Skip to main content

Access Rules

Access Rules are the building blocks for constructing fine-grained access control policies for an Application. When performing an operation through the Basis Theory API, Access Rules are evaluated in priority order until the first rule is found with matching container or conditions. Once a matching rule is identified, the transform defined on the rule determines if and how Token data will be returned from the API. If no matching rules are found, access to the requested resource is denied with a 403 Forbidden error.

Access Rules Logic

Access Rules will be applied with an implicit OR operator. This means that if any of the rules match, the operation will be allowed. If no rules match, the operation will be denied.

Access Rule Conditions will be applied with an implicit AND operator. This means that all conditions must be met for the rule to match.

Access Rule

AttributeTypeDescription
descriptionstringA description of this Access Rule
priorityintThe priority of the rule, beginning with 1 and higher values having lower precedence
containerstring(Optional) The container of Tokens this rule is scoped to
conditionsarray(Optional) List of conditions to be satisfied for the rule to be used. Only apply to sessions
transformstringThe transform to apply to accessed Tokens
permissionsarrayList of permissions to grant on this Access Rule

See Access Rules for more information.

container is only required for public and privateapplications, whilst conditions is only required for sessions. They are mutually exclusive.

Access Rule Transforms

NameTypeDescription
RedactredactRedacts the data property from Token responses
MaskmaskReturns the masked value in the data property on Token responses if a mask is defined, otherwise data is redacted
RevealrevealReturns the plaintext value in the data property in Token responses

Access Rule Conditions

AttributeTypeDescription
attributestringThe token attribute the condition is evaluated on. Either id or container
operatorstringThe operator used for the evaluation. Either starts_with or equals
valuestringThe value to evaluate against the token attribute