Okta FGA Authorization Policy

This policy will authorize requests using Okta FGA. If the request is not authorized, a 403 response will be returned.


This policy is in beta. You can use it today, but it may change in non-backward compatible ways before the final release.


The configuration shows how to configure the policy in the 'policies.json' document.

{ "name": "my-okta-fga-authz-inbound-policy", "policyType": "okta-fga-authz-inbound", "handler": { "export": "OktaFGAAuthZInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "authorizationModelId": "$env(FGA_MODEL_ID)", "credentials": { "clientId": "$env(FGA_CLIENT_ID)", "clientSecret": "$env(FGA_CLIENT_SECRET)" }, "region": "us1", "storeId": "$env(FGA_STORE_ID)" } } }

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • region <string> (Required) -
    The region your store is deployed.
    Allowed values are us1, eu1, and au1.
  • storeId <string> (Required) -
    The ID of the store.
  • authorizationModelId <string> (Required) -
    The ID of the authorization model.
  • allowUnauthorizedRequests <boolean> -
    Indicates whether the request should continue if authorization fails. Default is false which means unauthorized users will automatically receive a 403 response.
    Defaults to false.
  • credentials <object> (Required) -
    • clientId <string> (Required) -
      The client ID.
    • clientSecret <string> (Required) -
      The client secret.

Using the Policy

Read more about how policies work