syntax = "proto3"; package openfga.v1; import "google/api/annotations.proto"; import "google/api/field_behavior.proto"; import "google/api/visibility.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; import "google/protobuf/wrappers.proto"; import "openfga/v1/authzmodel.proto"; import "openfga/v1/openfga.proto"; import "protoc-gen-openapiv2/options/annotations.proto"; import "validate/validate.proto"; service OpenFGAService { rpc Read(ReadRequest) returns (ReadResponse) { option (google.api.http) = { post: "/stores/{store_id}/read" body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Get tuples from the store that matches a query, without following userset rewrite rules" tags: ["Relationship Tuples"] operation_id: "Read" description: "The Read API will return the tuples for a certain store that match a " "query filter specified in the body of the request. \n" "The API doesn't guarantee order by any field. \n" "It is different from the `/stores/{store_id}/expand` API in that it only " "returns relationship tuples that are stored in the system and satisfy the query. \n" "In the body:\n" "1. `tuple_key` is optional. If not specified, it will return all tuples in the store.\n" "2. `tuple_key.object` is mandatory if `tuple_key` is specified. It can be a full object (e.g., " "`type:object_id`) or type only (e.g., `type:`).\n" "3. `tuple_key.user` is mandatory if tuple_key is specified in the case the `tuple_key.object` is a type only.\n" "## Examples\n" "### Query for all objects in a type definition\n" "To query for all objects that `user:bob` has `reader` relationship in " "the `document` type definition, call read API with body of\n" "```json\n" "{\n" " \"tuple_key\": {\n" " \"user\": \"user:bob\",\n" " \"relation\": \"reader\",\n" " \"object\": \"document:\"\n" " }\n" "}\n" "```\n" "The API will return tuples and a continuation token, something like\n" "```json\n" "{\n" " \"tuples\": [\n" " {\n" " \"key\": {\n" " \"user\": \"user:bob\",\n" " \"relation\": \"reader\",\n" " \"object\": \"document:2021-budget\"\n" " },\n" " \"timestamp\": \"2021-10-06T15:32:11.128Z\"\n" " }\n" " ],\n" " \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\"\n" "}\n" "```\n" "This means that `user:bob` has a `reader` relationship with 1 document " "`document:2021-budget`. Note that this API, unlike the List Objects API, does not evaluate the tuples in the store.\n" "The continuation token will be empty if there are no more tuples to query.\n" "### Query for all stored relationship tuples that have a particular relation and object\n" "To query for all users that have `reader` relationship with " "`document:2021-budget`, call read API with body of \n" "```json\n" "{\n" " \"tuple_key\": {\n" " \"object\": \"document:2021-budget\",\n" " \"relation\": \"reader\"\n" " }\n" "}\n" "```\n" "The API will return something like \n" "```json\n" "{\n" " \"tuples\": [\n" " {\n" " \"key\": {\n" " \"user\": \"user:bob\",\n" " \"relation\": \"reader\",\n" " \"object\": \"document:2021-budget\"\n" " },\n" " \"timestamp\": \"2021-10-06T15:32:11.128Z\"\n" " }\n" " ],\n" " \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\"\n" "}\n" "```\n" "This means that `document:2021-budget` has 1 `reader` (`user:bob`). " "Note that, even if the model said that all `writers` are also `readers`, the API will not return writers such as " "`user:anne` because it only returns tuples and does not evaluate them.\n" "### Query for all users with all relationships for a particular document\n" "To query for all users that have any relationship with " "`document:2021-budget`, call read API with body of \n" "```json\n" "{\n" " \"tuple_key\": {\n" " \"object\": \"document:2021-budget\"\n" " }\n" "}\n" "```\n" "The API will return something like \n" "```json\n" "{\n" " \"tuples\": [\n" " {\n" " \"key\": {\n" " \"user\": \"user:anne\",\n" " \"relation\": \"writer\",\n" " \"object\": \"document:2021-budget\"\n" " },\n" " \"timestamp\": \"2021-10-05T13:42:12.356Z\"\n" " },\n" " {\n" " \"key\": {\n" " \"user\": \"user:bob\",\n" " \"relation\": \"reader\",\n" " \"object\": \"document:2021-budget\"\n" " },\n" " \"timestamp\": \"2021-10-06T15:32:11.128Z\"\n" " }\n" " ],\n" " \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\"\n" "}\n" "```\n" "This means that `document:2021-budget` has 1 `reader` (`user:bob`) " "and 1 `writer` (`user:anne`).\n" }; } rpc Write(WriteRequest) returns (WriteResponse) { option (google.api.http) = { post: "/stores/{store_id}/write" body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Add or delete tuples from the store" tags: ["Relationship Tuples"] operation_id: "Write" description: "The Write API will update the tuples for a certain store. Tuples and " "type definitions allow OpenFGA to determine whether a " "relationship exists between an object and an user.\n" "In the body, `writes` adds new tuples and `deletes` removes existing tuples. When deleting a tuple, any `condition` specified with it is ignored.\n" "The API is not idempotent: if, later on, you try to add the same tuple key (even if the `condition` is different), or if you try to delete a non-existing tuple, it will throw an error.\n" "An `authorization_model_id` may be specified in the body. If it is, it will be used to assert that each written tuple (not deleted) " "is valid for the model specified. If it is not specified, the latest authorization model ID will be used.\n" "## Example\n" "### Adding relationships\n" "To add `user:anne` as a `writer` for `document:2021-budget`, call " "write API with the following \n" "```json\n" "{\n" " \"writes\": {\n" " \"tuple_keys\": [\n" " {\n" " \"user\": \"user:anne\",\n" " \"relation\": \"writer\",\n" " \"object\": \"document:2021-budget\"\n" " }\n" " ]\n" " },\n" " \"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\"\n" "}\n" "```\n" "### Removing relationships\n" "To remove `user:bob` as a `reader` for `document:2021-budget`, call " "write API with the following \n" "```json\n" "{\n" " \"deletes\": {\n" " \"tuple_keys\": [\n" " {\n" " \"user\": \"user:bob\",\n" " \"relation\": \"reader\",\n" " \"object\": \"document:2021-budget\"\n" " }\n" " ]\n" " }\n" "}\n" "```\n" }; } rpc Check(CheckRequest) returns (CheckResponse) { option (google.api.http) = { post: "/stores/{store_id}/check" body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Check whether a user is authorized to access an object" tags: ["Relationship Queries"] operation_id: "Check" description: "The Check API queries to check if the user has a certain relationship with an object in a certain store.\n" "A `contextual_tuples` object may also be included in the body of the request. This object contains one field `tuple_keys`, which is an array of tuple keys. Each of these tuples may have an associated `condition`.\n" "You may also provide an `authorization_model_id` in the body. This will be used to assert that the input `tuple_key` is valid for the model specified. " "If not specified, the assertion will be made against the latest authorization model ID. It is strongly recommended to specify authorization model id for better performance.\n" "You may also provide a `context` object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly.\n" "The response will return whether the relationship exists in the field `allowed`.\n\n" "## Example\n" "In order to check if user `user:anne` of type `user` has a `reader` relationship with object `document:2021-budget` given the following contextual tuple\n" "```json\n" "{\n" " \"user\": \"user:anne\",\n" " \"relation\": \"member\",\n" " \"object\": \"time_slot:office_hours\"\n" "}\n" "```\n" "the Check API can be used with the following request body:\n" "```json\n" "{\n" " \"tuple_key\": {\n" " \"user\": \"user:anne\",\n" " \"relation\": \"reader\",\n" " \"object\": \"document:2021-budget\"\n" " },\n" " \"contextual_tuples\": {\n" " \"tuple_keys\": [\n" " {\n" " \"user\": \"user:anne\",\n" " \"relation\": \"member\",\n" " \"object\": \"time_slot:office_hours\"\n" " }\n" " ]\n" " },\n" " \"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\"\n" "}\n" "```\n" "OpenFGA's response will include `{ \"allowed\": true }` if there is a relationship " "and `{ \"allowed\": false }` if there isn't." }; } rpc Expand(ExpandRequest) returns (ExpandResponse) { option (google.api.http) = { post: "/stores/{store_id}/expand" body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship" tags: ["Relationship Queries"] operation_id: "Expand" description: "The Expand API will return all users and usersets " "that have certain relationship with an object in a certain store.\n" "This is different from the `/stores/{store_id}/read` API in that both users and " "computed usersets are returned.\n" "Body parameters `tuple_key.object` and `tuple_key.relation` are all required.\n" "The response will return a tree whose leaves are the specific users and usersets. " "Union, intersection and difference operator are located in the intermediate nodes.\n\n" "## Example\n" "To expand all users that have the `reader` relationship with object `document:2021-budget`, " "use the Expand API with the following request body\n" "```json\n" "{\n" " \"tuple_key\": {\n" " \"object\": \"document:2021-budget\",\n" " \"relation\": \"reader\"\n" " },\n" " \"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\"\n" "}\n" "```\n" "OpenFGA's response will be a userset tree of the users and usersets that have " "read access to the document.\n" "```json\n" "{\n" " \"tree\":{\n" " \"root\":{\n" " \"type\":\"document:2021-budget#reader\",\n" " \"union\":{\n" " \"nodes\":[\n" " {\n" " \"type\":\"document:2021-budget#reader\",\n" " \"leaf\":{\n" " \"users\":{\n" " \"users\":[\n" " \"user:bob\"\n" " ]\n" " }\n" " }\n" " },\n" " {\n" " \"type\":\"document:2021-budget#reader\",\n" " \"leaf\":{\n" " \"computed\":{\n" " \"userset\":\"document:2021-budget#writer\"\n" " }\n" " }\n" " }\n" " ]\n" " }\n" " }\n" " }\n" "}\n" "```\n" "The caller can then call expand API for the `writer` relationship for the `document:2021-budget`." }; } rpc ReadAuthorizationModels(ReadAuthorizationModelsRequest) returns (ReadAuthorizationModelsResponse) { option (google.api.http) = {get: "/stores/{store_id}/authorization-models"}; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Return all the authorization models for a particular store" tags: ["Authorization Models"] operation_id: "ReadAuthorizationModels" description: "The ReadAuthorizationModels API will return all the authorization models for a certain store.\n" "OpenFGA's response will contain an array of all authorization models, sorted in descending order of creation.\n\n" "## Example\n" "Assume that a store's authorization model has been configured twice. To get all the authorization models that have been created in this store, call GET authorization-models. The API will return a response that looks like:\n" "```json\n" "{\n" " \"authorization_models\": [\n" " {\n" " \"id\": \"01G50QVV17PECNVAHX1GG4Y5NC\",\n" " \"type_definitions\": [...]\n" " },\n" " {\n" " \"id\": \"01G4ZW8F4A07AKQ8RHSVG9RW04\",\n" " \"type_definitions\": [...]\n" " },\n" " ],\n" " \"continuation_token\": \"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\"\n" "}\n" "```\n" "If there are no more authorization models available, the `continuation_token` field will be empty\n" "```json\n" "{\n" " \"authorization_models\": [\n" " {\n" " \"id\": \"01G50QVV17PECNVAHX1GG4Y5NC\",\n" " \"type_definitions\": [...]\n" " },\n" " {\n" " \"id\": \"01G4ZW8F4A07AKQ8RHSVG9RW04\",\n" " \"type_definitions\": [...]\n" " },\n" " ],\n" " \"continuation_token\": \"\"\n" "}\n" "```\n" "" }; } rpc ReadAuthorizationModel(ReadAuthorizationModelRequest) returns (ReadAuthorizationModelResponse) { option (google.api.http) = {get: "/stores/{store_id}/authorization-models/{id}"}; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Return a particular version of an authorization model" tags: ["Authorization Models"] operation_id: "ReadAuthorizationModel" description: "The ReadAuthorizationModel API returns an authorization model by its identifier.\n" "The response will return the authorization model for the particular version.\n\n" "## Example\n" "To retrieve the authorization model with ID `01G5JAVJ41T49E9TT3SKVS7X1J` for the store, " "call the GET authorization-models by ID API with `01G5JAVJ41T49E9TT3SKVS7X1J` as the " "`id` path parameter. The API will return:\n" "```json\n" "{\n" " \"authorization_model\":{\n" " \"id\":\"01G5JAVJ41T49E9TT3SKVS7X1J\",\n" " \"type_definitions\":[\n" " {\n" " \"type\":\"user\"\n" " },\n" " {\n" " \"type\":\"document\",\n" " \"relations\":{\n" " \"reader\":{\n" " \"union\":{\n" " \"child\":[\n" " {\n" " \"this\":{}\n" " },\n" " {\n" " \"computedUserset\":{\n" " \"object\":\"\",\n" " \"relation\":\"writer\"\n" " }\n" " }\n" " ]\n" " }\n" " },\n" " \"writer\":{\n" " \"this\":{}\n" " }\n" " }\n" " }\n" " ]\n" " }\n" "}\n" "```\n" "In the above example, there are 2 types (`user` and `document`). The `document` type " "has 2 relations (`writer` and `reader`)." }; } rpc WriteAuthorizationModel(WriteAuthorizationModelRequest) returns (WriteAuthorizationModelResponse) { option (google.api.http) = { post: "/stores/{store_id}/authorization-models" body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Create a new authorization model" tags: ["Authorization Models"] operation_id: "WriteAuthorizationModel" description: "The WriteAuthorizationModel API will add a new authorization model " "to a store.\n" "Each item in the `type_definitions` array is a type " "definition as specified in the field `type_definition`.\n" "The response will return the authorization model's ID in the `id` field.\n\n" "## Example\n" "To add an authorization model with `user` and `document` type definitions, call POST " "authorization-models API with the body: \n" "```json\n" "{\n" " \"type_definitions\":[\n" " {\n" " \"type\":\"user\"\n" " },\n" " {\n" " \"type\":\"document\",\n" " \"relations\":{\n" " \"reader\":{\n" " \"union\":{\n" " \"child\":[\n" " {\n" " \"this\":{}\n" " },\n" " {\n" " \"computedUserset\":{\n" " \"object\":\"\",\n" " \"relation\":\"writer\"\n" " }\n" " }\n" " ]\n" " }\n" " },\n" " \"writer\":{\n" " \"this\":{}\n" " }\n" " }\n" " }\n" " ]\n" "}\n" "```\n" "OpenFGA's response will include the version id for this authorization model, " "which will look like \n" "```\n" "{\"authorization_model_id\": \"01G50QVV17PECNVAHX1GG4Y5NC\"}\n" "```\n" responses: { key: "201" value: { description: "A successful response." schema: { json_schema: {ref: ".openfga.v1.WriteAuthorizationModelResponse"} } } } }; } rpc WriteAssertions(WriteAssertionsRequest) returns (WriteAssertionsResponse) { option (google.api.http) = { put: "/stores/{store_id}/assertions/{authorization_model_id}" body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Upsert assertions for an authorization model ID" tags: ["Assertions"] operation_id: "WriteAssertions" description: "The WriteAssertions API will upsert new assertions for an authorization model id, " "or overwrite the existing ones. An assertion is an object that contains a " "tuple key, and the expectation of whether a call to the Check API of that tuple key " "will return true or false. " responses: { key: "204" value: { description: "A successful response." schema: { json_schema: {ref: ".openfga.v1.WriteAssertionsResponse"} } } } }; } rpc ReadAssertions(ReadAssertionsRequest) returns (ReadAssertionsResponse) { option (google.api.http) = {get: "/stores/{store_id}/assertions/{authorization_model_id}"}; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Read assertions for an authorization model ID" tags: ["Assertions"] operation_id: "ReadAssertions" description: "The ReadAssertions API will return, for a given authorization model id, " "all the assertions stored for it. An assertion is an object that contains a " "tuple key, and the expectation of whether a call to the Check API of that tuple key " "will return true or false. " }; } rpc ReadChanges(ReadChangesRequest) returns (ReadChangesResponse) { option (google.api.http) = {get: "/stores/{store_id}/changes"}; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Return a list of all the tuple changes" tags: ["Relationship Tuples"] operation_id: "ReadChanges" description: "The ReadChanges API will return a paginated list of tuple changes (additions and deletions) that occurred " "in a given store, sorted by ascending time. The response will include a continuation token " "that is used to get the next set of changes. If there are no changes after the provided continuation token, " "the same token will be returned in order for it to be used when new changes are recorded. " "If the store never had any tuples added or removed, this token will be empty.\n" "You can use the `type` parameter to only get the list of tuple changes that affect objects of that type.\n" "When reading a write tuple change, if it was conditioned, the condition will be returned.\n" "When reading a delete tuple change, the condition will NOT be returned regardless of whether it was originally conditioned or not.\n" }; } rpc CreateStore(CreateStoreRequest) returns (CreateStoreResponse) { option (google.api.http) = { post: "/stores", body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Create a store" tags: ["Stores"] operation_id: "CreateStore" description: "Create a unique OpenFGA store which will be used to store authorization models and relationship tuples." responses: { key: "201" value: { description: "A successful response." schema: { json_schema: {ref: ".openfga.v1.CreateStoreResponse"} } } } }; } rpc UpdateStore(UpdateStoreRequest) returns (UpdateStoreResponse) { option (google.api.method_visibility).restriction = "UNIMPLEMENTED"; option (google.api.http) = { patch: "/stores/{store_id}", body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Update a store" tags: ["Stores"] operation_id: "UpdateStore" description: "Updates an existing store." responses: { key: "200" value: { description: "A successful response." schema: { json_schema: {ref: ".openfga.v1.UpdateStoreResponse"} } } } }; } rpc DeleteStore(DeleteStoreRequest) returns (DeleteStoreResponse) { option (google.api.http) = {delete: "/stores/{store_id}"}; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Delete a store" tags: ["Stores"] operation_id: "DeleteStore" description: "Delete an OpenFGA store. This does not delete the data associated with the store, like tuples or authorization models." responses: { key: "204" value: { description: "A successful response." schema: { json_schema: {ref: ".openfga.v1.DeleteStoreResponse"} } } } }; } rpc GetStore(GetStoreRequest) returns (GetStoreResponse) { option (google.api.http) = {get: "/stores/{store_id}"}; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "Get a store" tags: ["Stores"] operation_id: "GetStore" description: "Returns an OpenFGA store by its identifier" }; } rpc ListStores(ListStoresRequest) returns (ListStoresResponse) { option (google.api.http) = {get: "/stores"}; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "List all stores" tags: ["Stores"] operation_id: "ListStores" description: "Returns a paginated list of OpenFGA stores and a continuation token to get additional stores.\n" "The continuation token will be empty if there are no more stores.\n" }; } rpc StreamedListObjects(StreamedListObjectsRequest) returns (stream StreamedListObjectsResponse) { option (google.api.http) = { post: "/stores/{store_id}/streamed-list-objects", body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "[EXPERIMENTAL] Stream all objects of the given type that the user has a relation with" tags: ["Relationship Queries"] operation_id: "StreamedListObjects" description: "The Streamed ListObjects API is very similar to the the ListObjects API, with two differences: \n" "1. Instead of collecting all objects before returning a response, it streams them to the client as they are collected. \n" "2. The number of results returned is only limited by the execution timeout specified in the flag OPENFGA_LIST_OBJECTS_DEADLINE. \n" }; } rpc ListObjects(ListObjectsRequest) returns (ListObjectsResponse) { option (google.api.http) = { post: "/stores/{store_id}/list-objects", body: "*" }; option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { summary: "List all objects of the given type that the user has a relation with" tags: ["Relationship Queries"] operation_id: "ListObjects" description: "The ListObjects API returns a list of all the objects of the given type that the user " "has a relation with. To achieve this, both the store tuples and the authorization model are used.\n" "An `authorization_model_id` may be specified in the body. If it is not specified, the latest authorization " "model ID will be used. It is strongly recommended to specify authorization model id for better performance.\n" "You may also specify `contextual_tuples` that will be treated as regular tuples. Each of these tuples may have an associated `condition`.\n" "You may also provide a `context` object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly.\n" "The response will contain the related objects in an array in the \"objects\" field of the response and they will " "be strings in the object format `:` (e.g. \"document:roadmap\").\n" "The number of objects in the response array will be limited by the execution timeout specified in the flag OPENFGA_LIST_OBJECTS_DEADLINE " "and by the upper bound specified in the flag OPENFGA_LIST_OBJECTS_MAX_RESULTS, whichever is hit first.\n" "The objects given will not be sorted, and therefore two identical calls can give a given different set of objects." }; } } message ListObjectsRequest { string store_id = 1 [ json_name = "store_id", (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; string authorization_model_id = 2 [ json_name = "authorization_model_id", (validate.rules).string = { pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$", ignore_empty: true }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} ]; string type = 3 [ json_name = "type", (validate.rules).string = {pattern: "^[^:#@\\s]{1,254}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"document\""}, (google.api.field_behavior) = REQUIRED ]; string relation = 4 [ (validate.rules).string = {pattern: "^[^:#@\\s]{1,50}$"}, (google.api.field_behavior) = REQUIRED, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"reader\""} ]; string user = 5 [ (validate.rules).string = { min_bytes: 1, max_bytes: 512 }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { min_length: 1, max_length: 512, example: "\"user:anne\"" }, (google.api.field_behavior) = REQUIRED ]; openfga.v1.ContextualTupleKeys contextual_tuples = 6 [json_name = "contextual_tuples"]; // Additional request context that will be used to evaluate any ABAC conditions encountered // in the query evaluation. google.protobuf.Struct context = 7; } message ListObjectsResponse { repeated string objects = 1 [ json_name = "objects", (google.api.field_behavior) = REQUIRED, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "[\"document:roadmap\",\"document:planning\"]"} ]; } message StreamedListObjectsRequest { string store_id = 1 [ json_name = "store_id", (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; string authorization_model_id = 2 [ json_name = "authorization_model_id", (validate.rules).string = { pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$", ignore_empty: true }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} ]; string type = 3 [ json_name = "type", (validate.rules).string = {pattern: "^[^:#@\\s]{1,254}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"document\""}, (google.api.field_behavior) = REQUIRED ]; string relation = 4 [ (validate.rules).string = {pattern: "^[^:#@\\s]{1,50}$"}, (google.api.field_behavior) = REQUIRED, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"reader\""} ]; string user = 5 [ (validate.rules).string = { min_bytes: 1, max_bytes: 512 }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { min_length: 1, max_length: 512, example: "\"user:anne\"" }, (google.api.field_behavior) = REQUIRED ]; openfga.v1.ContextualTupleKeys contextual_tuples = 6 [json_name = "contextual_tuples"]; // Additional request context that will be used to evaluate any ABAC conditions encountered // in the query evaluation. google.protobuf.Struct context = 7; } // The response for a StreamedListObjects RPC. message StreamedListObjectsResponse { string object = 1 [ json_name = "object", (google.api.field_behavior) = REQUIRED, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"document:roadmap\""} ]; } // Note: store_id is a ULID using pattern ^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$ // which excludes I, L, O, and U // because of https://github.com/ulid/spec#encoding message ReadRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; ReadRequestTupleKey tuple_key = 2 [json_name = "tuple_key"]; google.protobuf.Int32Value page_size = 3 [ json_name = "page_size", (validate.rules).int32 = { gte: 1, lte: 100 }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "50"} ]; string continuation_token = 4 [ json_name = "continuation_token", (validate.rules).string.max_bytes = 5120, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\""} ]; } message ReadRequestTupleKey { string user = 1 [ (validate.rules).string = {max_bytes: 512}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 512, example: "\"user:anne\"" } ]; string relation = 2 [ (validate.rules).string = { pattern: "^[^:#@\\s]{1,50}$", ignore_empty: true }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 50, example: "\"reader\"" } ]; string object = 3 [ (validate.rules).string = { pattern: "^[^\\s]{2,256}$", ignore_empty: true }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 256, example: "\"document:2021-budget\"" } ]; } message ReadResponse { repeated openfga.v1.Tuple tuples = 1 [(google.api.field_behavior) = REQUIRED]; string continuation_token = 2 [ json_name = "continuation_token", (google.api.field_behavior) = REQUIRED, (validate.rules).string.max_bytes = 5120, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "The continuation token will be empty if there are no more tuples.", example: "\"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\"" } ]; } message WriteRequestWrites { repeated TupleKey tuple_keys = 1 [ json_name = "tuple_keys", (google.api.field_behavior) = REQUIRED, (validate.rules).repeated.min_items = 1, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {minimum: 1} ]; } message WriteRequestDeletes { repeated TupleKeyWithoutCondition tuple_keys = 1 [ json_name = "tuple_keys", (google.api.field_behavior) = REQUIRED, (validate.rules).repeated.min_items = 1, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {minimum: 1} ]; } message WriteRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; WriteRequestWrites writes = 2; WriteRequestDeletes deletes = 3; string authorization_model_id = 4 [ json_name = "authorization_model_id", (validate.rules).string = { pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$", ignore_empty: true }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} ]; } message WriteResponse {} message CheckRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; CheckRequestTupleKey tuple_key = 2 [ json_name = "tuple_key", (validate.rules).message.required = true, (google.api.field_behavior) = REQUIRED ]; openfga.v1.ContextualTupleKeys contextual_tuples = 3 [json_name = "contextual_tuples"]; string authorization_model_id = 4 [ json_name = "authorization_model_id", (validate.rules).string = { pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$", ignore_empty: true }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} ]; // Defaults to false. Making it true has performance implications. bool trace = 5 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { read_only: true, example: "false" }]; // Additional request context that will be used to evaluate any ABAC conditions encountered // in the query evaluation. google.protobuf.Struct context = 6; } message CheckRequestTupleKey { string user = 1 [ (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[^\\s]{2,512}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 512, example: "\"user:anne\"" } ]; string relation = 2 [ (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[^:#@\\s]{1,50}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 50, example: "\"reader\"" } ]; string object = 3 [ (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[^\\s]{2,256}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 256, example: "\"document:2021-budget\"" } ]; } message CheckResponse { bool allowed = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "true"}]; // For internal use only. string resolution = 2; } message ExpandRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; ExpandRequestTupleKey tuple_key = 2 [ json_name = "tuple_key", (validate.rules).message.required = true, (google.api.field_behavior) = REQUIRED ]; string authorization_model_id = 3 [ json_name = "authorization_model_id", (validate.rules).string = { pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$", ignore_empty: true }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} ]; } message ExpandRequestTupleKey { string relation = 1 [ (google.api.field_behavior) = REQUIRED, (validate.rules).string = { pattern: "^[^:#@\\s]{1,50}$", ignore_empty: true }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 50, example: "\"reader\"" } ]; string object = 2 [ (google.api.field_behavior) = REQUIRED, (validate.rules).string = { pattern: "^[^\\s]{2,256}$", ignore_empty: true }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 256, example: "\"document:2021-budget\"" } ]; } message ExpandResponse { openfga.v1.UsersetTree tree = 1; } message ReadAuthorizationModelRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; string id = 2 [ json_name = "id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} ]; } message ReadAuthorizationModelResponse { AuthorizationModel authorization_model = 1 [json_name = "authorization_model"]; } message WriteAuthorizationModelRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; repeated TypeDefinition type_definitions = 2 [ (google.api.field_behavior) = REQUIRED, json_name = "type_definitions", (validate.rules).repeated = {min_items: 1}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {minimum: 1} ]; string schema_version = 3 [ json_name = "schema_version", (google.api.field_behavior) = REQUIRED, (validate.rules).string = { in: [ "1.0", "1.1", "1.2" ], ignore_empty: false } ]; map conditions = 4 [ json_name = "conditions", (validate.rules).map.max_pairs = 25, (validate.rules).map.keys.string = {pattern: "^[^:#@\\s]{1,50}$"} ]; } message WriteAuthorizationModelResponse { string authorization_model_id = 1 [ json_name = "authorization_model_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} ]; } message ReadAuthorizationModelsRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; google.protobuf.Int32Value page_size = 2 [ json_name = "page_size", (validate.rules).int32 = { gte: 1, lte: 100 }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "50"} ]; string continuation_token = 3 [ json_name = "continuation_token", (validate.rules).string.max_bytes = 5120, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\""} ]; } message ReadAuthorizationModelsResponse { repeated AuthorizationModel authorization_models = 1 [ json_name = "authorization_models", (google.api.field_behavior) = REQUIRED ]; string continuation_token = 2 [ json_name = "continuation_token", (validate.rules).string.max_bytes = 5120, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "The continuation token will be empty if there are no more models.", example: "\"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\"" } ]; } message WriteAssertionsRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; string authorization_model_id = 2 [ json_name = "authorization_model_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} ]; repeated openfga.v1.Assertion assertions = 3 [ json_name = "assertions", (google.api.field_behavior) = REQUIRED, (validate.rules).repeated = { min_items: 0, max_items: 100 }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { minimum: 0, maximum: 100 } ]; } message WriteAssertionsResponse {} message ReadAssertionsRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; string authorization_model_id = 2 [ json_name = "authorization_model_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} ]; } message ReadAssertionsResponse { string authorization_model_id = 1 [ json_name = "authorization_model_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} ]; repeated openfga.v1.Assertion assertions = 2; } message ReadChangesRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; string type = 2 [(validate.rules).string = { pattern: "^[^:#\\s]{1,254}$", ignore_empty: true }]; google.protobuf.Int32Value page_size = 3 [ json_name = "page_size", (validate.rules).int32 = { gte: 1, lte: 100 }, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "50"} ]; string continuation_token = 4 [ json_name = "continuation_token", (validate.rules).string.max_bytes = 5120, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\""} ]; } message ReadChangesResponse { repeated openfga.v1.TupleChange changes = 1 [(google.api.field_behavior) = REQUIRED]; string continuation_token = 2 [ json_name = "continuation_token", (validate.rules).string.max_bytes = 5120, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "The continuation token will be identical if there are no new changes." example: "\"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\"" } ]; } message CreateStoreRequest { string name = 1 [ (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[a-zA-Z0-9\\s\\.\\-\\/^_&@]{3,64}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"my-store-name\""} ]; } message CreateStoreResponse { string id = 1 [ (google.api.field_behavior) = REQUIRED, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; string name = 2 [(google.api.field_behavior) = REQUIRED]; google.protobuf.Timestamp created_at = 3 [ json_name = "created_at", (google.api.field_behavior) = REQUIRED ]; google.protobuf.Timestamp updated_at = 4 [ json_name = "updated_at", (google.api.field_behavior) = REQUIRED ]; } message UpdateStoreRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; string name = 2 [ (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[a-zA-Z0-9\\s\\.\\-\\/^_&@]{3,64}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"my-new-store-name\""} ]; } message UpdateStoreResponse { string id = 1 [ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""}, (google.api.field_behavior) = REQUIRED ]; string name = 2 [(google.api.field_behavior) = REQUIRED]; google.protobuf.Timestamp created_at = 3 [ json_name = "created_at", (google.api.field_behavior) = REQUIRED ]; google.protobuf.Timestamp updated_at = 4 [ json_name = "updated_at", (google.api.field_behavior) = REQUIRED ]; } message DeleteStoreRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; } message DeleteStoreResponse {} message GetStoreRequest { string store_id = 1 [ json_name = "store_id", (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""} ]; } message GetStoreResponse { string id = 1 [ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""}, (google.api.field_behavior) = REQUIRED ]; string name = 2 [(google.api.field_behavior) = REQUIRED]; google.protobuf.Timestamp created_at = 3 [ json_name = "created_at", (google.api.field_behavior) = REQUIRED ]; google.protobuf.Timestamp updated_at = 4 [ json_name = "updated_at", (google.api.field_behavior) = REQUIRED ]; google.protobuf.Timestamp deleted_at = 5 [json_name = "deleted_at"]; } message ListStoresRequest { google.protobuf.Int32Value page_size = 1 [ json_name = "page_size", (validate.rules).int32 = { gte: 1, lte: 100 } ]; string continuation_token = 2 [ json_name = "continuation_token", (validate.rules).string.max_bytes = 5120, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\""} ]; } message ListStoresResponse { repeated openfga.v1.Store stores = 1 [(google.api.field_behavior) = REQUIRED]; string continuation_token = 2 [ json_name = "continuation_token", (google.api.field_behavior) = REQUIRED, (validate.rules).string.max_bytes = 5120, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "The continuation token will be empty if there are no more stores.", example: "\"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\"" } ]; } message AssertionTupleKey { string object = 1 [ (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[^\\s]{2,256}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 256, example: "\"document:2021-budget\"" } ]; string relation = 2 [ (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[^:#@\\s]{1,50}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 50, example: "\"reader\"" } ]; string user = 3 [ (google.api.field_behavior) = REQUIRED, (validate.rules).string = {pattern: "^[^\\s]{2,512}$"}, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { max_length: 512, example: "\"user:anne\"" } ]; } message Assertion { AssertionTupleKey tuple_key = 1 [ (validate.rules).message.required = true, json_name = "tuple_key", (google.api.field_behavior) = REQUIRED ]; bool expectation = 2 [ json_name = "expectation", (google.api.field_behavior) = REQUIRED ]; } message Assertions { repeated Assertion assertions = 1 [(google.api.field_behavior) = REQUIRED]; }