev/' for EU and 'https://api.au1.fga.dev/' for AU
// FGA_CLIENT_ID = 'YOUR_CLIENT_ID' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page
// FGA_CLIENT_SECRET = 'YOUR_CLIENT_SECRET' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page

const fgaClient = new OpenFgaClient({
    apiUrl: process.env.FGA_API_URL,
    storeId: process.env.FGA_STORE_ID,
    authorizationModelId: process.env.FGA_MODEL_ID,
    credentials: { // Credentials are not needed if connecting to the Playground API
      method: CredentialsMethod.ClientCredentials,
      config: {
        apiTokenIssuer: process.env.FGA_API_TOKEN_ISSUER,
        apiAudience: process.env.FGA_API_AUDIENCE,
        clientId: process.env.FGA_CLIENT_ID,
        clientSecret: process.env.FGA_CLIENT_SECRET,
      },
    },
});

const options = {
  authorizationModelId: "01HVMMBCMGZNT3SED4Z17ECXCA",
};

await fgaClient.write({
  deletes: [
      { user: 'user:*', relation: 'viewer', object: 'tweet:1'}
  ],
}, options);

By removing the tuple, we made the tweet visible to no-one, which may not be what we want.

Limitations on duplicate tuples in a single request

When using the Write API, you cannot include the same tuple (same user, relation, and object) in both the writes and deletes arrays within a single request. The API will return an error with code cannot_allow_duplicate_tuples_in_one_request if duplicate tuples are detected.

For example, this request would fail:

curl -X POST "${FGA_API_URL}/stores/${FGA_STORE_ID}/write" \
  -H 'content-type: application/json' \
  --data '{
    "writes": {
      "tuple_keys": [{
        "user": "user:anne",
        "relation": "member",
        "object": "group:2"
      }]
    },
    "deletes": {
      "tuple_keys": [{
        "user": "user:anne",
        "relation": "member",
        "object": "group:2"
      }]
    }
  }'

The Write API allows you to send up to 40 unique tuples in the request. (This limit applies to the sum of both writes and deletes in that request). This means we can submit one API call that converts the tweet from public to visible to only the user's followers.

Initialize the SDK
// Checkout the "How to Setup the SDK Client" page for more details.
const { CredentialsMethod, OpenFgaClient } = require('@openfga/sdk'); // OR import { CredentialsMethod, OpenFgaClient } from '@openfga/sdk';

// Ensure the environment variables are set
// FGA_API_URL = 'https://api.us1.fga.dev' // 'https://api.eu1.fga.dev' for EU and 'https://api.au1.fga.dev' for AU
// FGA_STORE_ID = 'YOUR_STORE_ID' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page
// FGA_MODEL_ID = 'YOUR_MODEL_ID' - optional, can be overridden per request, helps reduce latency
// FGA_API_TOKEN_ISSUER = 'auth.fga.dev'
// FGA_API_AUDIENCE = 'https://api.us1.fga.dev/' // 'https://api.eu1.fga.dev/' for EU and 'https://api.au1.fga.dev/' for AU
// FGA_CLIENT_ID = 'YOUR_CLIENT_ID' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page
// FGA_CLIENT_SECRET = 'YOUR_CLIENT_SECRET' - Get this from your store settings in the dashboard, refer to the "How to get your API Keys" page

const fgaClient = new OpenFgaClient({
    apiUrl: process.env.FGA_API_URL,
    storeId: process.env.FGA_STORE_ID,
    authorizationModelId: process.env.FGA_MODEL_ID,
    credentials: { // Credentials are not needed if connecting to the Playground API
      method: CredentialsMethod.ClientCredentials,
      config: {
        apiTokenIssuer: process.env.FGA_API_TOKEN_ISSUER,
        apiAudience: process.env.FGA_API_AUDIENCE,
        clientId: process.env.FGA_CLIENT_ID,
        clientSecret: process.env.FGA_CLIENT_SECRET,
      },
    },
});

const options = {
  authorizationModelId: "01HVMMBCMGZNT3SED4Z17ECXCA",
};

await fgaClient.write({
  writes: [
      // Anne's followers can view tweet:1
      {"_description":"Anne's followers can view tweet:1","user":"user:anne#follower","relation":"viewer","object":"tweet:1"}
  ],
  deletes: [
      // tweet:1 is no longer viewable by everyone (*)
      { user: 'user:*', relation: 'viewer', object: 'tweet:1'}
  ],
}, options);

Sending multiple tuples per request can also help maintain consistency. For example, if anne follows becky, you can save the following two tuples or neither of them:

[// Anne is a follower of Becky
  {
  "_description": "Anne is a follower of Becky",
  "user": "user:anne",
  "relation": "follower",
  "object": "user:becky"
}// Becky is followed by Anne
  {
  "_description": "Becky is followed by Anne",
  "user": "user:becky",
  "relation": "followed_by",
  "object": "user:anne"
}]
info

In this case, the type user exists because users can be related to each other, so users now are a type in the system.

The Auth0 Fine-Grained Authorization (FGA) service attempts to perform all the changes sent in a single Write API call in one transaction. If it cannot complete all the changes, it rejects all of them.

Check the following sections for more on how to update tuples.
Update relationship tuples in SDK

Learn about how to update relationship tuples in SDK.

Auth0 FGA API

Details on the write API in the Auth0 FGA reference guide.

Have Feedback?

You can use any of our support channels for any questions or suggestions you may have.