
Overview

The OpenID AuthZEN Authorization API defines a standard interface between Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs). Grantex aligns its external policy backend integration with the AuthZEN subject/resource/action/context model.

How It Works

When an authorization request arrives at the Grantex server and an external policy backend is configured (OPA or Cedar), the server translates the request into an AuthZEN-aligned evaluation request. Each AuthZEN element is populated from DAAP data as follows:

AuthZEN Element   DAAP Source
Subject           Agent DID, developer ID, principal ID
Resource          Grant with the requested scopes
Action            authorize, delegate, verify, or debit
Context           Timestamp, IP address, budget state

Example

A DAAP authorization request:
{
  "agentId": "ag_01HXYZ123abc",
  "principalId": "user_abc123",
  "scopes": ["calendar:read", "payments:initiate:max_500"]
}
Becomes the following AuthZEN evaluation request. Note that the developer ID is not part of the DAAP request; the server resolves it from the agent and adds it as a subject property. In this example only the timestamp is populated in the context; the IP address and budget state are added when the server has them:
{
  "subject": {
    "type": "agent",
    "id": "did:grantex:ag_01HXYZ123abc",
    "properties": {
      "developer": "org_yourcompany",
      "principalId": "user_abc123"
    }
  },
  "resource": {
    "type": "grant",
    "properties": {
      "scopes": ["calendar:read", "payments:initiate:max_500"]
    }
  },
  "action": { "name": "authorize" },
  "context": {
    "timestamp": "2026-02-01T12:00:00Z"
  }
}
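The translation above is a pure function of the DAAP request plus data the server already holds (developer ID, clock, client address, budget state). The following Python is an added example, not Grantex code, that performs that mapping for all four actions listed in the table and rejects malformed input before it reaches a PDP. The budget shape, the MAX_SCOPES limit and the function names are assumptions; the field names and the DID form follow the page's example.

```python
"""Translate a DAAP authorization request into an AuthZEN-style evaluation request."""
import ipaddress
import json
from datetime import datetime, timezone

# Action names the page lists for the AuthZEN "action" element.
VALID_ACTIONS = frozenset({"authorize", "delegate", "verify", "debit"})
# Upper bound on scopes per request (assumed limit, not taken from the page).
MAX_SCOPES = 64

# The page's example DAAP request and the timestamp used in its AuthZEN output.
PAGE_EXAMPLE_REQUEST = {
    "agentId": "ag_01HXYZ123abc",
    "principalId": "user_abc123",
    "scopes": ["calendar:read", "payments:initiate:max_500"],
}
PAGE_EXAMPLE_TIME = datetime(2026, 2, 1, 12, 0, 0, tzinfo=timezone.utc)


def agent_did(agent_id):
    """Build the subject DID from a DAAP agent id, following the page's example (did:grantex:<agentId>)."""
    if not isinstance(agent_id, str) or not agent_id.startswith("ag_") or len(agent_id) <= 3:
        raise ValueError(f"malformed agentId: {agent_id!r}")
    return f"did:grantex:{agent_id}"


def to_authzen(daap, developer, action="authorize", *, client_ip=None, budget=None, now=None):
    """Return the AuthZEN evaluation request for a DAAP request.

    daap      : dict with agentId, principalId and scopes (the DAAP request body)
    developer : developer/org id the server resolved for the agent (supplied by the caller)
    action    : one of VALID_ACTIONS
    client_ip : optional source address; validated so the PDP only sees a well-formed IP
    budget    : optional dict with budget state (shape assumed)
    now       : timezone-aware datetime; defaults to the current UTC time
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    scopes = daap.get("scopes")
    if not isinstance(scopes, list) or not scopes or len(scopes) > MAX_SCOPES:
        raise ValueError("scopes must be a non-empty list")
    if not all(isinstance(s, str) and s for s in scopes):
        raise ValueError("every scope must be a non-empty string")
    principal = daap.get("principalId")
    if not isinstance(principal, str) or not principal:
        raise ValueError("principalId missing")

    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    context = {"timestamp": now.strftime("%Y-%m-%dT%H:%M:%SZ")}
    if client_ip is not None:
        # ipaddress.ip_address raises ValueError on anything that is not an IPv4/IPv6 literal.
        context["ip"] = str(ipaddress.ip_address(client_ip))
    if budget is not None:
        context["budget"] = dict(budget)

    return {
        "subject": {
            "type": "agent",
            "id": agent_did(daap.get("agentId")),
            "properties": {"developer": developer, "principalId": principal},
        },
        "resource": {
            "type": "grant",
            # Duplicate scopes are dropped while the requested order is preserved.
            "properties": {"scopes": list(dict.fromkeys(scopes))},
        },
        "action": {"name": action},
        "context": context,
    }


def page_example():
    """The page's own example, reproduced through the mapping above."""
    return to_authzen(PAGE_EXAMPLE_REQUEST, "org_yourcompany", now=PAGE_EXAMPLE_TIME)


if __name__ == "__main__":
    print(json.dumps(page_example(), indent=2))
    # A debit request with the optional context fields populated (constructed sample).
    debit = to_authzen(PAGE_EXAMPLE_REQUEST, "org_yourcompany", "debit",
                       client_ip="203.0.113.7", budget={"remaining": 120, "currency": "USD"})
    print(json.dumps(debit, indent=2))
```

Validation happens before translation so that a request with a missing principal, an empty scope list or an unknown action is refused at the PEP rather than handed to the PDP as an undefined input, where a permissive default rule could turn it into an allow.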

Backend-Specific Details

OPA (Rego)

OPA receives the AuthZEN evaluation request as its input document and evaluates Rego policies against it:
POLICY_BACKEND=opa
OPA_URL=http://localhost:8181
See the OPA integration guide for policy examples.

Cedar

The Cedar backend maps the AuthZEN evaluation request onto typed Cedar entities (Agent, Grant, Action):
POLICY_BACKEND=cedar
CEDAR_URL=http://localhost:8180
See the Cedar integration guide for policy examples.
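The two backends receive the same AuthZEN request in different envelopes. The following Python is an added example, not Grantex code, showing the backend selection from the environment variables above, the OPA Data API envelope ({"input": ...} POSTed to /v1/data/<package>/<rule>, which is OPA's documented API), fail-closed handling of the OPA response, and the mapping onto Cedar's JSON entity format. The Rego package path, the Cedar grant id placeholder and the exact request shape the Cedar service expects are assumptions; the Cedar integration guide is authoritative for those.

```python
"""Backend envelopes for an AuthZEN evaluation request (added example, not project code)."""
import json
import os
from urllib.parse import urlsplit

# The AuthZEN request from the page's example, embedded as constructed sample input.
SAMPLE_AUTHZEN = {
    "subject": {"type": "agent", "id": "did:grantex:ag_01HXYZ123abc",
                "properties": {"developer": "org_yourcompany", "principalId": "user_abc123"}},
    "resource": {"type": "grant", "properties": {"scopes": ["calendar:read", "payments:initiate:max_500"]}},
    "action": {"name": "authorize"},
    "context": {"timestamp": "2026-02-01T12:00:00Z"},
}

BACKEND_URL_VAR = {"opa": "OPA_URL", "cedar": "CEDAR_URL"}


def backend_from_env(env=None):
    """Read POLICY_BACKEND plus the matching *_URL and return (backend, url).

    The URL must be present and use http or https; anything else is a configuration error.
    """
    env = os.environ if env is None else env
    backend = env.get("POLICY_BACKEND")
    if backend not in BACKEND_URL_VAR:
        raise ValueError(f"POLICY_BACKEND must be one of {sorted(BACKEND_URL_VAR)}, got {backend!r}")
    url = env.get(BACKEND_URL_VAR[backend], "")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"{BACKEND_URL_VAR[backend]} must be an http(s) URL, got {url!r}")
    return backend, url.rstrip("/")


def opa_request(authzen, opa_url, package="grantex/authz", rule="allow"):
    """Return (url, body) for the OPA Data API. The package path is an assumed example."""
    url = f"{opa_url.rstrip('/')}/v1/data/{package.strip('/')}/{rule}"
    return url, {"input": authzen}


def opa_decision(response_body):
    """Interpret an OPA Data API response body.

    OPA answers {} (no "result" key) when the rule is undefined, so only a literal
    boolean true counts as allow. Unparseable bodies and non-boolean results deny.
    """
    try:
        body = json.loads(response_body)
    except ValueError:
        return False
    return isinstance(body, dict) and body.get("result") is True


def cedar_request(authzen):
    """Map the AuthZEN request onto Cedar's typed entities Agent, Grant and Action.

    Entities use Cedar's JSON entity format ({"uid": {"type", "id"}, "attrs", "parents"}).
    At authorize time the grant has no id yet, so a placeholder tied to the agent DID is
    used (assumption). The top-level request shape is likewise an assumption.
    """
    subj, res = authzen["subject"], authzen["resource"]
    agent_uid = {"type": "Agent", "id": subj["id"]}
    grant_uid = {"type": "Grant", "id": res.get("id") or f"pending:{subj['id']}"}
    action_uid = {"type": "Action", "id": authzen["action"]["name"]}
    entities = [
        {"uid": agent_uid, "attrs": dict(subj.get("properties", {})), "parents": []},
        {"uid": grant_uid, "attrs": dict(res.get("properties", {})), "parents": []},
    ]
    return {"principal": agent_uid, "action": action_uid, "resource": grant_uid,
            "context": dict(authzen["context"]), "entities": entities}


if __name__ == "__main__":
    backend, url = backend_from_env({"POLICY_BACKEND": "opa", "OPA_URL": "http://localhost:8181"})
    print(backend, *opa_request(SAMPLE_AUTHZEN, url))
    print(json.dumps(cedar_request(SAMPLE_AUTHZEN), indent=2))
```

The strict check in opa_decision is the security-relevant part: a rule that is undefined for a given input, a typo in the package path, or a result that is a string rather than a boolean all deny, so a misconfigured policy cannot become an implicit allow.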
