/
Contact usSee pricingStart building
    Overview
    Changelog

    Pre-built UI

    StytchB2B
      Configuration
      Callbacks
    Admin Portal
      SSO
      Org Settings
      Member Management
      SCIM
    B2BIdentityProviderBeta
      Configuration
      UI Callbacks

    Headless

    Organizations
      Get Organization
      Get Organization by Slug
      Update Organization
      Delete Organization
    Members
      Get Member
      Create Member
      Update Member
      Search Members
      Delete Member
      Reactivate Member
      Delete Member Password
      Delete Member MFA Phone Number
      Delete Member MFA TOTP
      Unlink Retired Member Email
      Update Self
      Delete Self Password
      Delete Self MFA Phone Number
      Delete Self MFA TOTP
      Unlink Retired Self Email
      Update Member (Deprecated)
      Delete Member MFA Phone Number (Deprecated)
    RBAC
      Is Authorized
      Permissions
    Email Magic Links
      Login or Signup
      Invite
      Authenticate
      Send Discovery Email
      Authenticate Discovery Magic Link
    Email One-time Passcodes (OTPs)
      Login or Signup
      Authenticate OTP
      Send Discovery Email OTP
      Authenticate Discovery Email OTP
    OAuth
      Start OAuth Flow
      Google One Tap
      Authenticate
      Start Discovery OAuth Flow
      Discovery Authenticate
    Session Management
      Get Session
      Authenticate Session
      Revoke Session
      Update Session
      Exchange Session
      Get Tokens
      Revoke Sessions for Member
    SSO
      Start SSO Flow
      Authenticate
      Get SSO Connections
      Discover SSO Connections
      Delete SSO Connection
      Create SAML Connection
      Update SAML Connection
      Update SAML Connection by Metadata URL
      Delete Verification Certificate
      Create OIDC Connection
      Update OIDC Connection
      Create External Connection
      Update External Connection
    Discovery
      List Discovered Organizations
      Create Organization via Discovery
      Exchange Intermediate Session
    Passwords
      Authenticate
      Reset by Email Start
      Reset by Email
      Reset by Existing Password
      Reset by Session
      Strength Check
    • Discovery

      • Authenticate
        Reset by Email Start
        Reset by Email
    SCIM
      Create SCIM Connection
      Update SCIM Connection
      Delete SCIM Connection
      Get SCIM Connection
      SCIM Token Rotation Start
      SCIM Token Rotation Complete
      SCIM Token Rotation Cancel
      Get SCIM Connection Groups
    Multi-Factor Authentication
    • One-Time Passcodes

      • SMS Send
        SMS Authenticate
    • Time-Based One-Time Passcodes

      • TOTP Create
        TOTP Authenticate
    • Recovery Codes

      • Recovery Codes Recover
        Rotate Recovery Codes
        Get Recovery Codes
    Impersonation
      Authenticate

    More Resources

    Cookies & session management
    SWR & caching
    TypeScript
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Frontend SDKs

/

Headless

/

RBAC

/

Is Authorized

isAuthorized

The SDK provides two methods for getting an authorization verdict on a Resource-action pair (that is, whether the logged-in Member is authorized to perform the specified action on the specified Resource).

The isAuthorizedSync method will use locally-cached instances of the Member and the configured RBAC policy. If the RBAC policy has not been loaded, this method will always return false. The SWR caching strategy is detailed here.

The isAuthorized method determines whether the logged-in member is allowed to perform the specified action on the specified resource. It will return a Promise that resolves after the RBAC policy has been loaded. Returns true if the member can perform the action, false otherwise.

If the member is not logged in, this method will always return false. If the resource or action provided are not valid for the configured RBAC policy, this method will return false.

As a best practice, authorization checks for sensitive actions should also occur on the backend.

In React, the @stytch/react library provides the useStytchIsAuthorized hook that implements these methods for you. It returns two boolean values.

  • isAuthorized indicates whether the Member is authorized. It could be false even if the Member is actually authorized if the result is from the cache and the underlying data has changed.
  • fromCache indicates whether the value was returned from the application cache. If true, a state refresh is in progress.

In Next.js, useStytchIsAuthorized also returns a third boolean value.

  • isInitialized indicates whether the cache is initialized.
import { useStytchIsAuthorized } from '@stytch/react/b2b';

export const EditDocuments = () => {
  const { isAuthorized } = useStytchIsAuthorized('documents', 'edit');

  const editDocument = () => {
    //...
  };

  return (
    <button disabled={!isAuthorized} onClick={editDocument}>
      Edit
    </button>
  );
};
RESPONSE
200
​
{
    "status_code": 200,
    "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141"
    "is_authorized": true,
}