
Gatekeeper RBAC is role-based with fine-grained permission strings. This guide defines a custom role scoped to a tenant, assigns it to a user, checks an individual permission, then revokes the role. Permissions use a resource:action shape (for example keys:read), and * is the wildcard that grants everything.

  1. Create a tenant-scoped role with permissions.createRole(tenantId, name, permissions).

  2. Assign it to a user with permissions.assign(userId, tenantId, roleId).

  3. Check a single permission with permissions.can(userId, tenantId, permission).

  4. Inspect the user's full effective permission set with permissions.list(userId, tenantId).

  5. Revoke the role with permissions.revoke(userId, tenantId, roleId) when access should end.

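import { GatekeeperCore, PermissionsService } from '@orkait/sdk';

// The admin access token is read from the environment rather than hard-coded.
// GATEKEEPER_ADMIN_TOKEN is an assumed variable name, not one the SDK defines.
const adminAccessToken = process.env.GATEKEEPER_ADMIN_TOKEN;

const core = new GatekeeperCore({ baseUrl: 'https://gatekeeper-api.example.workers.dev' });
core.setToken(adminAccessToken);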
 
const perms = new PermissionsService(core);
 
// 1. Define a custom role. Permissions are resource:action; '*' is the wildcard.
const role = await perms.createRole('t_acme', 'billing-viewer', [
  'billing:read',
  'usage:read',
]);
 
// 2. Assign it to a user.
await perms.assign('user_finance_1', 't_acme', role.id);
 
// 3. Check a single permission.
const canRead = await perms.can('user_finance_1', 't_acme', 'billing:read');
console.log('billing:read ->', canRead); // true
 
// 4. Inspect the user's effective permissions.
const effective = await perms.list('user_finance_1', 't_acme');
console.log(effective);
 
// 5. Revoke when access should end.
await perms.revoke('user_finance_1', 't_acme', role.id);
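
A least-privilege check to pair with steps 4 and 5, as an added example that is not part of the Gatekeeper SDK or this page's own code: it audits an effective permission list against what the role was meant to grant, and reports role permissions that are still effective after a revoke. It assumes perms.list() resolves to an array of permission strings (the page does not show its return shape); the function names and sample data are constructed for illustration.

```javascript
// Added example, not Gatekeeper SDK code.
// Assumption: the effective permission set is an array of strings.

// A permission is well-formed if it is exactly resource:action.
function isResourceAction(p) {
  const parts = p.split(':');
  return parts.length === 2 && parts[0] !== '' && parts[1] !== '';
}

// Compare effective permissions with the set the role was meant to grant.
function auditEffectivePermissions(effective, expected) {
  const allowed = new Set(expected);
  const seen = new Set();
  const report = { wildcard: false, malformed: [], unexpected: [], missing: [] };
  for (const raw of effective) {
    const p = String(raw).trim();
    if (p === '*') { report.wildcard = true; continue; } // grants everything
    if (!isResourceAction(p)) { report.malformed.push(p); continue; }
    seen.add(p);
    if (!allowed.has(p)) report.unexpected.push(p);
  }
  for (const p of allowed) if (!seen.has(p)) report.missing.push(p);
  report.ok = !report.wildcard &&
    report.malformed.length === 0 &&
    report.unexpected.length === 0;
  return report;
}

// After revoke(): which of the revoked role's permissions are still effective?
// A non-empty result means another grant (or the wildcard) still covers them.
function stillGrantedAfterRevoke(effectiveAfter, rolePermissions) {
  const after = new Set(effectiveAfter.map((p) => String(p).trim()));
  if (after.has('*')) return [...rolePermissions];
  return rolePermissions.filter((p) => after.has(p));
}

// Constructed sample data standing in for perms.list() results.
const ROLE = ['billing:read', 'usage:read'];
const sampleClean = ['billing:read', 'usage:read'];
const sampleBroad = ['billing:read', 'keys:read', '*', 'billing'];

console.log(auditEffectivePermissions(sampleClean, ROLE));
console.log(auditEffectivePermissions(sampleBroad, ROLE));
console.log(stillGrantedAfterRevoke(['usage:read'], ROLE));
```
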