Skip to main content

Authorization (Authz)

The authorization (authz) system is a fundamental concept in the IXO ecosystem, built on top of the Cosmos SDK’s authz module. This guide explains the core concepts and implementation details that developers need to understand when working with authorization.

Core Concepts

Basic Structure

Authorization in IXO follows the Cosmos SDK’s authz module implementation (ADR 30), which enables one account (granter) to grant specific privileges to another account (grantee). Each authorization is stored on-chain with three key components: 
{
  "granter": "address",
  "grantee": "address",
  "msg_type_url": "message_type"
}
This structure means there can only be one authorization for a specific message type between any two accounts. If a new authorization is granted for the same message type between the same accounts, it will override the previous one.

Authorization Interface

Authorizations are implemented using the Authorization interface, which allows for customization of grant parameters and limits. The most basic implementation is GenericAuthorization, which provides unlimited rights to execute a specific message type.

Built-in Authorization Types

The Cosmos SDK provides three built-in authorization implementations:

GenericAuthorization

Provides unlimited rights to execute a specific message type without any restrictions.

SendAuthorization

Allows sending tokens with specific limits (amount restrictions) for the /cosmos.bank.v1beta1.MsgSend message type.

StakeAuthorization

Provides authorization for staking-related operations with specific parameters.

IXO Custom Authorizations

IXO implements several custom authorization types for specific message types:
  • Message type: /ixo.claims.v1beta1.MsgSubmitClaim
  • Description: Authorization for submitting claims
  • Message type: /ixo.claims.v1beta1.MsgEvaluateClaim
  • Description: Authorization for evaluating claims
  • Message type: /ixo.claims.v1beta1.MsgWithdrawPayment
  • Description: Authorization for withdrawing payments
  • Message type: /ixo.claims.v1beta1.MsgCreateClaimAuthorization
  • Description: Authorization for creating claims

Constraints and Lists

Custom authorizations in IXO use lists for constraints because there can only be one grant between accounts for a specific message type. For example, if an admin (granter) wants to grant a user (grantee) the right to submit claims for multiple collections, they must include all constraints in a single authorization.

Important Considerations

  1. Authorization Override: When granting a new authorization for the same message type between the same accounts, it will override any existing authorization, including its constraints.
  2. Query Requirements: When querying authorizations, you need the actual message type (e.g., /ixo.claims.v1beta1.MsgSubmitClaim), not the authorization type.
  3. Revocation: To revoke an authorization, you need to specify the correct message type URL, not the authorization type.