Bedrock Authorization Platform

The authorization engine for the AI era. Govern users, services, and AI agents with hierarchical scopes, resource policies, and conditional permissions.

Quickstart

Get started in 5 minutes

Core Concepts

Understand the fundamentals

Why Bedrock?

Bedrock solves authorization problems traditional RBAC cannot:

Hierarchical Scopes

Org → Workspace → Project → Environment with full inheritance

Resource Policies

Fine-grained allow/deny on specific resources or collections

Conditional Permissions

JSON Logic expressions for dynamic, context-aware access

AI Agent Governance

Same authorization model for users, services, and AI agents

Multi-tenant Isolation

Complete tenant separation with scope hierarchies

Tag-based Access

Dynamic permissions based on resource and subject tags

How It Works

┌─────────────────────────────────────────────────────────────────┐
│                     EVALUATION ORDER                            │
├─────────────────────────────────────────────────────────────────┤
│  1. Resource Policies    →  Explicit allow/deny on resources    │
│  2. Resource Hierarchy   →  Inherit from parent resources       │
│  3. Role-Based Perms     →  Subject → Scope → Role → Permission │
└─────────────────────────────────────────────────────────────────┘

Learn about Evaluation

Understand how Bedrock decides if an action is allowed

Core Concepts

Concept	Description	Learn More
Scope	Hierarchical node (org, workspace, project)	Scopes →
Subject	Actor: user, service, agent, api_key	Subjects →
Role	Bundle of permissions assigned to subjects	Roles →
Permission	Action + resource type + pattern	Permissions →
Resource	Protected object with type and owner	Resources →
Collection	Dynamic resource group via match rules	Collections →
Policy	Allow/deny rule on resource or collection	Policies →
Tag	Metadata for conditional access	Tags →

Quick Example

import { BedrockEngine } from '@bedrock/core';

// 1. Create engine with your storage
const bedrock = new BedrockEngine(storage);

// 2. Set up your authorization structure
await bedrock.createScope({ id: 'scope_acme', name: 'Acme Corp' });
await bedrock.createRole({ id: 'role_editor', scopeId: 'scope_acme', name: 'Editor' });
await bedrock.createPermission({ 
  scopeId: 'scope_acme', 
  action: 'write', 
  resourceType: 'document',
  resourcePattern: '*'
});

// 3. Assign role to subject
await bedrock.createMembership({ subjectId: 'user_jane', scopeId: 'scope_acme' });
await bedrock.createRoleAssignment({ membershipId: 'membership_1', roleId: 'role_editor' });

// 4. Evaluate permissions
const decision = await bedrock.evaluate({
  actor: { subjectId: 'user_jane', subjectType: 'user' },
  scopeId: 'scope_acme',
  action: 'write',
  resource: { resourceType: 'document', resourcePattern: '*' }
});

console.log(decision.allowed); // true

Full Quickstart Guide

Complete setup with all features

Use Cases

User Governance

Traditional RBAC for users across your organization hierarchy

Agent Governance

Control what AI agents can access and do within your systems

Multi-tenant Apps

Isolate permissions across tenants with hierarchical scopes

SaaS Platforms

Model complex SaaS authorization with workspaces and projects

AI Agent Governance

As organizations deploy AI agents (LLM-powered assistants, autonomous workflows, MCP servers), they face new challenges:

Challenge	Bedrock Solution
What can this agent access?	Scoped permissions via roles
Can I trust this agent here?	Scope-level overrides
How do I audit agent actions?	Unified subject model
How do I revoke agent access?	Same as revoking user access

Bedrock treats agents as first-class subjects:

// Register an AI agent
await bedrock.createSubject({ 
  id: 'agent_assistant',
  type: 'agent',
  externalId: 'openai-assistant-123'
});

// Add to scope with restricted role
await bedrock.createMembership({ 
  subjectId: 'agent_assistant', 
  scopeId: 'scope_production' 
});
await bedrock.createRoleAssignment({ 
  membershipId: 'membership_agent',
  roleId: 'role_readonly'  // Agents get read-only in production
});

Agent Governance Guide

Complete guide to managing AI agent permissions

API Reference

REST API

Complete API documentation for all endpoints

TypeScript SDK

Native TypeScript/JavaScript integration

Getting Started

Core Concepts

Resources

Tags

Delegation

Use Cases

Modeling Guides

Bedrock Authorization Platform

Quickstart

Core Concepts

Why Bedrock?

Hierarchical Scopes

Resource Policies

Conditional Permissions

AI Agent Governance

Multi-tenant Isolation

Tag-based Access

How It Works

Learn about Evaluation

Core Concepts

Quick Example

Full Quickstart Guide

Use Cases

User Governance

Agent Governance

Multi-tenant Apps

SaaS Platforms

AI Agent Governance

Agent Governance Guide

API Reference

REST API

TypeScript SDK

Getting Started

Core Concepts

Resources

Tags

Delegation

Use Cases

Modeling Guides

Quickstart

Core Concepts

​Why Bedrock?

Hierarchical Scopes

Resource Policies

Conditional Permissions

AI Agent Governance

Multi-tenant Isolation

Tag-based Access

​How It Works

Learn about Evaluation

​Core Concepts

​Quick Example

Full Quickstart Guide

​Use Cases

User Governance

Agent Governance

Multi-tenant Apps

SaaS Platforms

​AI Agent Governance

Agent Governance Guide

​API Reference

REST API

TypeScript SDK

Why Bedrock?

How It Works

Core Concepts

Quick Example

Use Cases

AI Agent Governance

API Reference