I'm sorry, but the knowledge sources do not contain a Go SDK code example that demonstrates how to use the Expand API specifically to list all permissions an identity has. The available documentation and examples focus on expanding a subject set to see who has access to an object (i.e., "who can access this resource?"), rather than "what can this identity access?" or "what permissions does this identity have?" via the Expand API. The Expand API is typically used to expand a relationship tuple (such as object, relation, and namespace) into a tree showing all subjects (identities) who have access to that object and why, not the other way around. For example, you can expand who has access to a file or video, but not directly list all permissions for a given identity using the Expand API. If you want to list all objects a user has access to, you would typically use the List API, not the Expand API. If you need to see why a user has access to an object, you use the Expand API on that object and relation, not on the user/identity itself [Expand API: display who has access to an object](https://www.ory.sh/docs/keto/guides/expand-api-display-who-has-access) [API Reference: expandPermissions](https://www.ory.sh/docs/reference/api). If you need to see how to call the Expand API using the Go SDK for a specific object/relation, please clarify, and I can provide an example for that use case.

Based on the knowledge sources, there is no complete Go SDK code example provided for querying the Permissions Expand API to list all users or roles and the permits they have on a given object. However, the documentation does explain that the Expand API is used to expand a subject set (such as an object and relation) into a tree of subjects (users or roles) who have that permission on the object, and why. This is typically used to answer "who has access to this object and why?" [Expand API: display who has access to an object](https://www.ory.sh/docs/keto/guides/expand-api-display-who-has-access). The REST API endpoint for this is:

GET /relation-tuples/expand?namespace=<namespace>&object=<object>&relation=<relation>

While the Go SDK documentation references the Expand API, it does not provide a direct code sample for this endpoint. The closest available information is that you would use the Expand API with the object, namespace, and relation you want to inspect, and the response will be a tree of users/roles and their permissions on that object [Expand API Reference](https://www.ory.sh/docs/reference/api#expandPermissions). Summary: - The Expand API is used to list all users/roles and the permits they have on a given object. - No Go SDK code example is provided in the knowledge sources. - You would call the Expand API with the object, namespace, and relation to get the tree of subjects with access. If you need to see the REST API usage or want to see the Go SDK usage for a different API (such as Check or List), please let me know!

Certainly! Here’s how you can use the Ory Permissions (Keto) REST API for the Expand, Check, and List operations, based strictly on the knowledge sources: --- ## 1. Expand API (REST) To display all users or roles (subjects) who have a specific permission (relation) on a given object, use the Expand API: REST API Request:

GET /relation-tuples/expand?namespace=<namespace>&object=<object>&relation=<relation>

- Replace

<namespace>

,

<object>

, and

<relation>

with your values. Purpose: This will return a tree of all subjects (users, roles, or subject sets) who have the specified relation (permission) on the object, and why. [Expand API: display who has access to an object](https://www.ory.sh/docs/keto/guides/expand-api-display-who-has-access) --- ## 2. Check API (REST and Go SDK) REST API Request:

GET /relation-tuples/check/openapi?namespace=<namespace>&object=<object>&relation=<relation>&subject_id=<subject_id>

- This checks if a specific subject (user or role) has a given permission on an object. Go SDK Example:

go check, r, err := ory.PermissionApi.CheckPermission(oryAuthedContext).     Namespace(namespace).     Object(object).     Relation(relation).     SubjectId(subjectId).     Execute() if err != nil {     // handle error } if check.Allowed {     fmt.Println(subjectId + " can " + relation + " the " + object) }

This code checks if a subject (e.g., user "Bob") can perform an action (e.g., "view") on an object (e.g., "secret_post") in a namespace (e.g., "Blog") [Go SDK example](https://www.ory.sh/docs/keto/sdk/go). --- ## 3. List API (REST) Purpose: To list all objects a user has access to, or all users who have a specific role or permission, use the List API by querying relationships. REST API Request:

GET /relation-tuples?namespace=<namespace>&relation=<relation>&subject_id=<subject_id>

- To list all objects a user has access to, specify the user as

subject_id

. - To list all users with a specific role, specify the role as

relation

. Example Use Cases: - List all files a user can read. - List all members of a group. For more details and examples, see the [API overview](https://www.ory.sh/docs/keto/concepts/api-overview) and [List API guide](https://www.ory.sh/docs/keto/guides/list-api-display-objects#listing-objects). --- If you need a specific example for any of these APIs, let me know the namespace, object, relation, and subject you want to use!

Certainly! Here’s how you can make a REST request to the Ory Permissions (Keto) Expand API using Go, including authentication headers. Note: - For Ory Network, you must include the

Authorization: Bearer <ORY_API_KEY>

header [Ory API Reference](https://www.ory.sh/docs/reference/api). - For self-hosted Keto, the Expand API does not require authentication by default [Keto REST API Reference](https://www.ory.sh/docs/keto/reference/rest-api). Below is a Go example for Ory Network (with authentication):

go package main  import (  "fmt"  "io/ioutil"  "net/http"  "os" )  func main() {  // Set your Ory Network project URL and API key  url := "https://<your-project>.<http://projects.oryapis.com/relation-tuples/expand?namespace=Blog&object=secret_post&relation=view|projects.oryapis.com/relation-tuples/expand?namespace=Blog&object=secret_post&relation=view>"  apiKey := os.Getenv("ORY_API_KEY") // Make sure to set this environment variable   req, err := http.NewRequest("GET", url, nil)  if err != nil {   panic(err)  }   // Add the Authorization header  req.Header.Add("Authorization", "Bearer "+apiKey)   client := &http.Client{}  resp, err := <http://client.Do|client.Do>(req)  if err != nil {   panic(err)  }  defer resp.Body.Close()   body, err := ioutil.ReadAll(resp.Body)  if err != nil {   panic(err)  }   fmt.Println(string(body)) }

Replace

<your-project>

with your Ory Network project slug, and ensure the

ORY_API_KEY

environment variable is set. - For Ory Network, authentication is required for this endpoint [Ory API Reference](https://www.ory.sh/docs/reference/api). - For self-hosted Keto, authentication is not required for the Expand API [Keto REST API Reference](https://www.ory.sh/docs/keto/reference/rest-api). If you need a self-hosted example (without auth), simply omit the

Authorization

header.

Certainly! Here is a Go example that makes a REST request to the Ory Permissions (Keto) Expand API, includes the Authorization header, and prints the JSON response body as a string. This approach is directly aligned with the documented API usage, which expects a JSON response [Ory API Reference](https://www.ory.sh/docs/reference/api):

go package main  import (  "fmt"  "io/ioutil"  "net/http"  "os" )  func main() {  // Replace with your Ory Network project URL and parameters  url := "https://<your-project>.<http://projects.oryapis.com/relation-tuples/expand?namespace=Blog&object=secret_post&relation=view|projects.oryapis.com/relation-tuples/expand?namespace=Blog&object=secret_post&relation=view>"  apiKey := os.Getenv("ORY_API_KEY") // Set your API key in the environment   req, err := http.NewRequest("GET", url, nil)  if err != nil {   panic(err)  }   // Add the Authorization header for Ory Network  req.Header.Add("Authorization", "Bearer "+apiKey)  req.Header.Add("Accept", "application/json") // Ensure JSON response   client := &http.Client{}  resp, err := <http://client.Do|client.Do>(req)  if err != nil {   panic(err)  }  defer resp.Body.Close()   body, err := ioutil.ReadAll(resp.Body)  if err != nil {   panic(err)  }   fmt.Println(string(body)) // Prints the JSON response }

- The

Accept: application/json

header ensures the response is in JSON format. - The response from the Expand API is a JSON object representing the expanded permission tree [Ory API Reference](https://www.ory.sh/docs/reference/api). If you are using self-hosted Keto, the authentication header is not required for the Expand API [Keto REST API Reference](https://www.ory.sh/docs/keto/reference/rest-api).