---
descriptions:
  check_authorization:
    organization_membership_id: The ID of the organization membership to check.
    permission_slug: The slug of the permission to check.
    resource_id: >-
      The ID of the resource to check. Use either this or resource_external_id +
      resource_type_slug.
    resource_external_id: The external ID of the resource. Requires resource_type_slug.
    resource_type_slug: The resource type slug. Required with resource_external_id.
    authorized: Whether the organization membership has the permission on the resource.
reference:
  curl:
    - key: check_authorization
      id: check_authorization
      url: /reference/fga/access-check/check
      title: >-
        /authorization/organization_memberships/:organization_membership_id/check
      type: POST
      parameters:
        - key: organization_membership_id
          type: string
          description: (check_authorization.organization_membership_id)
        - key: permission_slug
          type: string
          description: (check_authorization.permission_slug)
        - key: resource_id
          type: string
          optional: true
          description: (check_authorization.resource_id)
        - key: resource_external_id
          type: string
          optional: true
          description: (check_authorization.resource_external_id)
        - key: resource_type_slug
          type: string
          optional: true
          description: (check_authorization.resource_type_slug)
      returns:
        - key: authorization_check
          type: object
          properties:
            - key: authorized
              type: boolean
              description: (check_authorization.authorized)
  js:
    - key: check
      id: check_authorization
      url: /reference/fga/access-check/check
      title: authorization.check()
      parameters:
        - key: options
          type: object
          unwrap: true
          properties:
            - key: organizationMembershipId
              type: string
              description: (check_authorization.organization_membership_id)
            - key: permissionSlug
              type: string
              description: (check_authorization.permission_slug)
            - key: resourceId
              type: string
              optional: true
              description: (check_authorization.resource_id)
            - key: resourceExternalId
              type: string
              optional: true
              description: (check_authorization.resource_external_id)
            - key: resourceTypeSlug
              type: string
              optional: true
              description: (check_authorization.resource_type_slug)
      returns:
        - key: AuthorizationCheckResult
          type: object
          properties:
            - key: authorized
              type: boolean
              description: (check_authorization.authorized)
originalPath: .tmp-workos-clone/packages/docs/content/reference/fga/access-check/check.mdx
---

## Check authorization

Check if an organization membership has a specific permission on a resource. This endpoint considers all sources of access:

- Direct role assignments on the resource
- Inherited permissions from parent resources
- Organization-level roles

You must provide either `resource_id` or both `resource_external_id` and `resource_type_slug` to identify the resource.

<Callout type="info">
  For org-wide permissions, you can check the JWT directly without making an API
  call. Use this endpoint for resource-specific permission checks.
</Callout>

<CodeBlock referenceId="check_authorization">
  <CodeBlockTab title="Request" file="check-authorization-request" />
  <CodeBlockTab title="Response" file="check-authorization-response" />
</CodeBlock>