# OpenFGA — Fine-Grained Authorization at Scale > Model and evaluate complex permission policies with a relationship-based authorization system. Inspired by Google Zanzibar and backed by the CNCF. ## Install Save in your project root: # OpenFGA — Fine-Grained Authorization at Scale ## Quick Use ```bash docker pull openfga/openfga docker run -p 8080:8080 -p 3000:3000 openfga/openfga run # Create a store and authorization model via the REST API: curl -X POST http://localhost:8080/stores -d '{"name":"my-store"}' ``` ## Introduction OpenFGA is a CNCF sandbox project that implements a relationship-based access control (ReBAC) engine inspired by Google's Zanzibar paper. It lets developers define authorization models as type-relation graphs and evaluate permission checks in sub-millisecond latency at scale. ## What OpenFGA Does - Evaluates fine-grained authorization checks based on object-relation-user tuples - Models complex permission hierarchies like folders, teams, roles, and sharing - Provides SDKs for Go, Node.js, Python, Java, and .NET - Supports contextual tuples for request-time conditions like IP range or time of day - Runs as a standalone server or embedded library ## Architecture Overview OpenFGA stores authorization data as relationship tuples (user, relation, object) in a backend datastore, either PostgreSQL or MySQL. Authorization models are written in a DSL that defines types, relations, and how permissions are derived through union, intersection, and exclusion operators. The Check API resolves whether a user has a relation to an object by traversing the tuple graph, using caching and concurrency to keep latency low. ## Self-Hosting & Configuration - Run via Docker, the official Helm chart, or prebuilt binaries for Linux and macOS - Configure PostgreSQL or MySQL as the persistent tuple store - Write authorization models in the OpenFGA DSL or JSON format - Use the FGA CLI to test models locally before deploying them - Deploy behind a reverse proxy with mTLS for production security ## Key Features - Zanzibar-inspired ReBAC engine for modeling any permission pattern - Sub-millisecond check latency with built-in caching and graph traversal optimization - Authorization model language with visual playground for rapid prototyping - Contextual tuples for dynamic, request-time access decisions - CNCF sandbox project with production use at Auth0, Okta, and Twitch ## Comparison with Similar Tools - **OPA (Open Policy Agent)** — General-purpose policy engine using Rego; OpenFGA specializes in relationship-based access control with a purpose-built graph engine - **Casbin** — Embeddable ACL/RBAC library; OpenFGA offers a dedicated server with tuple storage and Zanzibar-scale graph evaluation - **SpiceDB** — Also Zanzibar-inspired; OpenFGA is CNCF-backed with broader SDK support and Auth0 production lineage - **Keycloak** — Identity provider with basic role mapping; OpenFGA handles fine-grained object-level permissions beyond RBAC ## FAQ **Q: What is a relationship tuple?** A: A tuple is a triple (user, relation, object) such as (user:alice, editor, document:readme). OpenFGA stores and queries these tuples to evaluate permissions. **Q: Can OpenFGA replace RBAC?** A: Yes. RBAC is a subset of ReBAC. You can model roles as relations and add finer-grained object-level permissions on top. **Q: How does it scale?** A: OpenFGA is stateless and horizontally scalable. Multiple instances share the same database, and caching reduces repeated graph traversals. **Q: Is there a hosted version?** A: Auth0 offers a managed FGA service. The open-source server is fully functional for self-hosted deployments. ## Sources - https://github.com/openfga/openfga - https://openfga.dev/docs --- Source: https://tokrepo.com/en/workflows/f8c97401-3974-11f1-9bc6-00163e2b0d79 Author: AI Open Source