OpenFGA is a high-performance, flexible authorization/permission engine built for developers and inspired by Google Zanzibar. It combines Relationship-Based Access Control (ReBAC) and Attribute-Based Access Control (ABAC) with a domain-specific language that makes it easy to craft authorization solutions that grow and evolve to any use case, at any scale.

Originally developed by Auth0/Okta and donated to the Cloud Native Computing Foundation in September 2022, OpenFGA is currently at the Incubation level and maintained by Okta and Grafana employees.

Adopted by: Auth0 | Grafana Labs | Canonical | Docker | Agicap | Read.AI | Headspace | and more...

# Run OpenFGA locally with Docker
docker pull openfga/openfga
docker run -p 8080:8080 openfga/openfga run

Then explore the playground, read the documentation, or watch the OpenFGA Modeling Guide for tutorials.

OpenFGA is designed to solve authorization for everyone, regardless of scale or complexity. Fine-grained authorization is becoming critical for modern software:

• Agentic AI requires authorization. You can't expose your API to agents without proper authorization. You also need authorization for Retrieval-Augmented Generation (RAG) and restricting Agent access to APIs or MCP servers.

• Users expect collaboration features. From 'Share' buttons to 'Request Access' workflows—for documents, project boards, photo albums, and IoT devices—OpenFGA makes these easy to build and govern.

• Traditional RBAC doesn't scale. Fine-grained approaches like OpenFGA create authorization models that remain easy to understand and visualize, even for complex patterns.

• Security and compliance are mandatory. The top risk in the OWASP Top 10 is Broken Access Control. Authorization is a critical part of any security solution.

Centralizing authorization into a single, flexible service provides distinct advantages:

• Ship faster — Easily extensible to new requirements across all your products
• Simplify auditing — Explicit rules are easier to audit; built-in logs for all operations
• Lower operational costs — One authorization system is simpler to manage
• Improve developer experience — Same concepts and APIs regardless of team

OpenFGA provides high-quality developer tooling:

• AI Agent Skills — Skills for AI Agents
• SDKs — Go | JavaScript | .NET | Python | Java
• CLI — Operate servers, import/export models and tuples, run tests
• IDE Extensions — VS Code and JetBrains with syntax highlighting and validation
• Kubernetes — Helm Chart for easy deployment
• CI/CD — GitHub Actions for testing and deploying models
• Modular Models — Multi-team support for a single authorization system
• Infrastructure as Code — Terraform Provider

Ready to get started? Check out the documentation or join us on Slack.