Server mode
HTTP wrapper around an in-process AccessEngine. Use it when other runtimes (Python, Go, edge workers) need authorization without embedding the TypeScript library — they POST a subject and action, get back a Decision.
For Express, Fastify, Hono, or NestJS apps written in TypeScript, use framework middleware and call the engine directly instead.
Create the server
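```typescript
import { createAuthServer } from "@siremzam/sentinel/server";

// `engine` is an existing AccessEngine instance.
const server = createAuthServer({
  engine,
  port: 3100,
  // Require a configured key: a bare === would pass when both sides are undefined.
  authenticate: (req) =>
    Boolean(process.env.AUTH_SERVER_KEY) &&
    req.headers["x-api-key"] === process.env.AUTH_SERVER_KEY,
  maxBodyBytes: 1024 * 1024, // 1 MiB
});

await server.start();
```

Always set authenticate in production. Without it, any client on the network can query permissions.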
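A hardened form of the authenticate callback, as an added example that is not part of the library or its documentation. It fails closed when no key is configured, since a bare `===` against an unset AUTH_SERVER_KEY is true when the header is also missing, and it compares in constant time. `makeApiKeyAuthenticator` and `HeaderRequest` are hypothetical names, and a Node-style request with a `headers` object is assumed.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Assumed request shape: Node-style headers, as in req.headers["x-api-key"].
type HeaderRequest = { headers: Record<string, string | string[] | undefined> };

// Hashing first gives timingSafeEqual the equal-length buffers it requires.
const sha256 = (value: string): Buffer =>
  createHash("sha256").update(value, "utf8").digest();

// Hypothetical helper, not part of @siremzam/sentinel.
function makeApiKeyAuthenticator(
  expectedKey: string | undefined,
): (req: HeaderRequest) => boolean {
  // Fail closed: an unset or empty key must never match a missing header.
  if (!expectedKey) {
    return () => false;
  }
  const expected = sha256(expectedKey);
  return (req) => {
    const presented = req.headers["x-api-key"];
    // Reject a missing, empty or non-string header value.
    if (typeof presented !== "string" || presented.length === 0) {
      return false;
    }
    // Constant-time comparison of the two digests.
    return timingSafeEqual(sha256(presented), expected);
  };
}

// Constructed sample key; in the server config this would be
// authenticate: makeApiKeyAuthenticator(process.env.AUTH_SERVER_KEY)
const authenticate = makeApiKeyAuthenticator("constructed-example-key");
const unconfigured = makeApiKeyAuthenticator(undefined);
```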
Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /health | GET | Status, rules count, uptime |
| /rules | GET | Loaded rules (serialization-safe) |
| /evaluate | POST | Evaluate authorization request |
POST /evaluate body
```json
{
  "subject": { "id": "u1", "roles": [{ "role": "admin", "tenantId": "acme" }] },
  "action": "invoice:approve",
  "resource": "invoice",
  "resourceContext": {},
  "tenantId": "acme"
}
```

Related
- Server reference
- Security model
- Middleware guides — in-process alternative