Workflow
RBAC entitlement check API
Resolves role inheritance, expands wildcard permissions (e.g. billing:*), and decides whether a subject's roles grant a permission, listing the effective permission set. Answers 'Can this subject perform this action?', 'What permissions do these roles grant?'.
Price$0.02per request
MethodPOST
Route/v1/workflow/entitlement-check
StatusLive
MIME typeapplication/json
Rate limit120/minute
Cache0s public
rbacentitlementpermissionauthorizationrolesaccess-controlaclworkflow
API URL
Integration docshttps://x402.hexl.dev/v1/workflow/entitlement-checkExample request
{
"roles": [
{
"name": "admin",
"permissions": [
"billing:*"
],
"inherits": [
"viewer"
]
},
{
"name": "viewer",
"permissions": [
"read"
]
}
],
"subjectRoles": [
"admin"
],
"permission": "billing:refund"
}Example response
{
"allowed": true,
"effectivePermissions": [
"billing:*",
"read"
],
"resolvedRoles": [
"admin",
"viewer"
],
"grantedBy": [
"billing:*"
],
"interpretation": "Access to 'billing:refund' granted via billing:*."
}Input schema
{
"type": "object",
"required": [
"roles",
"subjectRoles",
"permission"
],
"properties": {
"roles": {
"type": "array",
"examples": [
[
{
"name": "admin",
"permissions": [
"billing:*"
],
"inherits": [
"viewer"
]
},
{
"name": "viewer",
"permissions": [
"read"
]
}
]
]
},
"subjectRoles": {
"type": "array",
"items": {
"type": "string"
},
"examples": [
[
"admin"
]
]
},
"permission": {
"type": "string",
"examples": [
"billing:refund"
]
}
}
}Output schema
{
"type": "object",
"additionalProperties": true
}