authkeep
SIG Protocol alpha·dff0564

check

Make an authorization decision against the derived state.

Make an app-facing authorization decision against the derived relationship state. This command verifies the feed, derives state, and evaluates whether a subject meets the specified requirements. ak allow is an alias for ak check.

Usage

ak check [FLAGS]
ak allow [FLAGS]

Flags

FlagRequiredDefaultDescription
--sig <PATH_OR_URL>YesSIG metadata path or URL.
--subject <DID>YesSubject DID to check.
--require <KEY=VALUE>YesPredicate to evaluate. Repeatable.
--format <FORMAT>NojsonOutput format: json or text.
--explainNoInclude an explanation trace in the output.

Requirements

The --require flag accepts key-value predicates. It can be specified multiple times, and all predicates must match for the decision to be allow.

PredicateExampleDescription
relationship=<TYPE>relationship=employeeSubject must have an active relationship of this type.
role=<NAME>role=deploySubject must hold this role in an active relationship.

Exit Codes

CodeMeaning
0Allow — the subject meets all requirements.
1Deny — the subject does not meet one or more requirements.
2Error — a verification or processing error occurred.

JSON Output

When using --format json (the default), the output includes:

{
  "decision": "allow",
  "subject": "did:web:alice.example.com",
  "requirements": [
    { "key": "relationship", "value": "employee" },
    { "key": "role", "value": "deploy" }
  ],
  "matched_relationship_id": "rel-alice-eng",
  "last_sequence": 3
}

Examples

Allow decision

ak check \
  --sig ./issuer-root/.well-known/sig.json \
  --subject did:web:alice.example.com \
  --require relationship=employee \
  --require role=deploy

Exit code: 0

{
  "decision": "allow",
  "subject": "did:web:alice.example.com",
  "requirements": [
    { "key": "relationship", "value": "employee" },
    { "key": "role", "value": "deploy" }
  ],
  "matched_relationship_id": "rel-alice-eng",
  "last_sequence": 3
}

Deny decision

ak check \
  --sig ./issuer-root/.well-known/sig.json \
  --subject did:web:bob.example.com \
  --require relationship=employee

Exit code: 1

{
  "decision": "deny",
  "subject": "did:web:bob.example.com",
  "requirements": [
    { "key": "relationship", "value": "employee" }
  ],
  "matched_relationship_id": null,
  "last_sequence": 3
}

Explain mode

The --explain flag adds a trace showing how the decision was reached:

ak check \
  --sig ./issuer-root/.well-known/sig.json \
  --subject did:web:alice.example.com \
  --require relationship=employee \
  --require role=admin \
  --explain

Exit code: 1

{
  "decision": "deny",
  "subject": "did:web:alice.example.com",
  "requirements": [
    { "key": "relationship", "value": "employee" },
    { "key": "role", "value": "admin" }
  ],
  "matched_relationship_id": null,
  "last_sequence": 3,
  "explanation": [
    "Found active relationship rel-alice-eng (type=employee)",
    "Requirement relationship=employee: satisfied by rel-alice-eng",
    "Requirement role=admin: not satisfied, available roles are [engineer, deploy]",
    "Decision: deny (1 of 2 requirements met)"
  ]
}

Text format

ak check \
  --sig ./issuer-root/.well-known/sig.json \
  --subject did:web:alice.example.com \
  --require relationship=employee \
  --format text
ALLOW did:web:alice.example.com (relationship=employee) via rel-alice-eng

Notes

  • All requirements must be satisfied for an allow decision. If any single predicate fails, the result is deny.
  • The check runs a full feed verification before evaluating requirements. If verification fails, the exit code is 2.
  • Use --explain during development and debugging to understand why a decision was reached.
  • The allow alias is provided as a convenience for scripts where the intent reads more naturally (e.g., ak allow --subject ... --require ...).