A policy based authorization module

Usage no npm install needed!

<script type="module">
  import nearformUdaruCore from 'https://cdn.skypack.dev/@nearform/udaru-core';



npm travis coveralls snyk

Udaru is a Policy Based Access Control (PBAC) authorization module. It supports Organizations, Teams and User entities that are used to build the access model. The policies attached to these entities define the 'Actions' that can be performed by an entity on various 'Resources'.

See the Udaru website for complete documentation on Udaru.

udaru-core is a lower level library that's primarily used by udaru-hapi-plugin and udaru-hapi-16-plugin, but can also be used directly for other purposes.


To install via npm:

npm install @nearform/udaru-core


Simple example taken from examples/list-orgs.js:

const udaru = require('@nearform/udaru')()
udaru.organizations.list({}, (err, orgs) => {
  if (err) {
  } else {



Hooks are registered using the udaru.hooks.add method and allow you to listen to specific events in udaru.

Each udaru method exposes a namespaced hook (e.g.: the udaru.authorize.isUserAuthorized method exposes the authorize:isUserAuthorized hook).

The hook is a node-style callback with three arguments: the method arguments, the method result values and a callback to invoke once done.

If the hook returns a promise, the execution will await its completion.

Hooks errors or rejections are ignored unless the hooks.propagateErrors configuration variable is set to true.

Simple example taken from examples/hooks.js:

const udaru = require('@nearform/udaru')()

udaru.hooks.add('authorize:isUserAuthorized', function (error, args, result, done) {
  if (error) {
    console.error(`Authorization errored: ${error}`)
    return done(error)

  console.log(`Access to ${args[0]} got access: ${result[0].access}`)

udaru.authorize.isUserAuthorized('resource', 'action', 'uid', 'oid', cb) {
  console.log(err, cb.access)


Copyright nearForm Ltd 2017. Licensed under MIT.