result := x == y

result := x > y

result := x >= y

result := x < y

result := x <= y

result := x != y

y := abs(x)

Returns the number without its sign.

y := ceil(x)

Rounds the number up to the nearest integer.

z := x / y

Divides the first number by the second number.

y := floor(x)

Rounds the number down to the nearest integer.

z := x - y

Minus subtracts the second number from the first number or computes the difference between two sets.

z := x * y

Multiplies two numbers.

range := numbers.range(a, b)

Returns an array of numbers in the given (inclusive) range. If a==b, then range == [a]; if a > b, then range is in descending order.

z := x + y

Plus adds two numbers together.

y := rand.intn(str, n)

Returns a random integer between 0 and n (n exlusive). If n is 0, then y is always 0. For any given argument pair (str, n), the output will be consistent throughout a query evaluation.

z := x % y

Returns the remainder for of x divided by y, for y != 0.

y := round(x)

Rounds the number to the nearest integer.

n := count(collection)

Count takes a collection or string and returns the number of elements (or characters) in it.

n := max(collection)

Returns the maximum value in a collection.

n := min(collection)

Returns the minimum value in a collection.

n := product(collection)

Muliplies elements of an array or set of numbers

n := sort(collection)

Returns a sorted array.

n := sum(collection)

Sums elements of an array or set of numbers.

z := array.concat(x, y)

Concatenates two arrays.

rev := array.reverse(arr)

Returns the reverse of a given array.

slice := array.slice(arr, start, stop)

Returns a slice of a given array. If start is greater or equal than stop, slice is [].

z := x & y

Returns the intersection of two sets.

y := intersection(xs)

Returns the intersection of the given input sets.

z := x - y

Minus subtracts the second number from the first number or computes the difference between two sets.

z := x | y

Returns the union of two sets.

y := union(xs)

Returns the union of the given input sets.

filtered := json.filter(object, paths)

Filters the object. For example: json.filter({"a": {"b": "x", "c": "y"}}, ["a/b"]) will result in {"a": {"b": "x"}}). Paths are not filtered in-order and are deduplicated before being evaluated.

output := json.patch(object, patches)

Patches an object according to RFC6902. For example: json.patch({"a": {"foo": 1}}, [{"op": "add", "path": "/a/bar", "value": 2}]) results in {"a": {"foo": 1, "bar": 2}. The patches are applied atomically: if any of them fails, the result will be undefined.

output := json.remove(object, paths)

Removes paths from an object. For example: json.remove({"a": {"b": "x", "c": "y"}}, ["a/b"]) will result in {"a": {"c": "y"}}. Paths are not removed in-order and are deduplicated before being evaluated.

filtered := object.filter(object, keys)

Filters the object by keeping only specified keys. For example: object.filter({"a": {"b": "x", "c": "y"}, "d": "z"}, ["a"]) will result in {"a": {"b": "x", "c": "y"}}).

value := object.get(object, key, default)

Returns value of an object’s key if present, otherwise a default. If the supplied key is an array, then object.get will search through a nested object or array using each key in turn. For example: object.get({"a": [{ "b": true }]}, ["a", 0, "b"], false) results in true.

output := object.remove(object, keys)

Removes specified keys from an object.

result := object.subset(super, sub)

Determines if an object sub is a subset of another object super.Object sub is a subset of object super if and only if every key in sub is also in super, and for all keys which sub and super share, they have the same value. This function works with objects, sets, arrays and a set of array and set.If both arguments are objects, then the operation is recursive, e.g. {"c": {"x": {10, 15, 20}} is a subset of {"a": "b", "c": {"x": {10, 15, 20, 25}, "y": "z"}. If both arguments are sets, then this function checks if every element of sub is a member of super, but does not attempt to recurse. If both arguments are arrays, then this function checks if sub appears contiguously in order within super, and also does not attempt to recurse. If super is array and sub is set, then this function checks if super contains every element of sub with no consideration of ordering, and also does not attempt to recurse.

output := object.union(a, b)

Creates a new object of the asymmetric union of two objects. For example: object.union({"a": 1, "b": 2, "c": {"d": 3}}, {"a": 7, "c": {"d": 4, "e": 5}}) will result in {"a": 7, "b": 2, "c": {"d": 4, "e": 5}}.

output := object.union_n(objects)

Creates a new object that is the asymmetric union of all objects merged from left to right. For example: object.union_n([{"a": 1}, {"b": 2}, {"a": 3}]) will result in {"b": 2, "a": 3}.

output := concat(delimiter, collection)

Joins a set or array of strings with a delimiter.

result := contains(haystack, needle)

Returns true if the search string is included in the base string

result := endswith(search, base)

Returns true if the search string ends with the base string.

output := format_int(number, base)

Returns the string representation of the number in the given base after rounding it down to an integer value.

output := indexof(haystack, needle)

Returns the index of a substring contained inside a string.

output := indexof_n(haystack, needle)

Returns a list of all the indexes of a substring contained inside a string.

y := lower(x)

Returns the input string but with all characters in lower-case.

y := replace(x, old, new)

Replace replaces all instances of a sub-string.

ys := split(x, delimiter)

Split returns an array containing elements of the input string split on a delimiter.

output := sprintf(format, values)

Returns the given string, formatted.

result := startswith(search, base)

Returns true if the search string begins with the base string.

result := strings.any_prefix_match(search, base)

Returns true if any of the search strings begins with any of the base strings.

result := strings.any_suffix_match(search, base)

Returns true if any of the search strings ends with any of the base strings.

output := strings.replace_n(patterns, value)

Replaces a string from a list of old, new string pairs. Replacements are performed in the order they appear in the target string, without overlapping matches. The old string comparisons are done in argument order.

y := strings.reverse(x)

Reverses a given string.

output := substring(value, offset, length)

Returns the portion of a string for a given offset and a length. If length < 0, output is the remainder of the string.

output := trim(value, cutset)

Returns value with all leading or trailing instances of the cutset characters removed.

output := trim_left(value, cutset)

Returns value with all leading instances of the cutset chartacters removed.

output := trim_prefix(value, prefix)

Returns value without the prefix. If value doesn’t start with prefix, it is returned unchanged.

output := trim_right(value, cutset)

Returns value with all trailing instances of the cutset chartacters removed.

output := trim_space(value)

Return the given string with all leading and trailing white space removed.

output := trim_suffix(value, suffix)

Returns value without the suffix. If value doesn’t end with suffix, it is returned unchanged.

y := upper(x)

Returns the input string but with all characters in upper-case.

output := regex.find_all_string_submatch_n(pattern, value, number)

Returns all successive matches of the expression.

output := regex.find_n(pattern, value, number)

Returns the specified number of matches when matching the input against the pattern.

result := regex.globs_match(glob1, glob2)

Checks if the intersection of two glob-style regular expressions matches a non-empty set of non-empty strings. The set of regex symbols is limited for this builtin: only ., *, +, [, -, ] and \ are treated as special symbols.

result := regex.is_valid(pattern)

Checks if a string is a valid regular expression: the detailed syntax for patterns is defined by https://github.com/google/re2/wiki/Syntax.

result := regex.match(pattern, value)

Matches a string against a regular expression.

output := regex.replace(s, pattern, value)

Find and replaces the text using the regular expression pattern.

output := regex.split(pattern, value)

Splits the input string by the occurrences of the given pattern.

result := regex.template_match(template, value, delimiter_start, delimiter_end)

Matches a string against a pattern, where there pattern may be glob-like

result := glob.match(pattern, delimiters, match)

Parses and matches strings against the glob notation. Not to be confused with regex.globs_match.

output := glob.quote_meta(pattern)

Returns a string which represents a version of the pattern where all asterisks have been escaped.

z := bits.and(x, y)

Returns the bitwise “AND” of two integers.

z := bits.lsh(x, s)

Returns a new integer with its bits shifted s bits to the left.

z := bits.negate(x)

Returns the bitwise negation (flip) of an integer.

z := bits.or(x, y)

Returns the bitwise “OR” of two integers.

z := bits.rsh(x, s)

Returns a new integer with its bits shifted s bits to the right.

z := bits.xor(x, y)

Returns the bitwise “XOR” (exclusive-or) of two integers.

num := to_number(x)

Converts a string, bool, or number value to a number: Strings are converted to numbers using strconv.Atoi, Boolean false is converted to 0 and true is converted to 1.

y := units.parse(x)

Converts strings like “10G”, “5K”, “4M”, “1500m” and the like into a number. This number can be a non-integer, such as 1.5, 0.22, etc. Supports standard metric decimal and binary SI units (e.g., K, Ki, M, Mi, G, Gi etc.) m, K, M, G, T, P, and E are treated as decimal units and Ki, Mi, Gi, Ti, Pi, and Ei are treated as binary units.

Note that ’m' and ‘M’ are case-sensitive, to allow distinguishing between “milli” and “mega” units respectively. Other units are case-insensitive.

y := units.parse_bytes(x)

Converts strings like “10GB”, “5K”, “4mb” into an integer number of bytes. Supports standard byte units (e.g., KB, KiB, etc.) KB, MB, GB, and TB are treated as decimal units and KiB, MiB, GiB, and TiB are treated as binary units. The bytes symbol (b/B) in the unit is optional and omitting it wil give the same result (e.g. Mi and MiB).

result := is_array(x)

Returns true if the input value is an array.

result := is_boolean(x)

Returns true if the input value is a boolean.

result := is_null(x)

Returns true if the input value is null.

result := is_number(x)

Returns true if the input value is a number.

result := is_object(x)

Returns true if the input value is an object

result := is_set(x)

Returns true if the input value is a set.

result := is_string(x)

Returns true if the input value is a string.

type := type_name(x)

Returns the type of its input value.

y := base64.decode(x)

Deserializes the base64 encoded input string.

y := base64.encode(x)

Serializes the input string into base64 encoding.

result := base64.is_valid(x)

Verifies the input string is base64 encoded.

y := base64url.decode(x)

Deserializes the base64url encoded input string.

y := base64url.encode(x)

Serializes the input string into base64url encoding.

y := base64url.encode_no_pad(x)

Serializes the input string into base64url encoding without padding.

y := hex.decode(x)

Deserializes the hex-encoded input string.

y := hex.encode(x)

Serializes the input string using hex-encoding.

result := json.is_valid(x)

Verifies the input string is a valid JSON document.

y := json.marshal(x)

Serializes the input term to JSON.

y := json.unmarshal(x)

Deserializes the input string.

y := urlquery.decode(x)

Decodes a URL-encoded input string.

object := urlquery.decode_object(x)

Decodes the given URL query string into an object.

y := urlquery.encode(x)

Encodes the input string into a URL-encoded string.

y := urlquery.encode_object(object)

Encodes the given object into a URL encoded query string.

result := yaml.is_valid(x)

Verifies the input string is a valid YAML document.

y := yaml.marshal(x)

Serializes the input term to YAML.

y := yaml.unmarshal(x)

Deserializes the input string.

output := io.jwt.encode_sign(headers, payload, key)

Encodes and optionally signs a JSON Web Token. Inputs are taken as objects, not encoded strings (see io.jwt.encode_sign_raw).

output := io.jwt.encode_sign_raw(headers, payload, key)

Encodes and optionally signs a JSON Web Token.

output := io.jwt.decode(jwt)

Decodes a JSON Web Token and outputs it as an object.

output := io.jwt.decode_verify(jwt, constraints)

Verifies a JWT signature under parameterized constraints and decodes the claims if it is valid. Supports the following algorithms: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384 and PS512.

result := io.jwt.verify_es256(jwt, certificate)

Verifies if a ES256 JWT signature is valid.

result := io.jwt.verify_es384(jwt, certificate)

Verifies if a ES384 JWT signature is valid.

result := io.jwt.verify_es512(jwt, certificate)

Verifies if a ES512 JWT signature is valid.

result := io.jwt.verify_hs256(jwt, secret)

Verifies if a HS256 (secret) JWT signature is valid.

result := io.jwt.verify_hs384(jwt, secret)

Verifies if a HS384 (secret) JWT signature is valid.

result := io.jwt.verify_hs512(jwt, secret)

Verifies if a HS512 (secret) JWT signature is valid.

result := io.jwt.verify_ps256(jwt, certificate)

Verifies if a PS256 JWT signature is valid.

result := io.jwt.verify_ps384(jwt, certificate)

Verifies if a PS384 JWT signature is valid.

result := io.jwt.verify_ps512(jwt, certificate)

Verifies if a PS512 JWT signature is valid.

result := io.jwt.verify_rs256(jwt, certificate)

Verifies if a RS256 JWT signature is valid.

result := io.jwt.verify_rs384(jwt, certificate)

Verifies if a RS384 JWT signature is valid.

result := io.jwt.verify_rs512(jwt, certificate)

Verifies if a RS512 JWT signature is valid.

output := time.add_date(ns, years, months, days)

Returns the nanoseconds since epoch after adding years, months and days to nanoseconds. undefined if the result would be outside the valid time range that can fit within an int64.

output := time.clock(x)

Returns the [hour, minute, second] of the day for the nanoseconds since epoch.

date := time.date(x)

Returns the [year, month, day] for the nanoseconds since epoch.

output := time.diff(ns1, ns2)

Returns the difference between two unix timestamps in nanoseconds (with optional timezone strings).

now := time.now_ns()

Returns the current time since epoch in nanoseconds.

ns := time.parse_duration_ns(duration)

Returns the duration in nanoseconds represented by a string.

ns := time.parse_ns(layout, value)

Returns the time in nanoseconds parsed from the string in the given format. undefined if the result would be outside the valid time range that can fit within an int64.

ns := time.parse_rfc3339_ns(value)

Returns the time in nanoseconds parsed from the string in RFC3339 format. undefined if the result would be outside the valid time range that can fit within an int64.

day := time.weekday(x)

Returns the day of the week (Monday, Tuesday, …) for the nanoseconds since epoch.

y := crypto.hmac.md5(x, key)

Returns a string representing the MD5 HMAC of the input message using the input key.

y := crypto.hmac.sha1(x, key)

Returns a string representing the SHA1 HMAC of the input message using the input key.

y := crypto.hmac.sha256(x, key)

Returns a string representing the SHA256 HMAC of the input message using the input key.

y := crypto.hmac.sha512(x, key)

Returns a string representing the SHA512 HMAC of the input message using the input key.

y := crypto.md5(x)

Returns a string representing the input string hashed with the MD5 function

y := crypto.sha1(x)

Returns a string representing the input string hashed with the SHA1 function

y := crypto.sha256(x)

Returns a string representing the input string hashed with the SHA256 function

output := crypto.x509.parse_and_verify_certificates(certs)

Returns one or more certificates from the given string containing PEM or base64 encoded DER certificates after verifying the supplied certificates form a complete certificate chain back to a trusted root.

The first certificate is treated as the root and the last is treated as the leaf, with all others being treated as intermediates.

output := crypto.x509.parse_certificate_request(csr)

Returns a PKCS #10 certificate signing request from the given PEM-encoded PKCS#10 certificate signing request.

output := crypto.x509.parse_certificates(certs)

Returns one or more certificates from the given base64 encoded string containing DER encoded certificates that have been concatenated.

output := crypto.x509.parse_rsa_private_key(pem)

Returns a JWK for signing a JWT from the given PEM-encoded RSA private key.

output := graph.reachable(graph, initial)

Computes the set of reachable nodes in the graph from a set of starting nodes.

output := graph.reachable_paths(graph, initial)

Computes the set of reachable paths in the graph from a set of starting nodes.

walk(x, output)

Generates [path, value] tuples for all nested documents of x (recursively). Queries can use walk to traverse documents nested under x.

output := graphql.is_valid(query, schema)

Checks that a GraphQL query is valid against a given schema. The query and/or schema can be either GraphQL strings or AST objects from the other GraphQL builtin functions.

output := graphql.parse(query, schema)

Returns AST objects for a given GraphQL query and schema after validating the query against the schema. Returns undefined if errors were encountered during parsing or validation. The query and/or schema can be either GraphQL strings or AST objects from the other GraphQL builtin functions.

output := graphql.parse_and_verify(query, schema)

Returns a boolean indicating success or failure alongside the parsed ASTs for a given GraphQL query and schema after validating the query against the schema. The query and/or schema can be either GraphQL strings or AST objects from the other GraphQL builtin functions.

output := graphql.parse_query(query)

Returns an AST object for a GraphQL query.

output := graphql.parse_schema(schema)

Returns an AST object for a GraphQL schema.

output := graphql.schema_is_valid(schema)

Checks that the input is a valid GraphQL schema. The schema can be either a GraphQL string or an AST object from the other GraphQL builtin functions.

response := http.send(request)

Returns a HTTP response to the given HTTP request.

result := net.cidr_contains(cidr, cidr_or_ip)

Checks if a CIDR or IP is contained within another CIDR. output is true if cidr_or_ip (e.g. 127.0.0.64/26 or 127.0.0.1) is contained within cidr (e.g. 127.0.0.1/24) and false otherwise. Supports both IPv4 and IPv6 notations.

output := net.cidr_contains_matches(cidrs, cidrs_or_ips)

Checks if collections of cidrs or ips are contained within another collection of cidrs and returns matches. This function is similar to net.cidr_contains except it allows callers to pass collections of CIDRs or IPs as arguments and returns the matches (as opposed to a boolean result indicating a match between two CIDRs/IPs).

hosts := net.cidr_expand(cidr)

Expands CIDR to set of hosts (e.g., net.cidr_expand("192.168.0.0/30") generates 4 hosts: {"192.168.0.0", "192.168.0.1", "192.168.0.2", "192.168.0.3"}).

result := net.cidr_intersects(cidr1, cidr2)

Checks if a CIDR intersects with another CIDR (e.g. 192.168.0.0/16 overlaps with 192.168.1.0/24). Supports both IPv4 and IPv6 notations.

result := net.cidr_is_valid(cidr)

Parses an IPv4/IPv6 CIDR and returns a boolean indicating if the provided CIDR is valid.

output := net.cidr_merge(addrs)

Merges IP addresses and subnets into the smallest possible list of CIDRs (e.g., net.cidr_merge(["192.0.128.0/24", "192.0.129.0/24"]) generates {"192.0.128.0/23"}.This function merges adjacent subnets where possible, those contained within others and also removes any duplicates. Supports both IPv4 and IPv6 notations. IPv6 inputs need a prefix length (e.g. “/128”).

:= net.cidr_overlap(, )

addrs := net.lookup_ip_addr(name)

Returns the set of IP addresses (both v4 and v6) that the passed-in name resolves to using the standard name resolution mechanisms available.

output := uuid.rfc4122(k)

Returns a new UUIDv4.

result := semver.compare(a, b)

Compares valid SemVer formatted version strings.

result := semver.is_valid(vsn)

Validates that the input is a valid SemVer string.

chain := rego.metadata.chain()

Returns the chain of metadata for the active rule. Ordered starting at the active rule, going outward to the most distant node in its package ancestry. A chain entry is a JSON document with two members: “path”, an array representing the path of the node; and “annotations”, a JSON document containing the annotations declared for the node. The first entry in the chain always points to the active rule, even if it has no declared annotations (in which case the “annotations” member is not present).

output := rego.metadata.rule()

Returns annotations declared for the active rule and using the rule scope.

output := rego.parse_module(filename, rego)

Parses the input Rego string and returns an object representation of the AST.

output := opa.runtime()

Returns an object that describes the runtime environment where OPA is deployed.

result := trace(note)

Emits note as a Note event in the query explanation. Query explanations show the exact expressions evaluated by OPA during policy execution. For example, trace("Hello There!") includes Note "Hello There!" in the query explanation. To include variables in the message, use sprintf. For example, person := "Bob"; trace(sprintf("Hello There! %v", [person])) will emit Note "Hello There! Bob" inside of the explanation.