Implement access control

Verify permissions and roles in your application code to control user access

After configuring permissions and roles, the next critical step is implementing access control directly within your application code. This is achieved by carefully examining the roles and permissions embedded in the user’s access token to make authorization decisions.

Scalekit conveniently packages these authorization details during the authentication process, providing you with a comprehensive set of data to make precise access control decisions without requiring additional API calls.

Review the authorization flow

This section focuses on implementing access control, which naturally follows user authentication. We recommend completing the authentication quickstart before diving into these access control implementation details.

Start by inspecting the access token

When you exchange the code for a user profile, Scalekit also adds additional information that help your app determine the access control decisions.

1
{
2
  user: {
3
    email: "john.doe@example.com",
4
    emailVerified: true,
5
    givenName: "John",
6
    name: "John Doe",
7
    id: "usr_74599896446906854"
8
  },
9
  idToken: "eyJhbGciO..", // Decode for full user details
10

11
  accessToken: "eyJhbGciOi..",
12
  refreshToken: "rt_8f7d6e5c4b3a2d1e0f9g8h7i6j..",
13
  expiresIn: 299 // in seconds
14
}

1
{
2
  "at_hash": "ec_jU2ZKpFelCKLTRWiRsg",
3
  "aud": [
4
    "skc_58327482062864390"
5
  ],
6
  "azp": "skc_58327482062864390",
7
  "c_hash": "6wMreK9kWQQY6O5R0CiiYg",
8
  "client_id": "skc_58327482062864390",
9
  "email": "john.doe@example.com",
10
  "email_verified": true,
11
  "exp": 1742975822,
12
  "family_name": "Doe",
13
  "given_name": "John",
14
  "iat": 1742974022,
15
  "iss": "https://scalekit-z44iroqaaada-dev.scalekit.cloud",
16
  "name": "John Doe",
17
  "oid": "org_59615193906282635",
18
  "sid": "ses_65274187031249433",
19
  "sub": "usr_63261014140912135"
20
}

1
{
2
    "aud": [
3
      "prd_skc_7848964512134X699"
4
    ],
5
    "client_id": "prd_skc_7848964512134X699",
6
    "exp": 1758265247,
7
    "iat": 1758264947,
8
    "iss": "https://login.devramp.ai",
9
    "jti": "tkn_90928731115292X63",
10
    "nbf": 1758264947,
11
    "oid": "org_89678001X21929734",
12
    "permissions": [
13
      "workspace_data:write",
14
      "workspace_data:read"
15
    ],
16
    "roles": [
17
      "admin"
18
    ],
19
    "sid": "ses_90928729571723X24",
20
    "sub": "usr_8967800122X995270",
21
    // External identifiers if updated on Scalekit
22
    "xoid": "ext_org_123", // Organization ID
23
    "xuid": "ext_usr_456", // User ID
24
}

Let’s closely look at the access token:

{
  "aud": ["skc_987654321098765432"],
  "client_id": "skc_987654321098765432",
  "exp": 1750850145,
  "iat": 1750849845,
  "iss": "http://example.localhost:8889",
  "jti": "tkn_987654321098765432",
  "nbf": 1750849845,
  "roles": ["project_manager", "member"],
  "oid": "org_69615647365005430",
  "permissions": ["projects:create", "projects:read", "projects:update", "tasks:assign"],
  "sid": "ses_987654321098765432",
  "sub": "usr_987654321098765432"
}

The roles and permissions values provide runtime insights into the user’s access constraints directly within the access token, eliminating the need for additional API requests. Crucially, always validate the token’s integrity before relying on the embedded authorization details.

1
// Middleware to validate tokens and extract authorization data
2
const validateAndExtractAuth = async (req, res, next) => {
3
  try {
4
    // Extract access token from cookie (decrypt if needed)
5
    const accessToken = decrypt(req.cookies.accessToken);
6

7
    // Validate the token using Scalekit SDK
8
    const isValid = await scalekit.validateAccessToken(accessToken);
9

10
    if (!isValid) {
11
      return res.status(401).json({ error: 'Invalid or expired token' });
12
    }
13

14
    // Decode token to get roles and permissions using any JWT decode library
15
    const tokenData = await decodeAccessToken(accessToken);
16

17
    // Make authorization data available to route handlers
18
    req.user = {
19
      id: tokenData.sub,
20
      organizationId: tokenData.oid,
21
      roles: tokenData.roles || [],
22
      permissions: tokenData.permissions || []
23
    };
24

25
    next();
26
  } catch (error) {
27
    return res.status(401).json({ error: 'Authentication failed' });
28
  }
29
};


4 collapsed lines
1
from scalekit import ScalekitClient
2
from functools import wraps
3
import jwt
4

5
scalekit_client = ScalekitClient(/* your credentials */)
6

7
def validate_and_extract_auth(f):
8
    @wraps(f)
9
    def decorated_function(*args, **kwargs):
10
        try:
11
            # Extract access token from cookie (decrypt if needed)
12
            access_token = decrypt(request.cookies.get('accessToken'))
13

14
            # Validate the token using Scalekit SDK
15
            is_valid = scalekit_client.validate_access_token(access_token)
16

17
            if not is_valid:
18
                return jsonify({'error': 'Invalid or expired token'}), 401
19

20
            # Decode token to get roles and permissions
21
            token_data = scalekit_client.decode_access_token(access_token)
22

23
            # Make authorization data available to route handlers
24
            request.user = {
25
                'id': token_data.get('sub'),
26
                'organization_id': token_data.get('oid'),
27
                'roles': token_data.get('roles', []),
28
                'permissions': token_data.get('permissions', [])
29
            }
30

31
            return f(*args, **kwargs)
32
        except Exception as e:
33
            return jsonify({'error': 'Authentication failed'}), 401
34

35
    return decorated_function


7 collapsed lines
1
import (
2
    "context"
3
    "encoding/json"
4
    "net/http"
5
    "github.com/scalekit-inc/scalekit-sdk-go"
6
)
7

8
scalekitClient := scalekit.NewScalekitClient(/* your credentials */)
9

10
func validateAndExtractAuth(next http.HandlerFunc) http.HandlerFunc {
11
    return func(w http.ResponseWriter, r *http.Request) {
12
        // Extract access token from cookie (decrypt if needed)
13
        cookie, err := r.Cookie("accessToken")
14
        if err != nil {
15
            http.Error(w, `{"error": "No access token provided"}`, http.StatusUnauthorized)
16
            return
17
        }
18

19
        accessToken, err := decrypt(cookie.Value)
20
        if err != nil {
21
            http.Error(w, `{"error": "Token decryption failed"}`, http.StatusUnauthorized)
22
            return
23
        }
24

25
        // Validate the token using Scalekit SDK
26
        isValid, err := scalekitClient.ValidateAccessToken(accessToken)
27
        if err != nil || !isValid {
28
            http.Error(w, `{"error": "Invalid or expired token"}`, http.StatusUnauthorized)
29
            return
30
        }
31

32
        // Decode token to get roles and permissions using any JWT decode lib
33
        tokenData, err := DecodeAccessToken(accessToken)
34
        if err != nil {
35
            http.Error(w, `{"error": "Token decode failed"}`, http.StatusUnauthorized)
36
            return
37
        }
38

39
        // Add authorization data to request context
40
        user := map[string]interface{}{
41
            "id":             tokenData["sub"],
42
            "organization_id": tokenData["oid"],
43
            "roles":          tokenData["roles"],
44
            "permissions":    tokenData["permissions"],
45
        }
46

47
        ctx := context.WithValue(r.Context(), "user", user)
48
        next(w, r.WithContext(ctx))
49
    }
50
}


7 collapsed lines
1
import com.scalekit.ScalekitClient;
2
import javax.servlet.http.HttpServletRequest;
3
import javax.servlet.http.HttpServletResponse;
4
import org.springframework.web.servlet.HandlerInterceptor;
5
import java.util.Map;
6
import java.util.HashMap;
7

8
@Component
9
public class AuthorizationInterceptor implements HandlerInterceptor {
10
    private final ScalekitClient scalekit;
11

12
    @Override
13
    public boolean preHandle(
14
        HttpServletRequest request,
15
        HttpServletResponse response,
16
        Object handler
17
    ) throws Exception {
18
        try {
19
            // Extract access token from cookie (decrypt if needed)
20
            String accessToken = getCookieValue(request, "accessToken");
21
            String decryptedToken = decrypt(accessToken);
22

23
            // Validate the token using Scalekit SDK
24
            boolean isValid = scalekit.authentication().validateAccessToken(decryptedToken);
25

26
            if (!isValid) {
27
                response.setStatus(HttpStatus.UNAUTHORIZED.value());
28
                response.getWriter().write("{\"error\": \"Invalid or expired token\"}");
29
                return false;
30
            }
31

32
            // Decode token to get roles and permissions using any JWT decode lib
33
            Map<String, Object> tokenData = decodeAccessToken(decryptedToken);
34

35
            // Make authorization data available to controllers
36
            Map<String, Object> user = new HashMap<>();
37
            user.put("id", tokenData.get("sub"));
38
            user.put("organizationId", tokenData.get("oid"));
39
            user.put("roles", tokenData.get("roles"));
40
            user.put("permissions", tokenData.get("permissions"));
41

42
            request.setAttribute("user", user);
43
            return true;
44

45
        } catch (Exception e) {
46
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
47
            response.getWriter().write("{\"error\": \"Authentication failed\"}");
48
            return false;
49
        }
50
    }
51
}

This approach makes user roles and permissions available throughout different routes of your application, enabling consistent and secure access control across all endpoints.

Verify user’s role to allow access to protected resources

Role-based access control (RBAC) provides a straightforward way to manage permissions by grouping them into logical roles. Instead of checking individual permissions for every action, your application can simply verify if the user has the required role, making access control decisions more efficient and easier to maintain.


17 collapsed lines
1
// Helper function to check roles
2
function hasRole(user, requiredRole) {
3
  return user.roles && user.roles.includes(requiredRole);
4
}
5

6
// Middleware to require specific roles
7
function requireRole(role) {
8
  return (req, res, next) => {
9
    if (!hasRole(req.user, role)) {
10
      return res.status(403).json({
11
        error: `Access denied. Required role: ${role}`
12
      });
13
    }
14
    next();
15
  };
16
}
17

18
// Admin-only routes
19
app.get('/api/admin/users', validateAndExtractAuth, requireRole('admin'), (req, res) => {
20
  // Only admin users can access this endpoint
21
  res.json(getAllUsers(req.user.organizationId));
22
});
23

24
// Multiple role check
25
app.post('/api/admin/invite-user', validateAndExtractAuth, (req, res) => {
26
  const user = req.user;
27

28
  // Allow admins or managers to invite users
29
  if (!hasRole(user, 'admin') && !hasRole(user, 'manager')) {
30
    return res.status(403).json({ error: 'Only admins and managers can invite users' });
31
  }
32

33
  const invitation = createUserInvitation(req.body, user.organizationId);
34
  res.json(invitation);
35
});


17 collapsed lines
1
# Helper function to check roles
2
def has_role(user, required_role):
3
    roles = user.get('roles', [])
4
    return required_role in roles
5

6
# Decorator to require specific roles
7
def require_role(role):
8
    def decorator(f):
9
        @wraps(f)
10
        def decorated_function(*args, **kwargs):
11
            user = getattr(request, 'user', {})
12
            if not has_role(user, role):
13
                return jsonify({'error': f'Access denied. Required role: {role}'}), 403
14
            return f(*args, **kwargs)
15
        return decorated_function
16
    return decorator
17

18
# Admin-only routes
19
@app.route('/api/admin/users')
20
@validate_and_extract_auth
21
@require_role('admin')
22
def get_all_users():
23
    # Only admin users can access this endpoint
24
    return jsonify(get_all_users_for_org(request.user['organization_id']))
25

26
# Multiple role check
27
@app.route('/api/admin/invite-user', methods=['POST'])
28
@validate_and_extract_auth
29
def invite_user():
30
    user = request.user
31

32
    # Allow admins or managers to invite users
33
    if not has_role(user, 'admin') and not has_role(user, 'manager'):
34
        return jsonify({'error': 'Only admins and managers can invite users'}), 403
35

36
    invitation = create_user_invitation(request.json, user['organization_id'])
37
    return jsonify(invitation)


31 collapsed lines
1
// Helper function to check roles
2
func hasRole(user map[string]interface{}, requiredRole string) bool {
3
    roles, ok := user["roles"].([]interface{})
4
    if !ok {
5
        return false
6
    }
7

8
    for _, role := range roles {
9
        if roleStr, ok := role.(string); ok && roleStr == requiredRole {
10
            return true
11
        }
12
    }
13
    return false
14
}
15

16
// Middleware to require specific roles
17
func requireRole(role string) func(http.HandlerFunc) http.HandlerFunc {
18
    return func(next http.HandlerFunc) http.HandlerFunc {
19
        return func(w http.ResponseWriter, r *http.Request) {
20
            user := r.Context().Value("user").(map[string]interface{})
21

22
            if !hasRole(user, role) {
23
                http.Error(w, fmt.Sprintf(`{"error": "Access denied. Required role: %s"}`, role), http.StatusForbidden)
24
                return
25
            }
26

27
            next(w, r)
28
        }
29
    }
30
}
31

32
// Admin-only routes
33
func getAllUsersHandler(w http.ResponseWriter, r *http.Request) {
34
    user := r.Context().Value("user").(map[string]interface{})
35
    orgId := user["organization_id"].(string)
36

37
    // Only admin users can access this endpoint
38
    users := getAllUsersForOrg(orgId)
39
    json.NewEncoder(w).Encode(users)
40
}
41

42
// Route setup with role middleware
43
http.HandleFunc("/api/admin/users", validateAndExtractAuth(requireRole("admin")(getAllUsersHandler)))

1
@RestController
2
public class AdminController {
7 collapsed lines
3

4
    // Helper method to check roles
5
    private boolean hasRole(Map<String, Object> user, String requiredRole) {
6
        List<String> roles = (List<String>) user.get("roles");
7
        return roles != null && roles.contains(requiredRole);
8
    }
9

10
    // Admin-only endpoint
11
    @GetMapping("/api/admin/users")
12
    public ResponseEntity<List<User>> getAllUsers(HttpServletRequest request) {
13
        Map<String, Object> user = (Map<String, Object>) request.getAttribute("user");
14

15
        // Check for admin role
16
        if (!hasRole(user, "admin")) {
17
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
18
        }
19

20
        String orgId = (String) user.get("organizationId");
21
        List<User> users = userService.getAllUsersForOrg(orgId);
22
        return ResponseEntity.ok(users);
23
    }
24

25
    @PostMapping("/api/admin/invite-user")
26
    public ResponseEntity<Invitation> inviteUser(
27
        @RequestBody InviteUserRequest request,
28
        HttpServletRequest httpRequest
29
    ) {
30
        Map<String, Object> user = (Map<String, Object>) httpRequest.getAttribute("user");
31

32
        // Allow admins or managers to invite users
33
        if (!hasRole(user, "admin") && !hasRole(user, "manager")) {
34
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
35
        }
36

37
        String orgId = (String) user.get("organizationId");
38
        Invitation invitation = userService.createInvitation(request, orgId);
39
        return ResponseEntity.ok(invitation);
40
    }
41
}

Verify user’s permissions to allow specific actions

Permission-based access control provides granular control over specific actions and resources within your application. While roles offer broad access patterns, permissions allow you to define exactly what operations users can perform, enabling precise security controls and the principle of least privilege.


17 collapsed lines
1
// Helper function to check permissions
2
function hasPermission(user, requiredPermission) {
3
  return user.permissions && user.permissions.includes(requiredPermission);
4
}
5

6
// Middleware to require specific permissions
7
function requirePermission(permission) {
8
  return (req, res, next) => {
9
    if (!hasPermission(req.user, permission)) {
10
      return res.status(403).json({
11
        error: `Access denied. Required permission: ${permission}`
12
      });
13
    }
14
    next();
15
  };
16
}
17

18
// Protected routes with permission checks
19
app.get('/api/projects', validateAndExtractAuth, requirePermission('projects:read'), (req, res) => {
20
  // User has projects:read permission - allow access
21
  res.json(getProjects(req.user.organizationId));
22
});
23

24
app.post('/api/projects', validateAndExtractAuth, requirePermission('projects:create'), (req, res) => {
25
  // User has projects:create permission - allow creation
26
  const newProject = createProject(req.body, req.user.organizationId);
27
  res.json(newProject);
28
});
29

30
// Multiple permission check
31
app.delete('/api/projects/:id', validateAndExtractAuth, (req, res) => {
32
  const user = req.user;
33

34
  // Check if user has either admin role or specific delete permission
35
  if (!hasPermission(user, 'projects:delete') && !user.roles.includes('admin')) {
36
    return res.status(403).json({ error: 'Cannot delete projects' });
37
  }
38

39
  deleteProject(req.params.id, user.organizationId);
40
  res.json({ success: true });
41
});


17 collapsed lines
1
# Helper function to check permissions
2
def has_permission(user, required_permission):
3
    permissions = user.get('permissions', [])
4
    return required_permission in permissions
5

6
# Decorator to require specific permissions
7
def require_permission(permission):
8
    def decorator(f):
9
        @wraps(f)
10
        def decorated_function(*args, **kwargs):
11
            user = getattr(request, 'user', {})
12
            if not has_permission(user, permission):
13
                return jsonify({'error': f'Access denied. Required permission: {permission}'}), 403
14
            return f(*args, **kwargs)
15
        return decorated_function
16
    return decorator
17

18
# Protected routes with permission checks
19
@app.route('/api/projects')
20
@validate_and_extract_auth
21
@require_permission('projects:read')
22
def get_projects():
23
    # User has projects:read permission - allow access
24
    return jsonify(get_projects_for_org(request.user['organization_id']))
25

26
@app.route('/api/projects', methods=['POST'])
27
@validate_and_extract_auth
28
@require_permission('projects:create')
29
def create_project():
30
    # User has projects:create permission - allow creation
31
    new_project = create_project_for_org(request.json, request.user['organization_id'])
32
    return jsonify(new_project)
33

34
# Multiple permission check
35
@app.route('/api/projects/<project_id>', methods=['DELETE'])
36
@validate_and_extract_auth
37
def delete_project(project_id):
38
    user = request.user
39

40
    # Check if user has either admin role or specific delete permission
41
    if not has_permission(user, 'projects:delete') and 'admin' not in user.get('roles', []):
42
        return jsonify({'error': 'Cannot delete projects'}), 403
43

44
    delete_project_from_org(project_id, user['organization_id'])
45
    return jsonify({'success': True})

1
// Helper function to check permissions
2
func hasPermission(user map[string]interface{}, requiredPermission string) bool {
3
    permissions, ok := user["permissions"].([]interface{})
4
    if !ok {
5
        return false
6
    }
7

8
    for _, perm := range permissions {
9
        if permStr, ok := perm.(string); ok && permStr == requiredPermission {
10
            return true
11
        }
12
    }
13
    return false
14
}
15

16
// Middleware to require specific permissions
17
func requirePermission(permission string) func(http.HandlerFunc) http.HandlerFunc {
18
    return func(next http.HandlerFunc) http.HandlerFunc {
19
        return func(w http.ResponseWriter, r *http.Request) {
20
            user := r.Context().Value("user").(map[string]interface{})
21

22
            if !hasPermission(user, permission) {
23
                http.Error(w, fmt.Sprintf(`{"error": "Access denied. Required permission: %s"}`, permission), http.StatusForbidden)
24
                return
25
            }
26

27
            next(w, r)
28
        }
29
    }
30
}
31

32
// Protected routes with permission checks
33
func getProjectsHandler(w http.ResponseWriter, r *http.Request) {
34
    user := r.Context().Value("user").(map[string]interface{})
35
    orgId := user["organization_id"].(string)
36

37
    // User has projects:read permission - allow access
38
    projects := getProjectsForOrg(orgId)
39
    json.NewEncoder(w).Encode(projects)
40
}
41

42
func createProjectHandler(w http.ResponseWriter, r *http.Request) {
43
    user := r.Context().Value("user").(map[string]interface{})
44
    orgId := user["organization_id"].(string)
45

46
    // User has projects:create permission - allow creation
47
    var projectData map[string]interface{}
48
    json.NewDecoder(r.Body).Decode(&projectData)
49

50
    newProject := createProjectForOrg(projectData, orgId)
51
    json.NewEncoder(w).Encode(newProject)
52
}
53

54
// Route setup with middleware
55
http.HandleFunc("/api/projects", validateAndExtractAuth(requirePermission("projects:read")(getProjectsHandler)))
56
http.HandleFunc("/api/projects/create", validateAndExtractAuth(requirePermission("projects:create")(createProjectHandler)))

1
@RestController
2
public class ProjectController {
3

4
    // Helper method to check permissions
5
    private boolean hasPermission(Map<String, Object> user, String requiredPermission) {
6
        List<String> permissions = (List<String>) user.get("permissions");
7
        return permissions != null && permissions.contains(requiredPermission);
8
    }
9

10
    // Annotation-based permission checking
11
    @GetMapping("/api/projects")
12
    @PreAuthorize("hasPermission('projects:read')")
13
    public ResponseEntity<List<Project>> getProjects(HttpServletRequest request) {
14
        Map<String, Object> user = (Map<String, Object>) request.getAttribute("user");
15
        String orgId = (String) user.get("organizationId");
16

17
        // User has projects:read permission - allow access
18
        List<Project> projects = projectService.getProjectsForOrg(orgId);
19
        return ResponseEntity.ok(projects);
20
    }
21

22
    @PostMapping("/api/projects")
23
    public ResponseEntity<Project> createProject(
24
        @RequestBody CreateProjectRequest request,
25
        HttpServletRequest httpRequest
26
    ) {
27
        Map<String, Object> user = (Map<String, Object>) httpRequest.getAttribute("user");
28

29
        // Check permission manually
30
        if (!hasPermission(user, "projects:create")) {
31
            return ResponseEntity.status(HttpStatus.FORBIDDEN)
32
                .body(null);
33
        }
34

35
        String orgId = (String) user.get("organizationId");
36
        Project newProject = projectService.createProject(request, orgId);
37
        return ResponseEntity.ok(newProject);
38
    }
39

40
    @DeleteMapping("/api/projects/{projectId}")
41
    public ResponseEntity<Map<String, Boolean>> deleteProject(
42
        @PathVariable String projectId,
43
        HttpServletRequest request
44
    ) {
45
        Map<String, Object> user = (Map<String, Object>) request.getAttribute("user");
46
        List<String> roles = (List<String>) user.get("roles");
47

48
        // Check if user has either admin role or specific delete permission
49
        if (!hasPermission(user, "projects:delete") && !roles.contains("admin")) {
50
            return ResponseEntity.status(HttpStatus.FORBIDDEN)
51
                .body(Map.of("error", true));
52
        }
53

54
        String orgId = (String) user.get("organizationId");
55
        projectService.deleteProject(projectId, orgId);
56
        return ResponseEntity.ok(Map.of("success", true));
57
    }
58
}

By implementing both role-based and permission-based access control, your application now has a comprehensive security framework that protects different routes and endpoints. You can combine both approaches to create fine-grained access control that matches your application’s specific requirements.

Admin bypass pattern: Allow users with admin role to bypass certain permission checks while maintaining granular control for other users

Resource ownership pattern: Combine role/permission checks with resource ownership verification (e.g., users can only edit their own projects unless they have admin role)

Time-based access pattern: Consider implementing time-based restrictions for sensitive operations, especially for roles with elevated permissions