Dynamic Policies Powered by JavaScript

Write custom access rules in JavaScript to enforce any scenario—without rebuilding your authorization logic. Perfect for advanced, one-off, or calculated permission needs.

How JavaScript-Based Policies Work in Keymate

Keymate lets you define advanced access logic directly in JavaScript. You can reference user attributes, tokens, request parameters, and apply logic using the familiar grant() / deny() methods supported by Keycloak's native JS Policy engine. With built-in simulation and audit tools, these dynamic policies become maintainable, testable, and safer.

JavaScript Policy Evaluation Flow

Keymate lets you define advanced access logic directly in JavaScript. You can reference user attributes, tokens, request parameters, and apply logic using the familiar grant() / deny() methods supported by Keycloak's native JS Policy engine.

With built-in simulation and audit tools, these dynamic policies become maintainable, testable, and safer.

Example: Example JS policy: if (user.department === "Sales" && resource.type === "Proposal") { grant(); } else if (context.time >= "18:00") { deny("No access after working hours"); } else { deny(); }

Key Components:

User Attributes & Token

Request Context (time, IP, etc.)

JavaScript Policy Script

Keycloak JS Policy Engine

grant() / deny() Methods

Access Decision (Granted/Denied with Reason)

What Makes Dynamic Policies in Keymate Unique

JavaScript Editor with Syntax Highlighting

Write logic directly with auto-complete, validation, and grant/deny guidance.

Full Token + Context Access

Access token claims, session context, and request parameters in script.

Sandboxed Evaluation

Scripts are isolated and validated for secure, deterministic execution.

"Why Denied?" Debugging

Trace which branch of your JS logic was executed and why.

Audit and Versioning Support

Track changes in JS scripts and revert if needed.

Environment-Specific Logic

Write logic per DEV/TEST/PROD with separation and labels.

Leverage the full power of JavaScript for fine-grained, dynamic access control.

Frequently Asked Questions

Understanding Keymate's JavaScript-Based Access Policies.

A dynamic policy allows you to define access logic using a scripting language—commonly JavaScript—so that permissions can be computed based on runtime conditions like user role, time of day, or request context. These policies are natively supported in Keymate using JavaScript.

While static rules rely on fixed roles or attribute values, JavaScript-based policies can evaluate logic, branches, or multiple conditions dynamically. This allows greater flexibility for real-world scenarios where access logic can't be predefined. Dynamic evaluation is supported and observable in Keymate.

Use dynamic policies when you need to express complex, contextual, or exception-based logic—such as temporary overrides, time-based access, or cross-resource dependencies. These cases are difficult to model with RBAC or ABAC alone, and are easier to implement in Keymate with JavaScript.

Yes. When implemented with sandboxing and audit controls, JavaScript-based policies are secure and maintainable. Keymate ensures policy scripts are isolated, versioned, and logged for production-grade safety.

Definitely. Good platforms offer simulation and dry-run tools to evaluate how a policy will behave with different users or tokens. Keymate includes a built-in policy testing console for JavaScript policies.

Yes. You can access user attributes, request metadata, and environment variables directly within the JavaScript code to make fine-tuned decisions. This flexibility is built into Keymate.

How to Use Dynamic Policies in Keymate

Leverage the flexibility of JavaScript to implement custom access control logic tailored to your exact needs.

Steps to Create and Enforce JavaScript-Based Policies

Choose "Dynamic" policy type in Admin Console

Select the JavaScript policy type when creating a new access policy in Keymate's management interface.

Use JS editor to write your logic

Utilize the built-in editor with syntax highlighting and auto-completion to script your policy using grant() and deny() methods.

Use "Test Policy" panel to simulate with token/context

Before deploying, test your JavaScript policy against various user profiles, token claims, and request contexts.

Tag policy to environment (DEV/TEST/PROD)

Assign your dynamic policy to specific environments to manage its lifecycle from development to production.

Enforce via SDK or Gateway plugin

Integrate with Keymate's SDKs or API Gateway plugins to enforce your JavaScript policies in real-time.

Explore the Dynamic Policy Editor

Experience the power of Keymate’s Dynamic Policy Editor to build, test, and manage your JavaScript policies.

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.