Warden

Identity (TypeID)

How Warden uses prefix-qualified, globally unique identifiers for every entity.

Every entity in Warden has a TypeID. TypeIDs are globally unique, sortable, URL-safe identifiers built on UUIDv7 with a human-readable prefix that tells you what kind of entity you're looking at.

A TypeID looks like this:

role_01h455vb4pex5vsknk084sn02q

The role prefix identifies this as a role. The suffix is a base32-encoded UUIDv7 that encodes creation time, so IDs sort chronologically.

Auto-assigned by default. Every store's Create* method generates a TypeID for you when the input's ID field is nil — see the auto-ID note in Roles & Permissions. The DSL goes further: .warden source never references TypeIDs at all. Roles cite each other by slug (role editor : viewer), permissions by name (grants = ["doc:read"]), namespaces by path (/eng/admin). TypeIDs are an implementation detail you only see when you're calling the store directly or inspecting the database.

The id package

The id package wraps the TypeID Go library (v2) with a single ID struct. All entity types share the same struct -- the prefix distinguishes them.

Creating IDs

import "github.com/xraph/warden/id"

roleID       := id.New(id.PrefixRole)         // role_01h455vb...
permissionID := id.New(id.PrefixPermission)   // perm_01h455vb...
assignmentID := id.New(id.PrefixAssignment)   // asgn_01h455vb...
policyID     := id.New(id.PrefixPolicy)       // wpol_01h455vb...

Convenience constructors: id.NewRoleID(), id.NewPermissionID(), id.NewAssignmentID(), id.NewPolicyID(), id.NewRelationID(), id.NewCheckLogID(), id.NewResourceTypeID(), id.NewConditionID().

Parsing IDs

parsed, err := id.Parse("role_01h455vb4pex5vsknk084sn02q")
parsed, err := id.ParseWithPrefix("role_01h455vb...", id.PrefixRole)  // validates prefix
parsed, err := id.ParseRoleID("role_01h455vb...")                     // convenience

Nil ID

var empty id.ID
empty.IsNil()  // true
empty.String() // ""
id.Nil.IsNil() // true

Database storage

id.ID implements Scanner and driver.Valuer. Stores as a string, returns NULL for nil IDs.

JSON serialization

id.ID implements TextMarshaler and TextUnmarshaler. Nil IDs serialize as empty strings.

Prefix reference

ConstantPrefixEntity
id.PrefixRoleroleRole
id.PrefixPermissionpermPermission
id.PrefixAssignmentasgnAssignment
id.PrefixPolicywpolPolicy
id.PrefixRelationrelRelation
id.PrefixCheckLogchklogCheck log
id.PrefixResourceTypertypeResource type
id.PrefixConditioncondCondition

Authorization Models

Understanding RBAC, ABAC, ReBAC, and PBAC and when to use each.

Decision Model

How Warden merges decisions from RBAC, ABAC, ReBAC, and PBAC evaluators.

On this page

The id packageCreating IDsParsing IDsNil IDDatabase storageJSON serializationPrefix reference