The SDK provides two methods for getting an authorization verdict on a Resource-action pair (that is, whether the logged-in User is authorized to perform the specified action on the specified Resource).
The isAuthorizedSync method will use locally-cached instances of the User and the configured RBAC policy. If the RBAC policy has not been loaded, this method will always return false. The SWR caching strategy is detailed here.
The isAuthorized method determines whether the logged-in user is allowed to perform the specified action on the specified resource. It will return a Promise that resolves after the RBAC policy has been loaded. Returns true if the user can perform the action, false otherwise.
If the user is not logged in, this method will always return false. If the resource or action provided are not valid for the configured RBAC policy, this method will return false.
As a best practice, authorization checks for sensitive actions should also occur on the backend.
In React, the @stytch/react library provides the useStytchIsAuthorized hook that implements these methods for you. It returns two boolean values.
- isAuthorized indicates whether the User is authorized. It could be false even if the User is actually authorized if the result is from the cache and the underlying data has changed.
- fromCache indicates whether the value was returned from the application cache. If true, a state refresh is in progress.
In Next.js, useStytchIsAuthorized also returns a third boolean value.
- isInitialized indicates whether the cache is initialized.