Authorization Resources endpoints for Internal ID

[swaroopAkkineniWorkos]

linear: https://linear.app/workos/issue/ENT-4372/sdk-updates

I decided to break up the work for ENT-4372 into a smaller pr's that we can be easily reviewed and merge them into ENT-4372-base-authorization-branch. Then we can have one final merge that merges ENT-4372-base-authorization-branch into the main.

desc: the goal of this pr is to implement the following endpoints in the node sdk.

getResource()    ~ GET /authorization/resources/{resource_id}
createResource() ~ POST /authorization/resources
updateResource() ~ PATCH /authorization/resources/{resource_id}
deleteResource() ~ DELETE /authorization/resources/{resource_id}

Each one should call their corresponding new fga endpoint

getResource() ~ https://github.com/workos/workos/blob/85a2309cabfd6c11dd0fc4f39fed3abc9c45c0bc/packages/api/src/authorization-resources/authorization-resources.controller.ts#L179
createResource() ~ https://github.com/workos/workos/blob/85a2309cabfd6c11dd0fc4f39fed3abc9c45c0bc/packages/api/src/authorization-resources/authorization-resources.controller.ts#L219
updateResource() ~ https://github.com/workos/workos/blob/85a2309cabfd6c11dd0fc4f39fed3abc9c45c0bc/packages/api/src/authorization-resources/authorization-resources.controller.ts#L301
deleteResource() ~ https://github.com/workos/workos/blob/85a2309cabfd6c11dd0fc4f39fed3abc9c45c0bc/packages/api/src/authorization-resources/authorization-resources.controller.ts#L330

[linear]

ENT-4372 SDK Updates

[swaroopAkkineniWorkos]

@greptile plz review this pr

[swaroopAkkineniWorkos]

@claude plz review this pr

[greptile-apps]

_{9 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

src/fga/serializers/authorization-resource.serializer.ts
Undefined optional fields

This serializer also always includes description / parent_resource_id even when the options don’t set them, which can result in sending undefined values to the API. Suggest omitting optional keys unless explicitly provided (same pattern as in the Authorization serializers).

export const serializeCreateAuthorizationResourceOptions = (
  options: CreateAuthorizationResourceOptions,
): SerializedCreateAuthorizationResourceOptions => ({
  organization_id: options.organizationId,
  resource_type_slug: options.resourceTypeSlug,
  external_id: options.externalId,
  name: options.name,
  ...(options.description !== undefined && { description: options.description }),
  ...(options.parentResourceId !== undefined && {
    parent_resource_id: options.parentResourceId,
  }),
});

[swaroopAkkineniWorkos]

@greptile plz re-review this pr

[swaroopAkkineniWorkos]

@greptile plz re-review this pr

[greptile-apps]

Greptile Overview

Greptile Summary

This PR adds Authorization Resources support to the Node SDK by introducing new resource interfaces, serializers/deserializers, a fixture, and unit tests. The Authorization client gains getResource, createResource, updateResource, and deleteResource, with request bodies serialized to omit optional fields when not provided and to preserve explicit null for clearing fields.

The new code fits into the existing src/authorization module structure (interfaces + serializers + client methods), mirroring patterns used for roles and permissions. Unit tests assert endpoint paths and request body shapes for omitted vs null fields.

One functional mismatch remains: the new methods currently call /authorization/resources... endpoints, but the PR description states these should call the corresponding FGA endpoints instead.

Confidence Score: 3/5

• This PR is not safe to merge as-is due to a clear endpoint mismatch with the stated intent.
• Most changes are straightforward (types/serializers/tests) and follow existing patterns, but the core client methods are wired to /authorization/resources rather than the FGA endpoints the PR is meant to target for Internal ID support, which is likely to cause runtime failures or incorrect behavior.
• src/authorization/authorization.ts

Important Files Changed

Filename	Overview
src/authorization/authorization.spec.ts	Adds unit tests covering get/create/update/delete authorization resources, including omitted vs null optional fields.
src/authorization/authorization.ts	Adds get/create/update/delete Resource methods, but currently targets /authorization/resources endpoints despite PR intent to call FGA endpoints.
src/authorization/fixtures/authorization-resource.json	Adds fixture JSON for authorization_resource API response used by new tests.
src/authorization/interfaces/authorization-resource.interface.ts	Introduces interfaces for AuthorizationResource plus create/update option and serialized shapes (supports optional vs null fields).
src/authorization/interfaces/index.ts	Exports new authorization-resource interfaces from the authorization interfaces barrel.
src/authorization/serializers/authorization-resource.serializer.ts	Adds deserializer mapping snake_case API response to camelCase AuthorizationResource.
src/authorization/serializers/create-authorization-resource-options.serializer.ts	Adds serializer for createResource that omits optional keys unless explicitly provided (undefined vs null preserved).
src/authorization/serializers/index.ts	Exports new authorization-resource serializers from the authorization serializers barrel.
src/authorization/serializers/update-authorization-resource-options.serializer.ts	Adds serializer for updateResource that omits undefined keys while allowing explicit null to clear fields.

Sequence Diagram

sequenceDiagram
  participant U as SDK Consumer
  participant A as Authorization client
  participant W as WorkOS HTTP client
  participant API as WorkOS API

  U->>A: getResource(resourceId)
  A->>W: GET /authorization/resources/{resourceId}
  W->>API: HTTP GET
  API-->>W: AuthorizationResourceResponse
  W-->>A: data
  A-->>U: AuthorizationResource (deserialized)

  U->>A: createResource(options)
  A->>A: serializeCreateResourceOptions(options)
  A->>W: POST /authorization/resources (body)
  W->>API: HTTP POST
  API-->>W: AuthorizationResourceResponse (201)
  W-->>A: data
  A-->>U: AuthorizationResource (deserialized)

  U->>A: updateResource({resourceId, ...})
  A->>A: serializeUpdateResourceOptions(options)
  A->>W: PATCH /authorization/resources/{resourceId} (body)
  W->>API: HTTP PATCH
  API-->>W: AuthorizationResourceResponse
  W-->>A: data
  A-->>U: AuthorizationResource (deserialized)

  U->>A: deleteResource(resourceId)
  A->>W: DELETE /authorization/resources/{resourceId}
  W->>API: HTTP DELETE
  API-->>W: 204 No Content
  W-->>A: void
  A-->>U: void

Loading

[greptile-apps]

_{9 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Doesn’t call FGA endpoints

PR description says these Authorization Resources methods should call the corresponding FGA endpoints, but Authorization.getResource/createResource/updateResource/deleteResource are wired to /authorization/resources... instead of /fga/v1/resources.... As-is, this will hit a different API surface than intended and will break in environments where only the FGA endpoints exist/are supported for Internal IDs.

[swaroopAkkineniWorkos]

sorry, this is my fault. The new endpoints are part of the new fga flow

[atainter]

Looks good, but we might want to support those two extra options for the parent resources external_id + type slug

[atainter]

We're also going to support parentResourceExternalId + parentResourceTypeSlug. I haven't added support for them yet, but it's an action item from our bug bash

[swaroopAkkineniWorkos]

updated!, mind doublechecking when you get a chance @atainter. Gonna merge this into my base branchbut if anything is wrong, I can always update the base branch

[atainter]

the prefix will be authz_resource_ after we merge https://github.com/workos/workos/pull/52102

[swaroopAkkineniWorkos]

updated in prep for it