Objects are identifiers for some kind of application objects. They can represent e.g. a file, network port, physical item, ... . It is up to the application to map its objects to an unambiguous identifier. The limit on object identifiers is 64 characters. We recommend the usage of UUIDs as they provide a high entropy and thus unique identifiers. It is however possible to use e.g. URLs or opaque tokens of any kind. Please check the limitations. Ory Keto will consider objects equal iff their string representation is equal.
In the basic case an application uses the same object identifiers as it uses
internally, e.g. a UUIDv4 like
61e75133-efff-4281-8148-a1806919f568 or SHA-1
Head over to the basic full feature example to see an example with some context.
Because the Keto client can use arbitrary strings as objects, it is tempting to encode application data within the object. We strongly discourage this practice. Instead, you should use a UUID to map application data to Keto objects. This is required to ensure:
- single source of truth and easy data update
- free choice of encoding (Keto does not allow the characters
- unlimited data size (Keto only allows up to 64 characters)
For example, this could be used to implement checks on value ranges. The application knows the following mapping of comparison conditions and UUIDs:
Keto has the following relation tuples:
The application will have to translate an incoming "set value" request to the corresponding condition the value fulfills. It is important to understand that Ory Keto does not know how to interpret any of the information. Rather, the application has to preprocess and map the value to the corresponding UUID.