# Use Access Grants to Access Resources This page details how a server-side application can use Inrupt’s [solid-client-access-grants library](https://inrupt.github.io/solid-client-access-grants-js/) to access Pod Resources with approved Access Grants. {% hint style="info" %} **Access Requests and Grants** The following Inrupt products are available to support Access Requests and Grants: * **`solid-client-access-grants`** library for managing Access Requests and Grants * Inrupt’s Enterprise Solid Server provides support for [Access Requests and Grants](/security/authorization/access-requests-grants.md). ESS serializes the Access Requests and Grants as Verifiable Credentials. * Inrupt’s [Authorization Management Component](/security/authorization/access-requests-grants.md#authorization-management-component-amc) supports Access Request management. {% endhint %} ### Read/Write APIs The **`@inrupt/solid-client-access-grants`** library provides various [read and write APIs](https://inrupt.github.io/solid-client-access-grants-js/modules/resource.html) that allows agents with appropriate Access Grants to read/write Pod resources; such as: | | | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | {% hint style="warning" %} Ensure that you are using the APIs from the **`@inrupt/solid-client-access-grants`** and **not** the **`@inrupt/solid-client`** library. {% endhint %} These APIs support the use of **Bearer** tokens (not DPoP tokens). ### Specify Bearer Token Type for Session Inrupt’s Enterprise Solid Server supports [UMA flow](https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html#protocol-flow-details-sec) to exchange the Access Grants for access tokens. These UMA access tokens can then be used to access the resources. The **`solid-client-access-grants`**’s [read and write APIs](https://inrupt.github.io/solid-client-access-grants-js/modules/resource.html) handle the UMA exchange and sends the returned UMA access token to access the resource. The library’s read and write APIs support the use of **Bearer** tokens (and not DPoP tokens), and as such, they require the authenticated [Sessions](https://inrupt.github.io/solid-client-authn-js/node/classes/Session.html) to use Bearer tokens (instead of the default DPoP). To obtain an authenticated Session that uses Bearer tokens, set the [tokenType](https://inrupt.github.io/solid-client-authn-js/node/interfaces/ILoginInputOptions.html#tokentype) for the [Session](https://inrupt.github.io/solid-client-authn-js/node/classes/Session.html) during the [Session.login()](https://inrupt.github.io/solid-client-authn-js/node/classes/Session.html#login). For example, the following server-side code instantiates a Session and specifies the [tokenType](https://inrupt.github.io/solid-client-authn-js/node/interfaces/ILoginInputOptions.html#tokentype) of **`Bearer`** during login (the default **`tokenType`** is **`DPoP`**): 
import { Session } from "@inrupt/solid-client-authn-node";
//...

const session = new Session();

// ...

if (!session.info.isLoggedIn) {
  await sessionTokenTypeBearer.login({
    clientId: process.env.CLIENT_ID,
    clientSecret: process.env.CLIENT_SECRET,
    oidcIssuer: process.env.IDP,
    tokenType: "Bearer", // Specify the tokenType option
  });
}
The application uses the client credentials received during client registration. For more information on static registration of client applications, see [Authentication Single-User Application](/guides/authentication-in-solid/authentication-single-user-application.md). ### Retrieve Access Grants As part of the Access Request/Grant flow, when the Resource Owner grants the Access Request, the **`id`** of the Access Grant (serialized as VC) is sent back to the requesting app as a query parameter. The requesting app can use [getAccessGrantFromRedirectUrl](https://inrupt.github.io/solid-client-access-grants-js/functions/index.getAccessRequestFromRedirectUrl.html) to get the Access Grant (serialized as VC) ```javascript import { getAccessGrantFromRedirectUrl } from "@inrupt/solid-client-access-grants"; // ... const myAccessGrantVC = await getAccessGrantFromRedirectUrl( myURL, { fetch: session.fetch } // fetch from the authenticated Session ); ``` ### Read and Write `SolidDataset` If the requestor has an Access Grant that allows the requestor to perform read/write operations on a [SolidDataset](/reference/glossary.md#soliddataset), the requestor can use the appropriate **`@inrupt/solid-client-access-grants`** [read and write APIs](https://inrupt.github.io/solid-client-access-grants-js/modules/resource.html); for example: | [getSolidDataset](https://inrupt.github.io/solid-client-access-grants-js/functions/index.getSolidDataset.html) | To read/fetch a SolidDataset from a Pod. | | -------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | | [saveSolidDatasetAt](https://inrupt.github.io/solid-client-access-grants-js/functions/index.saveSolidDatasetAt.html) | To write a SolidDataset to a Pod. | | [deleteSolidDataset](https://inrupt.github.io/solid-client-access-grants-js/functions/index.deleteSolidDataset.html) | To delete a SolidDataset from a Pod. | To use these functions, the authenticated session must use **`Bearer`** token type. To read or modify the data in a local SolidDataset (e.g., **`getThing`**, **`addUrl`**, **`setThing`** of a fetched SolidDataset or a new SolidDataset), use the **`@inrupt/solid-client`** library’s functions. For example: 
import {
   getSolidDataset,
   saveSolidDatasetAt
} from "@inrupt/solid-client-access-grants";

import {
  getThing,
  getStringNoLocale,
  addUrl,
  addStringNoLocale,
  buildThing,
  createThing,
  setThing
} from "@inrupt/solid-client";

// ...


// Use `getSolidDataset` from `@inrupt/solid-client-access-grants`
const mySolidDataset = await getSolidDataset(
   resourceURL,
   myAccessGrantVC,  // Access Grant (serialized as VC) that provides the user read access to get the SolidDataset
   { fetch : session.fetch } // fetch from the authenticated Session with tokenType Bearer
)

// Use functions from `@inrupt/solid-client` to modify the SolidDataset
// const myDataThing = getThing( ... );
// ...
// let myUpdatedSolidDataset = ...;
// ...

// Use `saveSolidDatasetAt` from `@inrupt/solid-client-access-grants`
const savedSolidDataset = await saveSolidDatasetAt(
  resourceURL,
  myUpdatedSolidDataset,
  myAccessGrantVC,             // Access Grant (serialized as VC) that grants the user write access to save the SolidDataset
  { fetch: session.fetch }     // authenticated Session with tokenType Bearer
);
{% hint style="warning" %} Ensure that you are using the APIs from the **`@inrupt/solid-client-access-grants`** and **not** the **`@inrupt/solid-client`** library. {% endhint %} To access the contents of the SolidDataset, use the **`@inrupt/solid-client`** library’s functions. For examples, see: * [Read Data](/sdk/javascript-sdk/read-and-write-rdf-data.md#read) * [Write a New SolidDataset](/sdk/javascript-sdk/read-and-write-rdf-data.md#write-a-new-soliddataset) * [Modify an Existing SolidDataset](/sdk/javascript-sdk/read-and-write-rdf-data.md#modify-an-existing-soliddataset) ### Read and Write Non-RDF Files If the requestor has an Access Grant that allows the requestor to perform read/write operations on a non-RDF file (e.g., `.pdf`, `.jpeg`, etc.), the requestor can use the appropriate **`@inrupt/solid-client-access-grants`** [read and write APIs](https://inrupt.github.io/solid-client-access-grants-js/modules/resource.html); for example:
solid-client-access-grants FunctionsDescription
getFileTo read/fetch a file from a Pod.
overwriteFile

To update an existing file in a Pod.

Unlike the corresponding function in @inrupt/solid-client, you cannot use solid-client-access-grants overwriteFile to save a new file.

saveFileInContainerTo write a new file to a Pod.
deleteFileTo delete a file from a Pod.
{% hint style="info" %} The authenticated session must use **`Bearer`** token type. {% endhint %} {% hint style="warning" %} Ensure that you are using the APIs from the **`@inrupt/solid-client-access-grants`** and **not** the **`@inrupt/solid-client`** library. {% endhint %} For example: 
import {
   getFile, overwriteFile
} from "@inrupt/solid-client-access-grants";

// ...

const file = await getFile(
  fileURL,               // File in Pod to Read
  myAccessGrantVC,       // Access Grant (serialized as VC) that grants the user read access to the File
  { fetch: session.fetch }  // authenticated Session with tokenType Bearer
);

// ...

const updated = await overwriteFile(
  fileURL,               // URL for the file
  fileWithNewContent,    // File
  myAccessGrantVC,       // Access Grant (serialized as VC) that grants the user read access to the File
  { contentType: fileWithNewContent.type,
    fetch: session.fetch }  // authenticated Session with tokenType Bearer
);
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.inrupt.com/sdk/javascript-sdk/access-requests-and-grants/use-access-grants-to-access-resources.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.