Case study
From JWT Roles to Workspace-Scoped Authorization
Replaced flat JWT role checks with Fine-Grained Authorization to support per-workspace permissions across cloud portal and product services.
- OpenFGA
- TypeScript
- Node.js
- Auth0
- React
- REST APIs
- JWT
Context
Authorization logic was duplicated across services and route handlers, with inconsistent workspace checks.
Large tenants needed users to have different permission levels by workspace, not one global role.
Migration had to be incremental across multiple teams and codebases.
Approach
- Defined a shared permission model and mapped legacy role checks to explicit authorization actions.
- Introduced common middleware and helper APIs to avoid direct OpenFGA coupling in app code.
- Used shadow-mode parity checks during rollout, logging mismatches before switching authority.
Outcomes
- Enabled workspace-scoped authorization for enterprise tenants at scale.
- Improved auditability with queryable, explicit relationship data.
- Completed cross-team migration without a high-risk, all-at-once cutover.