Picket Docs

Incremental Authorization

Incrementally authorize users for different parts of your app

What is Incremental Authorization?

The best example of incremental authorization is a Web3 community site. Imagine every NFT has an exclusive community site. Only token holders can access their NFTs' respective communities and content. With an infinite number of possible NFT-based communities, it would be impossible to check if a user has access to every community on the site at once; instead, we want to verify a user's token ownership incrementally.
Picket incremental authorization makes managing access across different token-gated communities and content simple. With Picket incremental authorization, users log in once and gradually prove token ownership to access various token-gated communities.
Once users prove token ownership, they don't need to be re-authorized until they log out. Picket handles the complexity of caching, refreshing, and validating token balances for a user.

When to Use Incremental Authorization?

The two most common use cases for incremental authorization are:

1. An app that gates different content by different tokens

For example, an NFT-based Reddit, which requires NFT ownership to access the NFT's subreddit.
In this scenario, each time users try to access a subreddit, Picket will verify they have the required NFT. Once verified, users will have access to that subreddit for the remainder of their session or until they log out.

2. An app where token ownership enhances the user experience rather than gates it

For example, a social web3 app in which users log in with their wallet to view content; however, only owners of the community token can post and comment on content.
In this scenario, users will log in with Picket to access the app. Any attempts to create or comment on content will be restricted to only token holders.
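
The session behaviour described above (log in once, prove token ownership the first time a gated action is attempted, reuse the proof until logout) can be modelled in a few lines. This is an added example, not Picket's code or API: the class, the balance lookup, the sample wallet and contracts, and the expiry after which a cached proof is rechecked are all assumptions made for illustration.

```javascript
// Added example: in-memory model of session-scoped incremental authorization.
// Not Picket's implementation or API; every name here is hypothetical.

// Constructed sample data: wallet -> token contract -> balance.
const SAMPLE_BALANCES = { "0xAlice": { "0xApes": 2, "0xPunks": 0 } };

// Hypothetical stand-in for an on-chain balance lookup.
function lookupBalance(wallet, contract) {
  return (SAMPLE_BALANCES[wallet] || {})[contract] || 0;
}

class IncrementalSession {
  constructor(wallet, { ttlMs = 60000, now = Date.now, lookup = lookupBalance } = {}) {
    this.wallet = wallet;     // identity established once, at login
    this.ttlMs = ttlMs;       // assumption: cached proofs are rechecked after this long
    this.now = now;
    this.lookup = lookup;
    this.grants = new Map();  // contract -> { minBalance, expiresAt }
    this.lookups = 0;         // counts balance checks actually performed
  }

  // Prove ownership for one requirement, only when the user first needs it.
  authorize(contract, minBalance = 1) {
    const cached = this.grants.get(contract);
    if (cached && cached.expiresAt <= this.now()) {
      this.grants.delete(contract);   // expired proof: the token may have moved
    } else if (cached && cached.minBalance >= minBalance) {
      return true;                    // already proven earlier in this session
    }
    this.lookups += 1;
    if (this.lookup(this.wallet, contract) < minBalance) {
      return false;                   // fail closed: no grant is recorded
    }
    this.grants.set(contract, { minBalance, expiresAt: this.now() + this.ttlMs });
    return true;
  }

  // Logging out discards every proof; the next session starts from zero.
  logout() {
    this.grants.clear();
  }
}

// Use case 1: gate reading a community. Use case 2: gate posting only.
const session = new IncrementalSession("0xAlice");
const canReadApes = session.authorize("0xApes");
const canPostPunks = session.authorize("0xPunks");
console.log({ canReadApes, canPostPunks, lookups: session.lookups });
```

The expiry matters because a token can be transferred after the proof was cached; without a recheck, the session would keep access the wallet no longer holds.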

Why Use Picket for Incremental Authorization?

As always, Picket makes incremental authorization as simple as a few API calls.
Picket handles the heavy lifting around updating users' session access tokens, caching token balances, revalidating permissions, and more. No matter the environment, Picket helps you keep the content secure. The developer experience is seamless across the frontend and backend.

How it Works

Picket JS / Picket React
If you are using a Picket client library like picket-js or picket-react, incremental authorization works out of the box! If you are curious about what is going on under the hood, keep reading.
End-to-End Incremental Authorization Flow

The Authorize (Authz) Endpoint

The /authz endpoint powers Picket's incremental auth