hasPermission

Check if a JWT user payload contains any of the specified permissions.

Check whether a decoded JWT user payload contains at least one of the specified permissions. Reads user.permissions, which may be a single string or an array of strings. Returns false if the user object is missing or has no permissions claim.

Signature

import { hasPermission } from "@xenterprises/fastify-xauth-jwks/utils";

hasPermission(user: object, permissions: string | string[]): boolean

Params

Name         Type               Required  Description
user         object             Yes       Decoded JWT payload (e.g., request.user). Must have a permissions property.
permissions  string | string[]  Yes       Permission name or array of permission names. Returns true if the user has any of the specified permissions.

Returns

boolean: true if the user has at least one of the specified permissions, false otherwise.

Throws

Does not throw.

Examples

Basic — check a single permission

import { hasPermission } from "@xenterprises/fastify-xauth-jwks/utils";

fastify.delete("/admin/users/:id", async (request, reply) => {
  if (!hasPermission(request.user, "users:delete")) {
    return reply.code(403).send({ error: "Permission denied" });
  }

  await db.users.delete(request.params.id);
  return { deleted: true };
});

Realistic — check write or admin permission

import { hasPermission } from "@xenterprises/fastify-xauth-jwks/utils";

fastify.put("/admin/content/:id", async (request, reply) => {
  if (!hasPermission(request.user, ["content:write", "content:admin"])) {
    return reply.code(403).send({ error: "Write permission required" });
  }

  const updated = await db.content.update(request.params.id, request.body);
  return updated;
});
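
The any-of behaviour described above, modelled as an added example that is not the package's own code. hasPermissionModel, claimToList and hasAllPermissions are hypothetical names, the payloads are constructed, and exact-match handling of a single-string claim is an assumption, since the page does not say how a space-delimited string is treated.

```javascript
// Added model of the documented behaviour; not the package's source code.
// Normalise the permissions claim: string -> [string], array -> strings only.
function claimToList(user) {
  if (!user || typeof user !== "object") return [];
  const claim = user.permissions;
  if (typeof claim === "string") return [claim]; // assumption: exact match only
  if (Array.isArray(claim)) return claim.filter((p) => typeof p === "string");
  return []; // missing or unexpected claim type: no permissions
}

// Any-of check, as documented for hasPermission.
function hasPermissionModel(user, permissions) {
  const required = Array.isArray(permissions) ? permissions : [permissions];
  const granted = new Set(claimToList(user));
  return required.some((p) => granted.has(p));
}

// Hypothetical all-of helper. An empty requirement list is denied explicitly,
// because Array.prototype.every returns true on an empty array.
function hasAllPermissions(user, permissions) {
  const required = Array.isArray(permissions) ? permissions : [permissions];
  if (required.length === 0) return false;
  const granted = new Set(claimToList(user));
  return required.every((p) => granted.has(p));
}

// Constructed sample payloads.
const editor = { sub: "u1", permissions: ["content:write", "content:read"] };
const viewer = { sub: "u2", permissions: "content:read" };
const scoped = { sub: "u3", permissions: "content:read content:write" };

function demo() {
  return {
    editorAny: hasPermissionModel(editor, ["content:write", "content:admin"]),
    editorAll: hasAllPermissions(editor, ["content:write", "content:admin"]),
    viewerSingle: hasPermissionModel(viewer, "content:read"),
    scopedString: hasPermissionModel(scoped, "content:write"),
    missingUser: hasPermissionModel(undefined, "content:read"),
    emptyAll: hasAllPermissions(editor, []),
  };
}

console.log(demo());
```

A route that must require every listed permission cannot rely on an any-of call with an array; the all-of helper shows the stricter check and denies an empty requirement list.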

See Also

  • requirePermission — Prebuilt preHandler hook using hasPermission
  • hasRole — Check broad role claims instead of fine-grained permissions

AI Context

package: "@xenterprises/fastify-xauth-jwks"
import: hasPermission from "@xenterprises/fastify-xauth-jwks/utils"
use-when: Check if a JWT payload contains any of the specified permission values — for conditional logic in handlers
returns: boolean