Obligations
An obligation is a PDP-to-PEP directive that accompanies an access decision: "permit, provided these controls are enforced." Obligations are scoped to a namespace and can carry multiple values and triggers. See Obligations for the policy concept.
Setup
All examples on this page assume you have created a platform client. See Authentication for full details including DPoP key binding.
- Go
- JavaScript
import (
"context"
"log"
"github.com/opentdf/platform/sdk"
)
client, err := sdk.New("http://localhost:8080",
sdk.WithClientCredentials("opentdf", "secret", nil),
)
if err != nil {
log.Fatal(err)
}
// All Go snippets below use `client` and `context.Background()`.
// The Obligations service is accessed via client.Obligations.
import { authTokenInterceptor, clientCredentialsTokenProvider } from '@opentdf/sdk';
import { PlatformClient } from '@opentdf/sdk/platform';
const platform = new PlatformClient({
interceptors: [authTokenInterceptor(clientCredentialsTokenProvider({
clientId: 'opentdf', clientSecret: 'secret',
oidcOrigin: 'http://localhost:8080/auth/realms/opentdf',
}))],
platformUrl: 'http://localhost:8080',
});
// All JavaScript snippets below use `platform`.
// The Obligations service is accessed via platform.v1.obligation.
Obligation Definitions
List Obligations
Signature
- Go
- JavaScript
client.Obligations.ListObligations(ctx, &obligations.ListObligationsRequest{...})
await platform.v1.obligation.listObligations({ ... })
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
namespaceId | string (UUID) | No | Filter to obligations in this namespace. |
namespaceFqn | string (URI) | No | Filter by namespace FQN. Alternative to namespaceId. |
Without a filter, returns all obligations across all namespaces.
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.ListObligations(context.Background(),
&obligations.ListObligationsRequest{},
)
if err != nil {
log.Fatal(err)
}
for _, obl := range resp.GetObligations() {
log.Printf("Obligation: %s FQN: %s\n", obl.GetName(), obl.GetFqn())
}
To filter by namespace:
resp, err := client.Obligations.ListObligations(context.Background(),
&obligations.ListObligationsRequest{
NamespaceFqn: "https://example.com",
},
)
const resp = await platform.v1.obligation.listObligations({});
for (const obl of resp.obligations) {
console.log(`Obligation: ${obl.name} FQN: ${obl.fqn}`);
}
To filter by namespace:
const resp = await platform.v1.obligation.listObligations({
namespaceFqn: 'https://example.com',
});
Returns
A list of Obligation objects.
Get an Obligation
Signature
- Go
- JavaScript
client.Obligations.GetObligation(ctx, &obligations.GetObligationRequest{...})
await platform.v1.obligation.getObligation({ ... })
Parameters
Provide one of the following (exactly one is required):
| Parameter | Type | Description |
|---|---|---|
id | string (UUID) | The obligation UUID. |
fqn | string | The obligation FQN (e.g., https://example.com/obl/drm). |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.GetObligation(context.Background(),
&obligations.GetObligationRequest{
Fqn: "https://example.com/obl/drm",
},
)
if err != nil {
log.Fatal(err)
}
log.Printf("Obligation ID: %s\n", resp.GetObligation().GetId())
const resp = await platform.v1.obligation.getObligation({
fqn: 'https://example.com/obl/drm',
});
console.log(`Obligation ID: ${resp.obligation?.id}`);
Returns
A single Obligation object.
Get Obligations by FQNs
Batch-fetch multiple obligations by FQN in a single request.
Signature
- Go
- JavaScript
client.Obligations.GetObligationsByFQNs(ctx, &obligations.GetObligationsByFQNsRequest{...})
await platform.v1.obligation.getObligationsByFQNs({ ... })
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
fqns | []string | Yes | Obligation FQNs to look up. |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.GetObligationsByFQNs(context.Background(),
&obligations.GetObligationsByFQNsRequest{
Fqns: []string{
"https://example.com/obl/drm",
"https://example.com/obl/audit",
},
},
)
if err != nil {
log.Fatal(err)
}
for fqn, obl := range resp.GetFqnObligationMap() {
log.Printf("%s → %s\n", fqn, obl.GetId())
}
const resp = await platform.v1.obligation.getObligationsByFQNs({
fqns: [
'https://example.com/obl/drm',
'https://example.com/obl/audit',
],
});
for (const [fqn, obl] of Object.entries(resp.fqnObligationMap)) {
console.log(`${fqn} → ${obl.id}`);
}
Returns
A map of FQN to Obligation object.
Create an Obligation
Signature
- Go
- JavaScript
client.Obligations.CreateObligation(ctx, &obligations.CreateObligationRequest{...})
await platform.v1.obligation.createObligation({ ... })
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
namespaceId | string (UUID) | Yes* | The parent namespace. Required unless namespaceFqn is provided. |
namespaceFqn | string (URI) | Yes* | The parent namespace FQN. Alternative to namespaceId. |
name | string | Yes | Obligation name (e.g., drm, audit). |
values | []string | No | Initial values to create with the obligation. Can also be added later via Create Obligation Value. |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.CreateObligation(context.Background(),
&obligations.CreateObligationRequest{
NamespaceFqn: "https://example.com",
Name: "drm",
Values: []string{"watermarking", "no-download"},
},
)
if err != nil {
log.Fatal(err)
}
log.Printf("Created obligation: %s FQN: %s\n",
resp.GetObligation().GetId(), resp.GetObligation().GetFqn())
const resp = await platform.v1.obligation.createObligation({
namespaceFqn: 'https://example.com',
name: 'drm',
values: ['watermarking', 'no-download'],
});
console.log(`Created obligation: ${resp.obligation?.id} FQN: ${resp.obligation?.fqn}`);
Returns
The created Obligation object. The resulting FQN follows the convention <namespace>/obl/<name> (e.g., https://example.com/obl/drm).
Update an Obligation
Signature
- Go
- JavaScript
client.Obligations.UpdateObligation(ctx, &obligations.UpdateObligationRequest{...})
await platform.v1.obligation.updateObligation({ ... })
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
id | string (UUID) | Yes | The obligation ID to update. |
name | string | No | New name. Only set fields are updated. |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.UpdateObligation(context.Background(),
&obligations.UpdateObligationRequest{
Id: "3f4a7c12-...",
Name: "digital-rights",
},
)
if err != nil {
log.Fatal(err)
}
log.Printf("Updated obligation FQN: %s\n", resp.GetObligation().GetFqn())
const resp = await platform.v1.obligation.updateObligation({
id: '3f4a7c12-...',
name: 'digital-rights',
});
console.log(`Updated obligation FQN: ${resp.obligation?.fqn}`);
Returns
The updated Obligation object.
Delete an Obligation
Signature
- Go
- JavaScript
client.Obligations.DeleteObligation(ctx, &obligations.DeleteObligationRequest{...})
await platform.v1.obligation.deleteObligation({ ... })
Parameters
Provide one of the following (exactly one is required):
| Parameter | Type | Description |
|---|---|---|
id | string (UUID) | The obligation UUID. |
fqn | string | The obligation FQN. |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.DeleteObligation(context.Background(),
&obligations.DeleteObligationRequest{
Fqn: "https://example.com/obl/drm",
},
)
if err != nil {
log.Fatal(err)
}
log.Printf("Deleted obligation: %s\n", resp.GetObligation().GetId())
const resp = await platform.v1.obligation.deleteObligation({
fqn: 'https://example.com/obl/drm',
});
console.log(`Deleted obligation: ${resp.obligation?.id}`);
Returns
The deleted Obligation object.
Obligation Object
| Field | Type | Description |
|---|---|---|
id | string (UUID) | Unique identifier, generated by the platform. |
name | string | The obligation name (e.g., drm, audit). |
fqn | string | Fully qualified name, e.g., https://example.com/obl/drm. |
values | []ObligationValue | The values defined under this obligation. |
namespace | Namespace | The parent namespace. |
metadata | Metadata | Optional labels. |
Obligation Values
Each obligation can carry one or more values. Value FQNs follow the convention <namespace>/obl/<obligation_name>/value/<value> (e.g., https://example.com/obl/drm/value/watermarking).
Get an Obligation Value
Signature
- Go
- JavaScript
client.Obligations.GetObligationValue(ctx, &obligations.GetObligationValueRequest{...})
await platform.v1.obligation.getObligationValue({ ... })
Parameters
Provide one of the following (exactly one is required):
| Parameter | Type | Description |
|---|---|---|
id | string (UUID) | The value UUID. |
fqn | string | The value FQN (e.g., https://example.com/obl/drm/value/watermarking). |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.GetObligationValue(context.Background(),
&obligations.GetObligationValueRequest{
Fqn: "https://example.com/obl/drm/value/watermarking",
},
)
if err != nil {
log.Fatal(err)
}
log.Printf("Value ID: %s\n", resp.GetValue().GetId())
const resp = await platform.v1.obligation.getObligationValue({
fqn: 'https://example.com/obl/drm/value/watermarking',
});
console.log(`Value ID: ${resp.value?.id}`);
Returns
A single Obligation Value object.
Get Obligation Values by FQNs
Signature
- Go
- JavaScript
client.Obligations.GetObligationValuesByFQNs(ctx, &obligations.GetObligationValuesByFQNsRequest{...})
await platform.v1.obligation.getObligationValuesByFQNs({ ... })
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
fqns | []string | Yes | Obligation value FQNs to look up. |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.GetObligationValuesByFQNs(context.Background(),
&obligations.GetObligationValuesByFQNsRequest{
Fqns: []string{
"https://example.com/obl/drm/value/watermarking",
"https://example.com/obl/drm/value/no-download",
},
},
)
if err != nil {
log.Fatal(err)
}
for fqn, val := range resp.GetFqnValueMap() {
log.Printf("%s → %s\n", fqn, val.GetId())
}
const resp = await platform.v1.obligation.getObligationValuesByFQNs({
fqns: [
'https://example.com/obl/drm/value/watermarking',
'https://example.com/obl/drm/value/no-download',
],
});
for (const [fqn, val] of Object.entries(resp.fqnValueMap)) {
console.log(`${fqn} → ${val.id}`);
}
Returns
A map of FQN to Obligation Value object.
Create an Obligation Value
Signature
- Go
- JavaScript
client.Obligations.CreateObligationValue(ctx, &obligations.CreateObligationValueRequest{...})
await platform.v1.obligation.createObligationValue({ ... })
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
obligationId | string (UUID) | Yes* | The parent obligation. Required unless obligationFqn is provided. |
obligationFqn | string | Yes* | The parent obligation FQN. Alternative to obligationId. |
value | string | Yes | The value string (e.g., watermarking, encrypt-at-rest). |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.CreateObligationValue(context.Background(),
&obligations.CreateObligationValueRequest{
ObligationFqn: "https://example.com/obl/drm",
Value: "encrypt-at-rest",
},
)
if err != nil {
log.Fatal(err)
}
log.Printf("Created value: %s FQN: %s\n",
resp.GetValue().GetId(), resp.GetValue().GetFqn())
const resp = await platform.v1.obligation.createObligationValue({
obligationFqn: 'https://example.com/obl/drm',
value: 'encrypt-at-rest',
});
console.log(`Created value: ${resp.value?.id} FQN: ${resp.value?.fqn}`);
Returns
The created Obligation Value object.
Update an Obligation Value
Signature
- Go
- JavaScript
client.Obligations.UpdateObligationValue(ctx, &obligations.UpdateObligationValueRequest{...})
await platform.v1.obligation.updateObligationValue({ ... })
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
id | string (UUID) | Yes | The value ID to update. |
value | string | No | New value string. |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.UpdateObligationValue(context.Background(),
&obligations.UpdateObligationValueRequest{
Id: "9a1b2c3d-...",
Value: "encrypt-at-rest-v2",
},
)
if err != nil {
log.Fatal(err)
}
log.Printf("Updated value FQN: %s\n", resp.GetValue().GetFqn())
const resp = await platform.v1.obligation.updateObligationValue({
id: '9a1b2c3d-...',
value: 'encrypt-at-rest-v2',
});
console.log(`Updated value FQN: ${resp.value?.fqn}`);
Returns
The updated Obligation Value object.
Delete an Obligation Value
Signature
- Go
- JavaScript
client.Obligations.DeleteObligationValue(ctx, &obligations.DeleteObligationValueRequest{...})
await platform.v1.obligation.deleteObligationValue({ ... })
Parameters
Provide one of the following (exactly one is required):
| Parameter | Type | Description |
|---|---|---|
id | string (UUID) | The value UUID. |
fqn | string | The value FQN. |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.DeleteObligationValue(context.Background(),
&obligations.DeleteObligationValueRequest{
Fqn: "https://example.com/obl/drm/value/watermarking",
},
)
if err != nil {
log.Fatal(err)
}
log.Printf("Deleted value: %s\n", resp.GetValue().GetId())
const resp = await platform.v1.obligation.deleteObligationValue({
fqn: 'https://example.com/obl/drm/value/watermarking',
});
console.log(`Deleted value: ${resp.value?.id}`);
Returns
The deleted Obligation Value object.
Obligation Value Object
| Field | Type | Description |
|---|---|---|
id | string (UUID) | Unique identifier, generated by the platform. |
value | string | The value string (e.g., watermarking, no-download). |
fqn | string | Fully qualified name, e.g., https://example.com/obl/drm/value/watermarking. |
obligation | Obligation | The parent obligation. |
triggers | []ObligationTrigger | Triggers associated with this value. |
metadata | Metadata | Optional labels. |
Triggers
A trigger links an obligation value to a specific action + attribute value combination. When that action is performed on data carrying that attribute value, the obligation fires.
Add an Obligation Trigger
Signature
- Go
- JavaScript
client.Obligations.AddObligationTrigger(ctx, &obligations.AddObligationTriggerRequest{...})
await platform.v1.obligation.addObligationTrigger({ ... })
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
obligationValue | IdFqnIdentifier | Yes | The obligation value to trigger. Provide id or fqn. |
action | IdNameIdentifier | Yes | The action that fires this trigger. Provide id or name (e.g., read). |
attributeValue | IdFqnIdentifier | Yes | The attribute value that must be present on the data. Provide id or fqn. |
Example
- Go
- JavaScript
import (
"github.com/opentdf/platform/protocol/go/common"
"github.com/opentdf/platform/protocol/go/policy/obligations"
)
resp, err := client.Obligations.AddObligationTrigger(context.Background(),
&obligations.AddObligationTriggerRequest{
ObligationValue: &common.IdFqnIdentifier{
Fqn: "https://example.com/obl/drm/value/watermarking",
},
Action: &common.IdNameIdentifier{
Name: "read",
},
AttributeValue: &common.IdFqnIdentifier{
Fqn: "https://example.com/attr/classification/value/secret",
},
},
)
if err != nil {
log.Fatal(err)
}
log.Printf("Added trigger: %s\n", resp.GetTrigger().GetId())
const resp = await platform.v1.obligation.addObligationTrigger({
obligationValue: { fqn: 'https://example.com/obl/drm/value/watermarking' },
action: { name: 'read' },
attributeValue: { fqn: 'https://example.com/attr/classification/value/secret' },
});
console.log(`Added trigger: ${resp.trigger?.id}`);
Returns
The created Obligation Trigger object.
List Obligation Triggers
Signature
- Go
- JavaScript
client.Obligations.ListObligationTriggers(ctx, &obligations.ListObligationTriggersRequest{...})
await platform.v1.obligation.listObligationTriggers({ ... })
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
namespaceFqn | string (URI) | No | Filter to triggers in this namespace. |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.ListObligationTriggers(context.Background(),
&obligations.ListObligationTriggersRequest{
NamespaceFqn: "https://example.com",
},
)
if err != nil {
log.Fatal(err)
}
for _, trigger := range resp.GetTriggers() {
log.Printf("Trigger ID: %s\n", trigger.GetId())
}
const resp = await platform.v1.obligation.listObligationTriggers({
namespaceFqn: 'https://example.com',
});
for (const trigger of resp.triggers) {
console.log(`Trigger ID: ${trigger.id}`);
}
Returns
A list of Obligation Trigger objects.
Remove an Obligation Trigger
Signature
- Go
- JavaScript
client.Obligations.RemoveObligationTrigger(ctx, &obligations.RemoveObligationTriggerRequest{...})
await platform.v1.obligation.removeObligationTrigger({ ... })
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
id | string (UUID) | Yes | The trigger ID to remove. |
Example
- Go
- JavaScript
import "github.com/opentdf/platform/protocol/go/policy/obligations"
resp, err := client.Obligations.RemoveObligationTrigger(context.Background(),
&obligations.RemoveObligationTriggerRequest{
Id: "7e8f9a0b-...",
},
)
if err != nil {
log.Fatal(err)
}
log.Printf("Removed trigger: %s\n", resp.GetTrigger().GetId())
const resp = await platform.v1.obligation.removeObligationTrigger({
id: '7e8f9a0b-...',
});
console.log(`Removed trigger: ${resp.trigger?.id}`);
Returns
The removed Obligation Trigger object.
Obligation Trigger Object
| Field | Type | Description |
|---|---|---|
id | string (UUID) | Unique identifier, generated by the platform. |
obligationValue | ObligationValue | The obligation value this trigger fires for. |
action | Action | The action that activates this trigger (e.g., read). |
attributeValue | Value | The attribute value that must be present on the data. |
metadata | Metadata | Optional labels. |