OpenFGA is a high-performance, flexible authorization/permission engine built for developers and inspired by Google Zanzibar. It combines Relationship-Based Access Control (ReBAC) and Attribute-Based Access Control (ABAC) with a domain-specific language that makes it easy to craft authorization solutions that grow and evolve to any use case, at any scale.
Originally developed by Auth0/Okta and donated to the Cloud Native Computing Foundation in September 2022, OpenFGA is currently at the Incubation level and maintained by Okta and Grafana employees.
Adopted by: Auth0 | Grafana Labs | Canonical | Docker | Agicap | Read.AI | Headspace | and more...
# Run OpenFGA locally with Docker
docker pull openfga/openfga
docker run -p 8080:8080 openfga/openfga runThen explore the playground, read the documentation, or watch the OpenFGA Modeling Guide for tutorials.
OpenFGA is designed to solve authorization for everyone, regardless of scale or complexity. Fine-grained authorization is becoming critical for modern software:
-
Agentic AI requires authorization. You can't expose your API to agents without proper authorization. You also need authorization for Retrieval-Augmented Generation (RAG) and restricting Agent access to APIs or MCP servers.
-
Users expect collaboration features. From 'Share' buttons to 'Request Access' workflows—for documents, project boards, photo albums, and IoT devices—OpenFGA makes these easy to build and govern.
-
Traditional RBAC doesn't scale. Fine-grained approaches like OpenFGA create authorization models that remain easy to understand and visualize, even for complex patterns.
-
Security and compliance are mandatory. The top risk in the OWASP Top 10 is Broken Access Control. Authorization is a critical part of any security solution.
Centralizing authorization into a single, flexible service provides distinct advantages:
- Ship faster — Easily extensible to new requirements across all your products
- Simplify auditing — Explicit rules are easier to audit; built-in logs for all operations
- Lower operational costs — One authorization system is simpler to manage
- Improve developer experience — Same concepts and APIs regardless of team
OpenFGA provides high-quality developer tooling:
- AI Agent Skills — Skills for AI Agents
- SDKs — Go | JavaScript | .NET | Python | Java
- CLI — Operate servers, import/export models and tuples, run tests
- IDE Extensions — VS Code and JetBrains with syntax highlighting and validation
- Kubernetes — Helm Chart for easy deployment
- CI/CD — GitHub Actions for testing and deploying models
- Modular Models — Multi-team support for a single authorization system
- Infrastructure as Code — Terraform Provider
| Resource | Description |
|---|---|
| Documentation | Guides, tutorials, and API reference |
| Community | Join us on CNCF Slack or GitHub Discussions |
| Contributing | How to contribute code, docs, and more |
| Adopters | Companies using OpenFGA in production |
| Community Projects | Integrations and tools built by the community |
Ready to get started? Check out the documentation or join us on Slack.