Documentation
Getting Started
The minimum path from empty account to the first authorization check.
1. Get a project API key
Your application authenticates to the public /v1/* endpoints with a project API key.
Use that key as:
Authorization: Bearer <api-key>2. Call the HTTP API directly
Call the public /v1/* endpoints from your backend service. Keep the project API key server-side and use your normal HTTP client, retry, timeout, and tracing conventions.
3. Run the first decision
Call POST /v1/check with a subject, feature, and action.
{
"subject": "user:alice",
"feature": "billing",
"action": "read"
}If the subject is allowed, Thauth returns:
4. Add tenant context when needed
Include tenant when the same subject can have different access across customer workspaces.
{
"subject": "user:alice",
"feature": "reports",
"action": "export",
"tenant": "tenant_acme"
}5. Batch checks for UI gating
Use POST /v1/check/batch when one request needs multiple authorization decisions for the same subject and tenant context.
{
"subject": "user:alice",
"tenant": "tenant_acme",
"checks": [
{ "feature": "billing", "action": "read" },
{ "feature": "billing", "action": "write" }
]
}Each batch item still counts as an individual decision for usage.
6. Sync subjects from your app only when needed
Use POST /v1/subjects/upsert if your application is responsible for keeping subject assignments in sync at runtime.
{
"subject_id": "user:alice",
"subject_type": "user",
"role_ids": [
"334858ea-4454-4f5e-84ae-afd1c0644d85"
]
}If the API key is missing or invalid, the current auth middleware responds with plain text:
unauthorizedIf your subjects are already managed outside your customer-facing runtime flow, you may only need GET /v1/config, POST /v1/check, and POST /v1/check/batch.