Policy rules · 12 recipes
Policy rules
JSON rule trees for the authorization patterns we keep getting asked for.
Age-over-18 gate
A single derived-claim equality — the simplest possible Policy Engine rule. Use it for any flow that needs proof of majority without ever seeing the birth date.
- age-gate
- derived-claim
- gdpr
Age-over-21 gate
Same shape as age-over-18, with the threshold raised. Use it for jurisdictions or product categories where 21 is the legal floor (US alcohol, some financial-services flows).
- age-gate
- derived-claim
- gdpr
Composite — admin OR (manager AND finance)
A nested rule combining `any`, `all`, and equality leaves. Demonstrates arbitrary nesting and short-circuit evaluation.
- gate
- role-based
- composite
Consent-required gate
ALLOW only if the credential proves age AND the user has explicitly consented in the current session. Combines a credential claim with a non-credential session fact.
- gate
- consent
- gdpr
MFA required for privileged actions
ALLOW only if MFA was completed in the current session AND the OIDC `acr` value indicates a sufficient assurance level. Use it as a step-up gate before any high-risk action.
- gate
- step-up
- mfa
Multi-credential issuer requirement
ALLOW only if both a Diploma and a Tax ID credential are present, each from an authorised issuer. Use it for high-stakes onboarding (employer, regulated finance) where one credential isn't enough.
- multi-credential
- gate
- onboarding
Regional gate — EU only
ALLOW only if `country_code` is one of the 27 EU member states. Use it for services that must enforce EU residency at the protocol level.
- regional
- gate
- gdpr
Regional gate — explicit allow-list
ALLOW only if `country_code` is in your customer-defined allow-list. The flexible variant of `regional-eu-only` — same shape, you control the list.
- regional
- gate
Revocation — active and fresh
ALLOW only if the credential is active AND its `valid_until` is in the future. Defends against credentials that aren't revoked yet but are stale.
- revocation
- gate
- freshness
Role gate — admin only
A single equality on the `role` claim. Allow only credentials whose role is `admin`. The simplest role-based access control you can do.
- gate
- role-based
Role gate — admin or manager
ALLOW if `role` is in the configured list. Combines `any` over multiple equality leaves — short-circuits on the first match.
- gate
- role-based
Time gate — business hours only
ALLOW only on weekdays between 09:00 and 18:00 local time. Use it for back-office systems that should be unreachable outside business hours.
- time-based
- gate