Authorization at Scale: Access Levels, Roles, and Compact Decisions

Authentication answers "who are you?" Authorization answers the harder question: "are you allowed to do this?" By the time a request reaches this stage, we've already validated the token and confirmed the tenant. Now we need to decide — before the request touches any upstream service — whether this specific identity has permission to call this specific endpoint. That decision runs hundreds of millions of times a day. It needs to be fast, correct, and cheap to reason about when something goes wro