10Duke Entitlements Authorization API

Table of Contents


The 10Duke Entitlements employs two main endpoints to serve client requests. These are:

  • /authz/ - an endpoint for requesting authorization decisions
  • /graph/ - an endpoint for requesting data access and business logical operations other than authorization decisions. Please see the 10Duke Entitlements Graph API reference.

This API reference is concerned with the /authz endpoint.


The '/authz/' service is used for all authorization cases. In order to receive authorization decisions, the client application does not need to know whether decisions will be based on Role-based Authorization or Licensing. Authorization decisions are always returned in a uniform manner independent of the authorization engine, and all supported response formats are applicable to all authorization requests. However, depending on the engine actually used for responding to an authorization request, additional metadata contained by the response may vary. For instance, the Licensing Engine may include license expiration date in the response, but the Role-based Authorization Engine cannot do this because there is no concept of expiration in role-based authorization.

The syntax for calling /authz/ by URL pattern is:



  • <> denotes a variable
  • [] denotes optional parts of the URL name
  • _x denotes a permission or licensed item name to check actions
  • _x denotes a permission action list

Response types

Plain text

Plain text responses contain a "&" separated list of true of false values mapping to the list of permission name parameters provided in the original request.


The JSON Web Token response payload contains 3 parts, which are separated by a "." character. Each part is Base64 encoded. JWT supports signed and secure authorization tokens to be stored and handled in client applications.

The first part is a header, which e.g. contains signature and cryptography method algorithm used, e.g.: {"alg":"RS256"}

The second part contains the token payload, e.g.:


The third part contains signature produced of header and payload


The JSON response is a license grant entity serialized as a JSON object.

    "exp": 1410266853,
    "AppFeature-XYZ": true,
    "iss": "52e24d8a-dfe6-4b6a-80ad-cddf798c0210",
    "jti": "269c9f73-229c-4895-bfc2-1827d20bc8d5",
    "iat": 1410180453,
    "ibe": 1411478986,
    "rfr": 1410181053


Request example

Example where the scenario to check if a permission to read Profile entities and delete Person entities is granted to the caller:


Response example

Content-Type:text/plain; charset=utf-8

Response body:

Request example

The same example, with Json web token response:


Response example

Content-Type:application/jwt; charset=utf-8

Response body:

General parameters

Predefined parameters for API calls (other parameter names denote licensed items or permission names):

Parameters name Valid values / description
consumptionMode cache or checkOut

This parameter is optional, defaults to cache
consumeDuration license consumption (check-out / reservation) duration in milliseconds.

This parameter is optional.

The underlying implementation may choose to grant different duration depending on model.
doConsume Parameter for consume / don't consume licenses when checking.

This parameter is optional, default to false and is not needed when using default consume mode or definind consumptionMode explicitly
release true or false to release consumed license

Use of this parameter also requires use of parameter AssignmentConsumptionId
AssignmentConsumptionId Identifier of the license assignment to release

License and permission checks

Hardware / device locked licenses


  • Ties check / consume to user and hardware
  • Is applicable if using concurrent consumption constraint

Please note the hw=HW_ID parameter in addition to the licensed item name. Variants with different response types:





General license checks, not locked to specific device(s)


  • Ties check / consume to user only
  • Is not applicable if using concurrent consumption constraint
GET /authz/?LICENSED_ITEM_NAME&hw=hw-id-here

Please note the hw=hw-id-here parameter in addition to the licensed item name. Variants with different response types:


GET /authz/.json?LICENSED_ITEM_NAME&hw=hw-id-here


GET /authz/.jwt?LICENSED_ITEM_NAME&hw=hw-id-here

License Checks with client defined duration


  • Ties check / consume to user only
GET /authz/?LICENSED_ITEM_NAME&hw=hw-id-here&consumeDuration=3600000

Please note the consumeDuration=... parameter in addition to the licensed item name. Variants with different response types follow the same pattern as explained earlier

Checks with specified entitlement ID

License checks can be restricted to scope of an entitlement. Id of the entitlement can be specified in the path part of the /authz/ URL:


Here, ENTITLEMENT_ID is the UUID that uniquely identifies the entitlement targeted by the license check.

Permission checks


Predefined permission actions:

  • create
  • read
  • update
  • delete
  • query
  • impersonate