PlatformXeDocs
Get API Key

Multi-App Permissions with Federation

Set up federated authorization between two applications.

This guide walks through setting up federated authorization between two applications using PlatformXe's federation system.

Prerequisites

  • Enterprise plan on PlatformXe
  • Two applications with PlatformXe API keys (permissions:manage scope)

Step 1: Create a federation group

The owning application creates the group:

const group = await px.permissions.createFederationGroup({
  name: 'My Organization',
  description: 'Shared permissions across Lettings and Concierge',
});

const groupId = group.data.id;

Step 2: Add member applications

Add both applications with unique prefixes:

// Add Lettings app
await px.permissions.addFederationMember(groupId, {
  organizationId: 'org_lettings',
  prefix: 'LT',
});

// Add Concierge app
await px.permissions.addFederationMember(groupId, {
  organizationId: 'org_concierge',
  prefix: 'CC',
});

Step 3: Register modules in each app

Each app registers its own modules:

// In Lettings app
await px.permissions.registerModule({
  name: 'BOOKINGS',
  actions: ['READ', 'CREATE', 'UPDATE', 'DELETE', 'APPROVE'],
});

await px.permissions.registerModule({
  name: 'PROPERTIES',
  actions: ['READ', 'CREATE', 'UPDATE', 'DELETE', 'PUBLISH'],
});

// In Concierge app
await px.permissions.registerModule({
  name: 'TASKS',
  actions: ['READ', 'CREATE', 'ASSIGN', 'COMPLETE'],
});

Step 4: Pull modules into the federation

const result = await px.permissions.federationPull(groupId);
console.log(result.data.modules);
// ['LT:BOOKINGS', 'LT:PROPERTIES', 'CC:TASKS']

Step 5: Create roles spanning both apps

await px.permissions.createRole({
  name: 'Operations Manager',
  model: 'FULL',
});

await px.permissions.setModulePermissions('role_ops_mgr', {
  modules: [
    { moduleId: 'LT:BOOKINGS', actions: ['READ', 'APPROVE'] },
    { moduleId: 'LT:PROPERTIES', actions: ['READ', 'LIST'] },
    { moduleId: 'CC:TASKS', actions: ['READ', 'CREATE', 'ASSIGN'] },
  ],
});

Step 6: Push permissions to member apps

await px.permissions.federationPush(groupId);

Step 7: Validate with shadow check

Before cutting over, run shadow checks in each app:

const result = await px.permissions.shadowCheck({
  adminId: 'user_ops_mgr',
  path: 'LT:BOOKINGS',
  action: 'APPROVE',
  localDecision: true,
});

if (result.data.discrepancy) {
  console.warn('Mismatch — investigate before cutover');
}

Run shadow checks under production traffic for at least one week per app before switching reads to PlatformXe. See the Federation Migration Guide for the full cutover process.