---
title: "3. Authorization and Access Rules"
path: "/developers/scrypto/03-authorization-and-badges"
version: "2.3.0"
author: "Hydrate"
createdAt: "2026-02-19T06:44:48.860Z"
updatedAt: "2026-03-16T18:26:10.116Z"
---

# 3. Authorization and Access Rules

## Introduction

In most smart contract platforms, access control is based on the caller's *address* — a pattern that leads to fragile permission systems and common exploits like reentrancy. Radix takes a fundamentally different approach: access is gated by **[badges](https://docs.radixdlt.com/docs/authorization)**, which are standard [resources](/contents/tech/core-concepts/asset-oriented-programming) (fungible or non-fungible) that serve as unforgeable credentials. A caller is authorised not because of *who they are* but because of *what they hold*.

This pattern is central to [Scrypto](/developers/legacy-docs/updates/roadmap/scrypto/scrypto) development and appears in virtually every non-trivial dApp on Radix.

## How It Works

### [Access Rules](https://docs.radixdlt.com/docs/authorization)

When a component is instantiated, its methods can be protected with [access rules](/contents/tech/core-concepts/access-rules-and-auth-zones) that specify which badge(s) must be present for a call to succeed. The [Radix Engine](/contents/tech/core-protocols/radix-engine) checks these rules automatically before executing any method — there is no manual `require(msg.sender == owner)` logic.

```
enable_method_auth! {
    roles {
        admin => updatable_by: [];
        minter => updatable_by: [admin];
    },
    methods {
        mint_tokens => restrict_to: [minter, admin];
        update_price => restrict_to: [admin];
        buy => PUBLIC;
    }
}
```

### [Proofs](https://docs.radixdlt.com/docs/auth) and the Auth Zone

When a method requires a badge, the caller provides a [Proof](/contents/tech/core-concepts/buckets-proofs-and-vaults) — a cryptographic attestation that a resource exists in the caller's possession without transferring it. Proofs can be placed on the **Auth Zone** (a transaction-scoped container) so that multiple method calls within the same transaction can share the same authorisation context.

```
# [Transaction manifest](https://docs.radixdlt.com/docs/transaction-manifest): create proof and call restricted method
CREATE_PROOF_FROM_ACCOUNT_OF_AMOUNT
    Address("account_rdx...")
    Address("resource_rdx...admin_badge...")
    Decimal("1")
;
CALL_METHOD
    Address("component_rdx...")
    "update_price"
    Decimal("1.50")
;
```

## Common Badge Patterns

### Admin Badge

The most basic pattern: mint a single non-fungible badge at instantiation and return it to the deployer. Methods like `withdraw_fees`, `update_config`, or `pause` are gated behind this badge.

### User Badge

The [User Badge Pattern](/developers/legacy-docs/build/scrypto-1/scrypto-design-patterns/user-badge-pattern) issues a non-fungible badge to each user when they register. The badge's non-fungible data stores user-specific state (balances, permissions, membership tier). Methods read the caller's badge data to personalise behaviour without maintaining a separate user registry.

### Multi-Signature

[Access rules](https://docs.radixdlt.com/docs/authorization) support boolean logic: `require_n_of(2, [badge_a, badge_b, badge_c])` creates a 2-of-3 multi-sig gate. This is useful for treasury management, protocol upgrades, or any high-stakes operation.

### Soulbound Badges

By creating a non-transferable resource (restrict `Deposit` and `Withdraw` actions), a badge becomes soulbound to the original recipient's account. This is ideal for identity credentials, certificates, or membership tokens that should not change hands.

## External Links

- [Authorization — Proofs — Official Docs](https://docs.radixdlt.com/docs/auth)

- [User Badge Pattern — Official Docs](https://docs.radixdlt.com/docs/user-badge-pattern)

- [Account Deposit Patterns — Official Docs](https://docs.radixdlt.com/docs/account-deposit-patterns)

<Infobox>
| **Badge-Gated Authorization** |
| Pattern Type | Access Control |
| Difficulty | Beginner–Intermediate |
| Concepts | [Access Rules](/contents/tech/core-concepts/access-rules-and-auth-zones), [Proofs](/contents/tech/core-concepts/buckets-proofs-and-vaults), [Badges](https://docs.radixdlt.com/docs/authorization) |
| Official Docs | [Authorization — Proofs](https://docs.radixdlt.com/docs/auth) |
| Example | [User Badge Pattern](/developers/legacy-docs/build/scrypto-1/scrypto-design-patterns/user-badge-pattern) |
</Infobox>