# Access Requests and Grants

Inrupt’s Enterprise Solid Server (ESS) provides support for Access Requests and Grants. With Access Requests and Grants:

* An [agent](https://docs.inrupt.com/reference/glossary#agent) can request access to [Resources](https://docs.inrupt.com/reference/glossary#resource) hosted on a [Pod](https://docs.inrupt.com/reference/glossary#pods). This Access Request includes the specific [access mode](https://docs.inrupt.com/reference/glossary#access-modes) (e.g., read, write, append) being requested, the Resources to access, the Purpose for which the data will be used, and other optional fields.
* The owner of the requested Resources (i.e., individuals with Control access to the requested Resources) can review the Access Request and either approve the Access Request, resulting in an Access Grant, or deny the Access Request, resulting in an Access Denial.
* If the requesting agent has an Access Grant, the requesting agent can exchange the Access Grant for an access token in order to access the Resources.

{% hint style="warning" %}
**Important**

* An Access Request that specifies a [Container](https://docs.inrupt.com/reference/glossary#container) also applies to the Container’s descendants unless the Request explicitly specifies otherwise with **`inherit: false`**.
* An Access Grant that specifies a [Container](https://docs.inrupt.com/reference/glossary#container) also applies to the Container’s descendants unless the approved Access Grant explicitly specifies otherwise with **`inherit: false`**.

To set the **`inherit`** field in Access Requests/Access Grants, **`@inrupt/solid-client-access-grants`** adds an **`inherit: <boolean>`** option to [issueAccessRequest](https://inrupt.github.io/solid-client-access-grants-js/functions/index.issueAccessRequest.html) and [approveAccessRequest](https://inrupt.github.io/solid-client-access-grants-js/functions/index.approveAccessRequest.html).
{% endhint %}

### Inrupt Client Library

To support ESS’ [Access Request and Grants feature](https://docs.inrupt.com/security/authorization/access-requests-grants), Inrupt provides the **`@inrupt/solid-client-access-grants`** library. This library contains APIs to manage Access Requests and Grants issued by ESS.

```bash
npm install @inrupt/solid-client-access-grants
```

### Usage Scenario

In the following usage scenario, a user wants to print some photos that are stored in their Pod. The user visits the ExamplePrinter’s web application, which provides photo printing services. When the ExamplePrinter’s web application asks for the photos to print, the user enters the URLs of the photos. To continue, the ExamplePrinter’s website asks for access to read the photos.

For example, assume the user **`snoringsue`** with the WebID (**`https://id.example.com/snoringsue`**) is on ExamplePrinter’s web application to print the following photos:

* **`"https://storage.example.com/someContainer/myphotos/apples.jpg"`**
* **`"https://storage.example.com/someContainer/myphotos/persimmons.jpg"`**
* **`"https://storage.example.com/someContainer/myphotos/grapes.jpg"`**.

The following diagram gives an overview of the flow. In the example, the Access Requests and Grants are serialized as Verifiable Credentials (VCs):

<figure><img src="https://2584838151-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLMLxFYifBOpjrf8rQMX1%2Fuploads%2Fgit-blob-95c80d25ed05ec29fa0fa02438c8209cb0705fec%2Faccess-grant-flow.svg?alt=media" alt=""><figcaption></figcaption></figure>

Sequence diagram of the Access Request flow, in which ExamplePrinter requests access to `snoringsue`’s photos and she approves the Request.
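
Applied to this scenario, the `inherit` rule from the Important note decides how far a Container-level request or grant reaches. The following is an added example, not Inrupt's code or ESS's enforcement logic: it models a credential as a plain object (`resources`, `modes`, `inherit`), an assumed simplification of the real Verifiable Credential, and `passport-scan.jpg` is a hypothetical file the user never listed.

```javascript
// Simplified model of the scope rule: a Container entry also covers the
// Container's descendants unless the credential carries inherit: false.

// Solid Containers are identified by URLs whose path ends in "/".
const isContainer = (url) => new URL(url).pathname.endsWith("/");

// True when `target` lies strictly below the Container `container`.
function isDescendant(container, target) {
  const c = new URL(container);
  const t = new URL(target); // URL parsing also resolves "../" segments
  return (
    c.origin === t.origin &&
    t.pathname.length > c.pathname.length &&
    t.pathname.startsWith(c.pathname) // trailing "/" prevents sibling-prefix matches
  );
}

// Does the credential cover `target` for `mode`? A missing `inherit`
// counts as true, matching "applies to descendants unless inherit: false".
function covers(credential, target, mode) {
  if (!credential.modes.includes(mode)) return false;
  const inherit = credential.inherit !== false;
  const wanted = new URL(target).href;
  return credential.resources.some((r) => {
    if (new URL(r).href === wanted) return true;
    return inherit && isContainer(r) && isDescendant(r, target);
  });
}

// Constructed inputs based on the scenario's URLs.
const base = "https://storage.example.com/someContainer/myphotos/";
const photos = ["apples.jpg", "persimmons.jpg", "grapes.jpg"].map((p) => base + p);
const broad = { resources: [base], modes: ["read"] }; // inherit omitted
const pinned = { resources: [base], modes: ["read"], inherit: false };
const exact = { resources: photos, modes: ["read"], inherit: false };
const other = base + "passport-scan.jpg"; // hypothetical, not requested by the user

console.log("Container, inherit omitted, unlisted file:", covers(broad, other, "read"));
console.log("Container, inherit: false, unlisted file:", covers(pinned, other, "read"));
console.log("Three photos listed, unlisted file:", covers(exact, other, "read"));
```

Listing the three photo URLs individually, or requesting the Container with `inherit: false`, keeps the unlisted file out of scope, while a Container request without `inherit` reaches everything beneath it.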

### Next Steps

| Guide | Purpose |
| ----- | ------- |
| [Manage Access Requests](https://docs.inrupt.com/sdk/javascript-sdk/access-requests-and-grants/manage-access-requests) | To make Access Requests. If access is granted, use the Access Grants to access the resource (such as the ExamplePrinter application in the above diagram). |
| [Manage Access Grants](https://docs.inrupt.com/sdk/javascript-sdk/access-requests-and-grants/manage-access-grants) | To approve or deny Access Requests (such as the Access Management application in the above diagram). |
| [Use Access Grants to Access Resources](https://docs.inrupt.com/sdk/javascript-sdk/access-requests-and-grants/use-access-grants-to-access-resources) | To query for Access Credentials based on a set of filters. |
| [Inspect Access Requests and Access Grants](https://docs.inrupt.com/sdk/javascript-sdk/access-requests-and-grants/inspect-access-requests-and-access-grants) | To get values out of Access Requests and Access Grants (such as how the ExamplePrinter application in the above diagram determines which resources it has access to). |
