Authorize a deployment request

Callback used by the messaging container — and by any agent that handles its own HTTP requests (e.g. a frontend agent) — to check whether an inbound request should be allowed against this deployment's grants. Authentication is the per-deployment JWT injected as `ASTRO_AUTHZ_TOKEN`. The token's `sub` claim identifies the deployment; no other deployment ID is passed in the request. Returns `200` with the decision on every authoritative answer. Identity fields are only populated when `allowed: true` — denials don't leak mapping state.

Authentication

Authorization: Bearer

Per-deployment JWT signed by astro-server (HS256). Injected into the agent and messaging containers as the ASTRO_AUTHZ_TOKEN environment variable. The sub claim identifies the deployment.

Query parameters

identity_type (enum, optional)

user for a signed-in user, slack for a Slack user, or empty for anonymous (only valid when an anyone grant exists for the adapter).

Allowed values:
identity_id (string, optional)

The user id corresponding to identity_type — the platform user id for user, the Slack user id for slack. Must be supplied together with identity_type; providing one without the other returns 400.

identity_scope (string, optional)

Adapter-specific disambiguator for identity_id. For slack, this is the workspace team_id (Slack user ids are only unique within a team). Omit for web.

adapter (enum, required)
The adapter handling the request.
Allowed values:

Response

Authorization decision
allowed (boolean)
Whether the request is allowed.
user_id (string)

Resolved platform user id. Echoed back for identity_type=user; looked up via Slack identity mappings for identity_type=slack (empty when no mapping exists). Only present when allowed: true.

slack_user_id (string)

The Slack user id from the request, echoed back so callers can attribute unlinked Slack users to a namespaced trace id. Only present when allowed: true and identity_type=slack.

slack_team_id (string)

The Slack workspace id (team_id) from the request, echoed back. Only present when allowed: true and identity_type=slack.

Errors

400 Bad Request Error
401 Unauthorized Error
500 Internal Server Error
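
A fail-closed caller for this callback, added here as an example and not part of the original reference: it enforces the identity_type/identity_id pairing before sending and treats anything other than a `200` with `allowed: true` as a denial. The endpoint URL (supplied by the caller), the GET method and the JSON response body are assumptions, since the page shows none of them; `build_query`, `interpret` and `authorize` are hypothetical names.

```python
import json
import os
import urllib.parse
import urllib.request

def build_query(adapter, identity_type="", identity_id="", identity_scope=""):
    """Build the query string, enforcing the pairing rule the server answers with 400."""
    if not adapter:
        raise ValueError("adapter is required")
    if bool(identity_type) != bool(identity_id):
        raise ValueError("identity_type and identity_id must be supplied together")
    params = {"adapter": adapter}
    if identity_type:
        params["identity_type"] = identity_type
        params["identity_id"] = identity_id
    if identity_scope:  # e.g. the Slack team_id; omitted for web
        params["identity_scope"] = identity_scope
    return urllib.parse.urlencode(params)

def interpret(status, body):
    """Fail closed: only a 200 whose JSON (assumed format) has allowed == true grants access."""
    denied = {"allowed": False}
    if status != 200:
        return denied
    try:
        data = json.loads(body)
    except ValueError:  # malformed JSON or undecodable bytes
        return denied
    if not isinstance(data, dict) or data.get("allowed") is not True:
        return denied  # never trust identity fields that arrive with a denial
    keep = ("user_id", "slack_user_id", "slack_team_id")
    return {"allowed": True, **{k: data[k] for k in keep if data.get(k)}}

def authorize(endpoint_url, adapter, **identity):
    """endpoint_url is a placeholder: the page does not give the route (GET assumed)."""
    req = urllib.request.Request(
        endpoint_url + "?" + build_query(adapter, **identity),
        headers={"Authorization": "Bearer " + os.environ["ASTRO_AUTHZ_TOKEN"]},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return interpret(resp.status, resp.read())
    except OSError:  # HTTPError (400/401/500), connection failure, timeout
        return {"allowed": False}
```

Because an empty `user_id` is dropped, a caller can distinguish an allowed but unlinked Slack user (no `user_id` key) from a mapped one.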