Consuming Fabric
Fabric is the canonical source of truth for identity, tenancy, and authorization. All services must defer to Fabric for permission decisions, tenant state, and canonical IDs.
Frontend Usage
Use Fabric as the canonical source for:
- Organizations
- Teams
- Memberships
- Invitations
- Effective permissions
Recommended Pattern
- Authenticate user (JWT or API key)
- Fetch `GET /v1/me` to get the current principal
- Fetch memberships, orgs, and teams
- Fetch effective permissions for the active context
- Cache only for UX convenience
- Never trust frontend-only authorization
```ts
import { FabricClient } from "@fabric-platform/sdk";

const fabric = new FabricClient({ apiKey: "fab_xxx" });

// Get current user
const me = await fabric.getMe();

// Get their organizations
const orgs = await fabric.getMyOrganizations();

// Check a permission
const result = await fabric.checkPermission({
  resource: `organization:${orgId}`,
  action: "read",
});
```

```python
from fabric_platform import FabricClient

fabric = FabricClient(api_key="fab_xxx")

# Get current user
me = fabric.get_me()

# Get their organizations
orgs = fabric.get_my_organizations()

# Check a permission
result = fabric.check_permission(
    action="read",
    resource=f"organization:{org_id}",
)
```

```rust
use fabric_sdk::FabricClient;

let client = FabricClient::new("https://gofabric.dev", api_key)?;

// Get current user
let me = client.get_me().await?;

// Get their organizations
let orgs = client.get_my_organizations().await?;

// Check a permission
let result = client
    .check_permission("read", Some(&format!("organization:{org_id}")))
    .await?;
```

```sh
# Get current user
curl -H 'Authorization: Bearer fab_xxx' \
  https://gofabric.dev/v1/me

# Get their organizations
curl -H 'Authorization: Bearer fab_xxx' \
  https://gofabric.dev/v1/me/organizations

# Check a permission
curl -X POST https://gofabric.dev/v1/authz/check \
  -H 'Authorization: Bearer fab_xxx' \
  -H 'content-type: application/json' \
  -d '{"resource":"organization:<org-id>","action":"read"}'
```

Backend Usage
Backend services should:
- Call Fabric for authz checks or embed a trusted decision token
- Use Fabric org/team IDs as canonical
- Avoid duplicating org/team/role truth
- Use API keys or service account tokens for service-to-service calls
```ts
// Check permission before a sensitive action
const allowed = await fabric.checkPermission({
  resource: `organization:${orgId}`,
  action: "invite",
});
if (!allowed) throw new Error("Forbidden");
```

```python
# Check permission before a sensitive action
allowed = fabric.check_permission("invite", resource=f"organization:{org_id}")
if not allowed:
    raise PermissionError("Forbidden")
```

```rust
// Check permission before a sensitive action
let allowed = client
    .check_permission("invite", Some(&format!("organization:{org_id}")))
    .await?;
if !allowed {
    return Err("Forbidden".into());
}
```

```sh
# Check permission before a sensitive action
curl -X POST https://gofabric.dev/v1/authz/check \
  -H 'Authorization: Bearer fab_your_api_key' \
  -H 'content-type: application/json' \
  -d '{"resource":"organization:<org-id>","action":"invite"}'
```

GraphQL Alternative
Fabric also provides a GraphQL API at POST /graphql (enabled with --features graphql). GraphQL is useful when:
- You need nested data in one request (e.g., organizations with their teams and members)
- You want client-driven field selection to reduce over-fetching
- You need real-time subscriptions for workflow events via WebSocket
GraphQL uses the same authentication (JWT / API key), RBAC, ACL, and audit logging as REST. See the API Endpoints reference for the full schema and API Examples for query samples.
```graphql
# One request instead of multiple REST calls
{
  me {
    principalId
  }
  myOrganizations {
    id
    name
    teams(first: 10) {
      id
      name
    }
  }
}
```

Response Envelope
Every REST response conforms to a consistent envelope structure:
| Field | Description |
|---|---|
| meta | request_id, trace_id, timestamp, status, version |
| context | principal_id, organization_id, team_id |
| data | The response payload |
| error | Error details (if applicable) |
| links | Pagination and related resource links |
This applies uniformly across REST, SSE, WebSockets, and webhooks. GraphQL uses its own standard response format ({ data, errors, extensions }) instead of the envelope.
SSE payloads emit serialized envelope JSON in the data field of the event.
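A backend permission gate of the kind described under Backend Usage, built on the envelope described above: it calls /v1/authz/check, validates the envelope, and fails closed on any error. This is an added example, not Fabric's SDK or code from this page; the injected transport, the fake server, and the `{"allowed": bool}` shape of the check's `data` payload are assumptions.

```python
import json
from typing import Callable

# Transport: (method, path, headers, json_body) -> (http_status, raw_body).
# Injected so the example runs offline; a real one would call https://gofabric.dev.
Transport = Callable[[str, str, dict, str], tuple[int, str]]


def parse_envelope(raw: str) -> dict:
    """Validate the Fabric REST envelope (meta/context/data/error/links)."""
    obj = json.loads(raw)
    if not isinstance(obj, dict) or not isinstance(obj.get("meta"), dict):
        raise ValueError("response is not a Fabric envelope")
    return {k: obj.get(k) for k in ("meta", "context", "data", "error", "links")}


def is_allowed(transport: Transport, api_key: str, resource: str, action: str) -> bool:
    """Ask /v1/authz/check whether `action` on `resource` is permitted.
    Fails closed: a transport error, non-200 status, populated `error`, or a
    missing/non-boolean decision all deny. The `{"allowed": bool}` shape of
    `data` is an assumption; this page does not document the check payload."""
    headers = {"Authorization": f"Bearer {api_key}", "content-type": "application/json"}
    body = json.dumps({"resource": resource, "action": action})
    try:
        status, raw = transport("POST", "/v1/authz/check", headers, body)
        if status != 200:
            return False
        env = parse_envelope(raw)
        if env["error"] is not None or not isinstance(env["data"], dict):
            return False
        return env["data"].get("allowed") is True
    except (ValueError, TypeError):
        return False


def fake_fabric(method: str, path: str, headers: dict, body: str) -> tuple[int, str]:
    """Constructed stand-in for the Fabric API; only org_1/read is granted."""
    env = {"meta": {"request_id": "req_1", "status": 200},
           "context": {"principal_id": "usr_1"}, "data": None, "error": None, "links": None}
    if headers.get("Authorization") != "Bearer fab_xxx":
        env["meta"]["status"], env["error"] = 401, {"code": "unauthorized"}
        return 401, json.dumps(env)
    req = json.loads(body)
    env["data"] = {"allowed": req == {"resource": "organization:org_1", "action": "read"}}
    return 200, json.dumps(env)
```

Swap `fake_fabric` for a transport that performs the real HTTPS request; the decision logic stays the same and still denies whenever the envelope cannot be trusted.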