A delayed response, but hopefully it is still relevant:
Resgate is more about resources than streaming. You control access to resources, not events by themselves.
When a client subscribes to a resource (eg. account.balance), the server will grant or deny get access using the access.account.balance topic (access request). If access is granted, the client will have access to the resource and all events sent on that resource.
So, how to make it more granular?
In your case, you should not have a single account.balance resource; you should have multiple resources, eg. account.{accountId}.balance (or perhaps user.{userId}.account.balance).
Instead of sending events on account.balance, you would send it to eg. account.42.balance.
Access is controlled with the access request:
Example using node.js and raw NATS client.
// Access listener
nats.subscribe('access.account.*.balance', (request, reply, subject) => {
let r = JSON.parse(request);
// Assume we have set userId in the token
let userId = r.token && r.token.userId;
// Get just the wildcard (accountId) part of the subject
let accountId = subject.slice(15, -8);
// Validate access in some smart way
let getAccess = validateUserOwnsAccount(userId, accountId);
// Reply with get access set to true or false depending on if access is granted
nats.publish(reply, JSON.stringify({ result: { get: getAccess }}));
});
If you are uncertain on how to set the access token (where we get the userId from in above code example), I can help with that too 
.
Best regards,
Samuel
. Glad it made sense.