OpenFGA is a high-performance, flexible authorization/permission engine built for developers and inspired byGoogle Zanzibar. It combinesRelationship-Based Access Control (ReBAC) andAttribute-Based Access Control (ABAC) with a domain-specific language that makes it easy to craft authorization solutions that grow and evolve to any use case, at any scale.

Originally developed by Auth0/Okta anddonated to the Cloud Native Computing Foundation in September 2022, OpenFGA is currently at the Incubation level and maintained byOkta and Grafana employees.

Adopted by:Auth0 |Grafana Labs |Canonical |Docker |Agicap |Read.AI |Headspace |and more...

# Run OpenFGA locally with Dockerdocker pull openfga/openfgadocker run -p 8080:8080 openfga/openfga run

Then explore theplayground, read thedocumentation, or watch theOpenFGA Modeling Guide for tutorials.

OpenFGA is designed to solve authorization for everyone, regardless of scale or complexity. Fine-grained authorization is becoming critical for modern software:

• Agentic AI requires authorization. You can't expose your API to agents without proper authorization. You also need authorization for Retrieval-Augmented Generation (RAG) and restricting Agent access to APIs or MCP servers.

• Users expect collaboration features. From 'Share' buttons to 'Request Access' workflows—for documents, project boards, photo albums, and IoT devices—OpenFGA makes these easy to build and govern.

• Traditional RBAC doesn't scale. Fine-grained approaches like OpenFGA create authorization models that remain easy to understand and visualize, even for complex patterns.

• Security and compliance are mandatory. The top risk in theOWASP Top 10 isBroken Access Control. Authorization is a critical part of any security solution.

Centralizing authorization into a single, flexible service provides distinct advantages:

• Ship faster — Easily extensible to new requirements across all your products
• Simplify auditing — Explicit rules are easier to audit; built-in logs for all operations
• Lower operational costs — One authorization system is simpler to manage
• Improve developer experience — Same concepts and APIs regardless of team

OpenFGA provides high-quality developer tooling:

• AI Agent Skills —Skills for AI Agents
• SDKs —Go |JavaScript |.NET |Python |Java
• CLI —Operate servers, import/export models and tuples, run tests
• IDE Extensions —VS Code andJetBrains with syntax highlighting and validation
• Kubernetes —Helm Chart for easy deployment
• CI/CD — GitHub Actions fortesting anddeploying models
• Modular Models —Multi-team support for a single authorization system
• Infrastructure as Code —Terraform Provider

Ready to get started? Check out thedocumentation or join us onSlack.

Repositories

Most used topics