The Resource Catalog (under Authorization → Manage → Resources) is where you declare every thing in your application that has permissions attached. Roles and policies can only reference permissions that exist here — the catalog is the source of truth.
Dashboard → Application → Authorization → Resources. The page lists every resource with its actions in an editable table, and a counter at the top gives the total. A sane catalog usually has 5–20 resources; if yours is growing past that, you are probably modelling tables rather than concepts (see Granularity below).
Each resource in the catalog has three fields:

identifier
A short, stable identifier in lower-snake-case: users, invoices, api_keys. Don't change it casually; every policy references it.

description
Human-readable. Shown in the policy editor when picking permissions.

actions
The verbs valid for this resource: read, update, delete, etc. Each action becomes a permission of the form resource:action.
The dashboard helps with action names: the common ones (create, read, update, delete, list) auto-complete. Custom actions are fine (send on invoices gives invoices:send, invite on users gives users:invite); just keep them short and verb-shaped.
Granularity. One resource per concept, not per database table. If "invoices" and "invoice_line_items" are always touched together, they're one resource as far as authorization is concerned.
Actions. Stick to a small standard vocabulary plus the few domain verbs that genuinely matter:

```
create read update delete list        ← the standard CRUD-ish set
send archive publish approve invite   ← verbs your business cares about
```
If you find yourself adding update_status_to_pending, update_status_to_approved, and so on, collapse them: the action is update, and the logic deciding which status transition is allowed belongs in your business code, not in the permission name.

Naming. resource:action strings show up in audit logs, error messages, JWT claims, and permission checks. They are load-bearing identifiers, so pick names you won't want to refactor later.
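The rules above (lower-snake-case identifiers, short verb-shaped actions, no status encoded in an action name, a catalog of modest size) are easy to check mechanically before a catalog change ships. The following lint is an added example written for this page, not Authaz tooling; the catalog shape (a dict of identifier to description and actions), the 20-character action limit and the sample catalog are assumptions and constructed data.

```python
import re

# Constructed sample catalog (assumed shape; not exported from an Authaz dashboard).
# It deliberately contains the mistakes the guidance above warns about.
CATALOG = {
    "invoices": {
        "description": "Customer invoices",
        "actions": ["create", "read", "update", "delete", "list", "send"],
    },
    "users": {
        "description": "User accounts",
        "actions": ["read", "list", "invite", "update_status_to_pending"],
    },
    "InvoiceLineItems": {          # not lower_snake_case
        "description": "Line items",
        "actions": ["read"],
    },
}

STANDARD_ACTIONS = {"create", "read", "update", "delete", "list"}
IDENT_RE = re.compile(r"^[a-z][a-z0-9]*(_[a-z0-9]+)*$")
# Matches action names that smuggle a state transition into the verb,
# e.g. update_status_to_pending; these should collapse to "update".
STATE_IN_ACTION_RE = re.compile(r"^(update|set)_\w+_to_\w+$")
MAX_ACTION_LEN = 20                # assumed limit for "keep them short"
MAX_RESOURCES = 20                 # upper end of the 5-20 range quoted above


def permissions(catalog):
    """Every resource:action string the catalog defines, sorted for stable diffs."""
    return sorted(f"{res}:{act}" for res, spec in catalog.items() for act in spec["actions"])


def lint_catalog(catalog):
    """Return a list of (resource, problem) findings; an empty list means the catalog is clean."""
    findings = []
    if len(catalog) > MAX_RESOURCES:
        findings.append(("*", f"{len(catalog)} resources; expected at most {MAX_RESOURCES}"))
    for res, spec in catalog.items():
        if not IDENT_RE.match(res):
            findings.append((res, "identifier is not lower_snake_case"))
        if not spec.get("description"):
            findings.append((res, "missing description"))
        seen = set()
        for act in spec["actions"]:
            if act in seen:
                findings.append((res, f"duplicate action {act}"))
            seen.add(act)
            if not IDENT_RE.match(act):
                findings.append((res, f"action {act} is not lower_snake_case"))
            if len(act) > MAX_ACTION_LEN:
                findings.append((res, f"action {act} is too long"))
            if STATE_IN_ACTION_RE.match(act):
                findings.append((res, f"action {act} encodes a state; collapse it to update"))
    return findings


if __name__ == "__main__":
    for res, problem in lint_catalog(CATALOG):
        print(f"{res}: {problem}")
    print(permissions(CATALOG))
```

Run it in CI against the catalog export and fail the build on any finding; `permissions()` doubles as the list to diff against what your policies actually reference, so a renamed resource shows up as a removed permission rather than as a silent deny in production.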
A relation is the named connection between a user and a resource. Authaz ships with a small set of built-in relations:

| Relation  | Allowed actions (default)                        |
|-----------|--------------------------------------------------|
| owner     | every action on this resource type               |
| editor    | create, read, update                             |
| viewer    | read, list                                       |
| commenter | read, comment (if comment is a valid action)     |
You can define custom relations per resource: the catalog editor has a Relations tab where each relation picks which actions it implies. Keep this small; most apps need 2–3 relations at most. Note that owner implies every action on the resource type, including any action you add later, so adding a verb such as delete or approve to a resource silently widens what every existing owner can do. Review the owner set whenever the action list changes.
```shell
# Everyone with a relation on a resource
curl 'https://your-app.authaz.io/api/v1/authorization/relationships?resource=documents&resourceId=doc_01h...' \
  -H "X-API-Key: $AUTHAZ_API_KEY"

# Every resource a user has a relation on
curl 'https://your-app.authaz.io/api/v1/authorization/relationships?userId=user_01h...&resource=documents' \
  -H "X-API-Key: $AUTHAZ_API_KEY"
```
The dashboard's Access Explorer surfaces both views interactively — useful when investigating "why can this person see this thing?".
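To make the relation table and the "why can this person see this thing?" question concrete, here is an added example of how relations resolve to permissions and how a single check is explained in terms of them. This is illustrative code written for this page, not Authaz's evaluator or API client. The built-in defaults follow the table above; the sample catalog, the custom approver relation on invoices, and the relationship records (keyed like the query parameters userId, resource and resourceId, but not the API's actual response shape) are constructed assumptions.

```python
# Constructed sample catalog (assumed shape).
CATALOG = {
    "documents": {"actions": ["create", "read", "update", "delete", "list", "comment", "publish"]},
    "invoices": {"actions": ["create", "read", "update", "delete", "list", "send"]},
}

# Built-in defaults from the relation table. None means "every action the
# resource type defines", which is the owner default.
BUILTIN_RELATIONS = {
    "owner": None,
    "editor": {"create", "read", "update"},
    "viewer": {"read", "list"},
    "commenter": {"read", "comment"},
}

# Custom relations are defined per resource; "approver" is an assumed example.
CUSTOM_RELATIONS = {
    "invoices": {"approver": {"read", "list", "send"}},
}


def actions_for(resource, relation):
    """Actions a relation implies on one resource type, restricted to the catalog."""
    defined = set(CATALOG[resource]["actions"])
    if relation in CUSTOM_RELATIONS.get(resource, {}):
        implied = CUSTOM_RELATIONS[resource][relation]
    elif relation in BUILTIN_RELATIONS:
        implied = BUILTIN_RELATIONS[relation]
    else:
        raise ValueError(f"unknown relation {relation!r} on {resource}")
    if implied is None:
        return defined
    # A relation never grants an action the catalog does not define for this
    # resource, so commenter on invoices (which has no comment action) is just read.
    return implied & defined


# Constructed relationship records (assumed shape; not the API's response format).
RELATIONSHIPS = [
    {"userId": "user_01", "resource": "documents", "resourceId": "doc_01", "relation": "viewer"},
    {"userId": "user_01", "resource": "documents", "resourceId": "doc_02", "relation": "owner"},
    {"userId": "user_02", "resource": "invoices", "resourceId": "inv_01", "relation": "commenter"},
    {"userId": "user_02", "resource": "invoices", "resourceId": "inv_02", "relation": "approver"},
]


def explain(user_id, resource, resource_id, action):
    """Relations on this object that grant resource:action to the user; [] means denied.

    Raises ValueError when the permission is not in the catalog, because roles and
    policies may only reference permissions that exist there.
    """
    if resource not in CATALOG or action not in CATALOG[resource]["actions"]:
        raise ValueError(f"permission {resource}:{action} is not in the catalog")
    return [
        r["relation"]
        for r in RELATIONSHIPS
        if r["userId"] == user_id
        and r["resource"] == resource
        and r["resourceId"] == resource_id
        and action in actions_for(resource, r["relation"])
    ]


def is_allowed(user_id, resource, resource_id, action):
    """Fail closed: a permission that is not in the catalog is a deny, not an exception."""
    try:
        return bool(explain(user_id, resource, resource_id, action))
    except ValueError:
        return False


if __name__ == "__main__":
    print(explain("user_01", "documents", "doc_02", "publish"))  # ['owner']
```

`explain()` is the programmatic form of the Access Explorer question: it lists the relations that would each independently grant the action, which is what you want when an unexpected allow shows up in an audit log. The `actions_for()` intersection is also where the owner caveat bites: append `archive` to the documents action list and every owner gains `documents:archive` without any relationship changing.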