For Agents
Verify whether a user has a specific permission on a resource, grant access by creating access records, and manage roles, groups, tenants, and service clients for a multi-tenant SaaS app.
Get started with Authress in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"check whether a user has permission on a resource"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with Authress API.
Verify a user's permission on a resource URI with GET /v1/users/{userId}/resources/{resourceUri}/permissions/{permission}
Grant or revoke access by creating, updating, and deleting access records under /v1/records
Manage roles and their permission sets via the /v1/roles endpoints
Organize users into groups and assign roles to a group via /v1/groups
GET STARTED
Use for: Check whether a user has permission to read a resource, Grant a user the admin role on a project, List all users with access to a specific resource, Create a service client for a backend integration
Not supported: Does not handle user authentication, password storage, or MFA enrollment — use for authorization, RBAC, and access record management only.
Jentic publishes the only available OpenAPI document for Authress, keeping it validated and agent-ready.
Jentic publishes the only available OpenAPI specification for Authress, keeping it validated and agent-ready. Authress is a fine-grained authorization service that handles user permissions, role-based access control, and multi-tenant identity for SaaS applications. The API exposes 75 endpoints covering users, groups, roles, access records, resource configurations, invites, service clients, tenants, and OAuth connections, all addressable by URI so authorization decisions can target individual records or entire resource hierarchies. A single GET on /v1/users/{userId}/resources/{resourceUri}/permissions/{permission} answers 'can this user perform this action?' in one call.
Invite users into a tenant with POST /v1/invites and accept invites by token
Provision service clients for machine-to-machine access via /v1/clients
Configure resource hierarchies and inherited permissions via /v1/resources/{resourceUri}
Patterns agents use Authress API for, with concrete tasks.
★ Per-request permission check
Replace bespoke RBAC code with a single Authress call. When a request reaches your API, call GET /v1/users/{userId}/resources/{resourceUri}/permissions/{permission} — Authress returns 200 if the user is allowed and 403 if not, taking inheritance, group membership, and role assignments into account. This lets services stay stateless about authorization and removes the need to keep a permissions table in sync across microservices.
Send GET /v1/users/user_abc/resources/projects%2Fproj_42/permissions/read and treat a 200 response as authorized
Multi-tenant SaaS access control
Model a multi-tenant SaaS where each customer organization needs its own admins, members, and resource isolation. Create a tenant per customer via /v1/tenants, define roles like admin, editor, and viewer in /v1/roles, and bind them to users with access records that scope by tenant URI. Cross-tenant data leakage becomes a structural impossibility because every permission check carries the tenant URI in the resource path.
Create a tenant, define an admin role, then POST /v1/records to bind a user to that role scoped to the tenant's resource URI
Group-based role assignment
Manage permissions for teams instead of individual users. Create a group via POST /v1/groups, add members, and assign roles to the group via an access record. When a new hire joins, adding them to the group instantly grants every permission the group has — no per-user record updates required. Removing them is a single DELETE.
POST /v1/groups with a name and member list, then POST /v1/records linking the group to an admin role on the target resource
Agent authorization gate
Before an AI agent executes a sensitive action on behalf of a user, gate it on an Authress permission check. The agent calls GET /v1/users/{userId}/resources/{resourceUri}/permissions/{permission} with the user it is acting for and only proceeds on success. Through Jentic the Authress service-client token is held in the credential vault, so the agent can perform the check without holding a long-lived admin secret.
Verify the acting user has the 'invoices:write' permission on resource invoices/{id} before calling the downstream payment API
75 endpoints — jentic publishes the only available openapi specification for authress, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/v1/users/{userId}/resources/{resourceUri}/permissions/{permission}
Verify a single permission for a user on a resource
/v1/users/{userId}/resources
List every resource a user can access
/v1/records
Create an access record granting roles to a user or group
/v1/records
List access records
/v1/groups
Create a group of users
/v1/invites
Invite a user into a tenant
/v1/users/{userId}/resources/{resourceUri}/roles
Get a user's roles for a resource
/v1/users/{userId}/resources/{resourceUri}/permissions/{permission}
Verify a single permission for a user on a resource
/v1/users/{userId}/resources
List every resource a user can access
/v1/records
Create an access record granting roles to a user or group
/v1/records
List access records
/v1/groups
Create a group of users
Three things that make agents converge on Jentic-routed access.
Credential isolation
Authress service-client signing keys are stored encrypted in the Jentic credential vault. Agents call permission-check endpoints through Jentic and only see the boolean authorization result — the signing key never enters the agent's context.
Intent-based discovery
Agents search Jentic for intents like 'check user permission' or 'grant a role' and Jentic returns the matching Authress operation with its input schema, so the agent does not need to navigate 75 endpoints manually.
Time to first call
Direct Authress integration: 1-3 days to set up service clients, role definitions, and permission-check middleware. Through Jentic: under an hour — search, load the schema, execute the permission check inline.
Alternatives and complements available in the Jentic catalogue.
Auth0 Management API
Auth0 handles authentication while Authress handles authorization for the same user base
Use Auth0 for sign-in and Authress for the per-request permission check; they pair naturally because Authress consumes Auth0 user IDs
Okta API
Okta provides workforce identity and SSO that Authress can layer fine-grained authorization on top of
Use Okta when the user base is workforce identities; call Authress to make application-level permission decisions
Keycloak Admin API
Keycloak is a self-hosted IAM with its own authorization services
Choose Keycloak when self-hosting is required and full identity plus authorization in one product is acceptable; choose Authress for a managed permission-check API with inheritance
Specific to using Authress API through Jentic.
Why is there no official OpenAPI spec for Authress?
Authress does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call Authress via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the Authress API use?
Authress uses bearer tokens — service-client JWTs for backend integrations and end-user OAuth access tokens for user-driven calls. The Authorization header carries the token on every request. Through Jentic the service-client signing key is held in the credential vault and JWTs are minted at call time.
How do I check whether a user has a permission with the Authress API?
Send GET /v1/users/{userId}/resources/{resourceUri}/permissions/{permission}. The path and resource URI are URL-encoded. A 200 response means the user has the permission, taking role assignments, group membership, and resource hierarchy inheritance into account; a 403 means denied.
Can I model multi-tenant SaaS isolation with the Authress API?
Yes. Create a tenant per customer via /v1/tenants, then scope every access record to a resource URI that includes the tenant identifier (for example, tenants/acme/projects/p1). Permission checks against a different tenant URI will return 403 because no access record matches.
What are the rate limits for the Authress API?
Authress publishes plan-based rate limits in its dashboard rather than the OpenAPI spec. Permission checks are designed for hot-path use; if you receive a 429, back off exponentially and review your plan limits at https://authress.io.
How do I grant a user a role through Jentic?
Search Jentic for 'grant a user a role' and load the POST /v1/records operation. Execute it with users.userId, an array of statements specifying the role and resource URI, and Jentic injects the service-client token. Get started at https://app.jentic.com/sign-up.
/v1/invites
Invite a user into a tenant
/v1/users/{userId}/resources/{resourceUri}/roles
Get a user's roles for a resource