FGA_BASE: adding base types and module registraiton

[swaroopAkkineniWorkos]

Description

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[ ] Yes

If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.

[linear]

ENT-5224 Update Python sdk for fga

[swaroopAkkineniWorkos]

@greptile review

[greptile-apps]

Greptile Summary

This PR adds foundational types and HTTP infrastructure for the new Fine-Grained Authorization (FGA) module:

• New authorization types: AccessEvaluation, Resource, RoleAssignment (with nested RoleAssignmentRole / RoleAssignmentResource), and AuthorizationOrganizationMembership — all Pydantic models inheriting from WorkOSModel, following established SDK patterns.
• delete_with_body HTTP method: Adds a new method to both SyncHTTPClient and AsyncHTTPClient that allows sending a JSON body with DELETE requests, enabled via a force_include_body flag in the base _prepare_request method. This is needed for FGA endpoints that accept DELETE with a request body.
• ListableResource registration: The new types are registered as constraints in the ListableResource TypeVar for pagination support.
• Test coverage: Comprehensive unit tests for all new types (deserialization, optional fields) and for the delete_with_body method (both sync and async), plus mock fixtures for Resource and RoleAssignment.

The implementation is clean, symmetric across sync/async, and consistent with existing SDK conventions. The OrganizationMembershipStatus literal is duplicated between the authorization and user_management modules — could be consolidated in a shared location.

Confidence Score: 4/5

• This PR is safe to merge — it adds new types and a well-tested HTTP utility with no breaking changes to existing behavior.
• Score of 4 reflects clean, well-structured additions that follow existing patterns, with comprehensive test coverage. Deducted one point for the minor duplication of OrganizationMembershipStatus and the fact that the new mock fixtures and types are not yet exercised by any module-level integration (this is explicitly a "base types" PR, so that's expected).
• src/workos/types/authorization/organization_membership.py has a duplicated type alias that could drift out of sync with user_management.

Important Files Changed

Filename	Overview
src/workos/types/authorization/access_evaluation.py	New simple Pydantic model with a single authorized: bool field. Minimal and correct.
src/workos/types/authorization/organization_membership.py	New AuthorizationOrganizationMembership type distinct from user_management's OrganizationMembership. Duplicates OrganizationMembershipStatus literal type, but well-documented rationale for the separate model.
src/workos/types/authorization/resource.py	New Resource model for authorization resources with appropriate required and optional fields. Clean implementation.
src/workos/types/authorization/role_assignment.py	New RoleAssignment model with nested RoleAssignmentRole and RoleAssignmentResource types. Properly structured.
src/workos/types/list_resource.py	Registers new types (Resource, RoleAssignment, AuthorizationOrganizationMembership) as listable resources in the TypeVar constraint. Follows existing pattern.
src/workos/utils/_base_http_client.py	Adds force_include_body parameter to _prepare_request to allow DELETE requests with a JSON body. Logic correctly bypasses the bodyless validation and includes json in the return dict.
src/workos/utils/http_client.py	Adds delete_with_body method to both SyncHTTPClient and AsyncHTTPClient. Symmetric implementation that correctly uses force_include_body=True.
tests/test_async_http_client.py	Adds three async tests for the new delete_with_body method: sending JSON, sending params, and verifying regular DELETE with body still raises ValueError.
tests/test_sync_http_client.py	Adds three sync tests for the new delete_with_body method, mirroring the async test coverage.
tests/test_authorization_types.py	Comprehensive tests for all new authorization types including deserialization, optional fields, and nested model validation.

Class Diagram

%%{init: {'theme': 'neutral'}}%%
classDiagram
    class WorkOSModel {
        +dict()
    }
    class AccessEvaluation {
        +bool authorized
    }
    class Resource {
        +Literal object
        +str id
        +str external_id
        +str name
        +Optional~str~ description
        +str resource_type_slug
        +str organization_id
        +Optional~str~ parent_resource_id
        +str created_at
        +str updated_at
    }
    class RoleAssignment {
        +Literal object
        +str id
        +RoleAssignmentRole role
        +RoleAssignmentResource resource
        +str created_at
        +str updated_at
    }
    class RoleAssignmentRole {
        +str slug
    }
    class RoleAssignmentResource {
        +str id
        +str external_id
        +str resource_type_slug
    }
    class AuthorizationOrganizationMembership {
        +Literal object
        +str id
        +str user_id
        +str organization_id
        +str organization_name
        +LiteralOrUntyped status
        +Optional~Mapping~ custom_attributes
        +str created_at
        +str updated_at
    }
    class BaseHTTPClient {
        +_prepare_request(force_include_body)
    }
    class SyncHTTPClient {
        +request()
        +delete_with_body()
    }
    class AsyncHTTPClient {
        +request()
        +delete_with_body()
    }

    WorkOSModel <|-- AccessEvaluation
    WorkOSModel <|-- Resource
    WorkOSModel <|-- RoleAssignment
    WorkOSModel <|-- RoleAssignmentRole
    WorkOSModel <|-- RoleAssignmentResource
    WorkOSModel <|-- AuthorizationOrganizationMembership
    RoleAssignment *-- RoleAssignmentRole
    RoleAssignment *-- RoleAssignmentResource
    BaseHTTPClient <|-- SyncHTTPClient
    BaseHTTPClient <|-- AsyncHTTPClient

Loading

_{Last reviewed commit: 526eb7d}

[greptile-apps]

_{13 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Duplicated OrganizationMembershipStatus literal

This exact same Literal["active", "inactive", "pending"] type alias is already defined in src/workos/types/user_management/organization_membership.py:7. Consider importing from a shared location or re-exporting from one module to the other to avoid the definitions drifting apart over time.