Interface: RoleBasedAuthzOptions
Defined in: server/security/stages.ts:145
Properties
getRoles()?
optional getRoles: (ctx, op) => string[] | undefined
Defined in: server/security/stages.ts:169
Function that returns the user's roles for a request. Default: ctx.user?.roles ?? []. Override for multi-tenant or scope-based models.
Parameters
ctx
op
Returns
string[] | undefined
rules
rules: Record<string, string[]>
Defined in: server/security/stages.ts:163
Rules map. Keys are operation patterns. Values are the roles that pass.
Pattern syntax:
- "tool_call:toolName" → exact tool call match
- "tool_call:*" → any tool call
- "resource_read:*" → any resource read
- "resource_read:uri_prefix" → resource read whose name starts with prefix
- "prompt_get:*" → any prompt
- "session_create" → session creation
- "*" → catch-all (applied if no specific rule matches)
Rules are evaluated from most specific to least specific, and the first matching rule wins. If no rule matches, the request is denied (DENY).
An empty roles array ([]) for a pattern means "any authenticated user passes".
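The sketch below is an added example, not code from @agentick/mcp: a standalone evaluator that models the matching rules documented above, showing that a specific rule shadows the catch-all and that [] admits any authenticated caller. The Op and Caller shapes, the ordering between prefix and wildcard rules, and the tool names and URIs in the sample policy are assumptions.

```typescript
// Added illustration of the documented semantics; not the @agentick/mcp source.
type Rules = Record<string, string[]>;
type Op = { kind: string; name?: string };                 // assumed shape
type Caller = { authenticated: boolean; roles: string[] }; // assumed shape

// Rule keys that can match `op`, most specific first (the ordering is an assumption).
function candidateKeys(rules: Rules, op: Op): string[] {
  const { kind, name } = op;
  if (name === undefined) return [kind, "*"];              // e.g. "session_create"
  const keys = [`${kind}:${name}`];                        // exact match
  if (kind === "resource_read") {
    const head = "resource_read:";
    const prefixes = Object.keys(rules)
      .filter((k) => k.startsWith(head))
      .map((k) => k.slice(head.length))
      .filter((p) => p !== "" && p !== "*" && p !== name && name.startsWith(p))
      .sort((a, b) => b.length - a.length);                // longest prefix first
    for (const p of prefixes) keys.push(head + p);
  }
  keys.push(`${kind}:*`, "*");                             // kind wildcard, then catch-all
  return keys;
}

function isAllowed(rules: Rules, op: Op, caller: Caller): boolean {
  if (!caller.authenticated) return false;                 // assumption: authn is checked first
  for (const key of candidateKeys(rules, op)) {
    // Own-property lookup so an operation named "constructor" cannot hit the prototype.
    const allowed = Object.prototype.hasOwnProperty.call(rules, key) ? rules[key] : undefined;
    if (allowed === undefined) continue;
    // First matching rule wins: there is no fall-through to a broader rule.
    return allowed.length === 0 || allowed.some((r) => caller.roles.includes(r));
  }
  return false;                                            // no matching rule: deny
}

// Constructed sample policy; tool names and URIs are made up for the example.
const policy: Rules = {
  "tool_call:delete_record": ["ops"],
  "tool_call:*": ["ops", "developer"],
  "resource_read:file:///public/": [],
  "resource_read:*": ["developer"],
  "session_create": [],
  "*": ["admin"],
};
```

With this policy an admin is denied tool_call:delete_record even though "*" lists admin, because the exact rule matches first and does not include that role.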