Skip to main content

Triggering Data Updates

OPAL allows for other components to notify it (and through it all the OPAL clients , and their next-door policy agents) of data updates, triggering each client [subscribed to the published topic] to fetch the data it needs.

What is this good for?

Let's try an example - say your application has a billing service, and you want to allow access only to users who have billing enabled (enforced via a policy agent). You now need changes to the state of the billing service to be propagated to each of the enforcement points/agents (and preferably instantly [Users who've paid - don't like to wait 😅 ]). With the OPAL's data-update-triggers feature the billing-service, another service monitoring it, or even a person can trigger updates as they need - knowing OPAL will take it from there to all the points that need it.

First, you need to obtain a data-source identity token (JWT)

Every service that publishes to OPAL needs a datasource identity token. Obtaining one is easy, but you need access to the corresponding OPAL Server master token.

Obtain a data source token with the cli:

opal-client obtain-token MY_MASTER_TOKEN --uri= --type datasource

If you don't want to use the cli, you can obtain the JWT directly from the deployed OPAL server via its REST API:

curl --request POST '' \
--header 'Authorization: Bearer MY_MASTER_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
"type": "datasource",

The /token API endpoint can receive more parameters, as documented here.

This example assumes that:

  • You deployed OPAL server to
  • The master token of your deployment is MY_MASTER_TOKEN.
    • In real life, use a cryptographically secure secret. If you followed our tutorials while deploying OPAL, you probably generated one with opal-server generate-secret.

How to trigger updates

There are a few ways to trigger updates:

Option 1: Trigger a data update with the CLI

Can be run both from opal-client and opal-server.


  • With $token being a JWT we generated in step 1.

  • we publish a data-event regarding two topics users and billing pointing clients to to obtain the data they need. we also provide the clients with the credentials they'll need to connect to the server (as HTTP authorization headers)

  • opal-client publish-data-update $token --src-url -t users -t billing --src-config '{"headers":{"authorization":"bearer secret-token"}}'
  • (Yes... We did... We put authorization in your authorization 😜  😅 )

  • See this recording showing the command including getting the JWT for the server with the obtain-token command.

Option 2: Trigger a data update with OPAL Server REST API

Option 3: Write your own - import code from the OPAL's packages

  • One of the great things about OPAL being written in Python is that you can easily reuse its code. See the code for the DataUpdate model at opal_common/schemas/ and use it within your own code to send an update to the server