diff --git a/src/backend/src/routers/auth/grant-dev-app.js b/src/backend/src/routers/auth/grant-dev-app.js
index 79f82789..df4aef77 100644
--- a/src/backend/src/routers/auth/grant-dev-app.js
+++ b/src/backend/src/routers/auth/grant-dev-app.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 
 module.exports = eggspress('/auth/grant-dev-app', {
     subdomain: 'api',
@@ -40,15 +41,12 @@ module.exports = eggspress('/auth/grant-dev-app', {
         req.body.app_uid = await svc_auth.app_uid_from_origin(req.body.origin);
     }
 
-    if ( ! req.body.app_uid ) {
-        throw APIError.create('field_missing', null, { key: 'app_uid' });
-    }
-
-    if ( ! req.body.permission ) {
-        throw APIError.create('field_missing', null, {
-            key: 'permission',
-        });
-    }
+    validate_fields({
+        app_uid: { type: 'string', optional: false },
+        permission: { type: 'string', optional: false },
+        extra: { type: 'object', optional: true },
+        meta: { type: 'object', optional: true },
+    }, req.body);
 
     await svc_permission.grant_dev_app_permission(actor, req.body.app_uid, req.body.permission, req.body.extra || {}, req.body.meta || {});
 
diff --git a/src/backend/src/routers/auth/grant-user-app.js b/src/backend/src/routers/auth/grant-user-app.js
index 643e1cfc..dd78561f 100644
--- a/src/backend/src/routers/auth/grant-user-app.js
+++ b/src/backend/src/routers/auth/grant-user-app.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 
 module.exports = eggspress('/auth/grant-user-app', {
     subdomain: 'api',
@@ -40,15 +41,12 @@ module.exports = eggspress('/auth/grant-user-app', {
         req.body.app_uid = await svc_auth.app_uid_from_origin(req.body.origin);
     }
 
-    if ( ! req.body.app_uid ) {
-        throw APIError.create('field_missing', null, { key: 'app_uid' });
-    }
-
-    if ( ! req.body.permission ) {
-        throw APIError.create('field_missing', null, {
-            key: 'permission',
-        });
-    }
+    validate_fields({
+        app_uid: { type: 'string', optional: false },
+        permission: { type: 'string', optional: false },
+        extra: { type: 'object', optional: true },
+        meta: { type: 'object', optional: true },
+    }, req.body);
 
     await svc_permission.grant_user_app_permission(actor, req.body.app_uid, req.body.permission, req.body.extra || {}, req.body.meta || {});
 
diff --git a/src/backend/src/routers/auth/grant-user-group.js b/src/backend/src/routers/auth/grant-user-group.js
index 4b006550..66218bb4 100644
--- a/src/backend/src/routers/auth/grant-user-group.js
+++ b/src/backend/src/routers/auth/grant-user-group.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 
 module.exports = eggspress('/auth/grant-user-group', {
     subdomain: 'api',
@@ -35,17 +36,12 @@ module.exports = eggspress('/auth/grant-user-group', {
         throw APIError.create('forbidden');
     }
 
-    if ( ! req.body.group_uid ) {
-        throw APIError.create('field_missing', null, {
-            key: 'group_uid',
-        });
-    }
-
-    if ( ! req.body.permission ) {
-        throw APIError.create('field_missing', null, {
-            key: 'permission',
-        });
-    }
+    validate_fields({
+        group_uid: { type: 'string', optional: false },
+        permission: { type: 'string', optional: false },
+        extra: { type: 'object', optional: true },
+        meta: { type: 'object', optional: true },
+    }, req.body);
 
     await svc_permission.grant_user_group_permission(actor, req.body.group_uid, req.body.permission, req.body.extra || {}, req.body.meta || {});
 
diff --git a/src/backend/src/routers/auth/grant-user-user.js b/src/backend/src/routers/auth/grant-user-user.js
index 037bee63..90a9151c 100644
--- a/src/backend/src/routers/auth/grant-user-user.js
+++ b/src/backend/src/routers/auth/grant-user-user.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 
 module.exports = eggspress('/auth/grant-user-user', {
     subdomain: 'api',
@@ -35,15 +36,12 @@ module.exports = eggspress('/auth/grant-user-user', {
         throw APIError.create('forbidden');
     }
 
-    if ( ! req.body.target_username ) {
-        throw APIError.create('field_missing', null, { key: 'target_username' });
-    }
-
-    if ( ! req.body.permission ) {
-        throw APIError.create('field_missing', null, {
-            key: 'permission',
-        });
-    }
+    validate_fields({
+        target_username: { type: 'string', optional: false },
+        permission: { type: 'string', optional: false },
+        extra: { type: 'object', optional: true },
+        meta: { type: 'object', optional: true },
+    }, req.body);
 
     await svc_permission.grant_user_user_permission(actor, req.body.target_username, req.body.permission, req.body.extra || {}, req.body.meta || {});