OpenFGA brings Google Zanzibar's relationship-based access control model to every developer through an open-source engine backed by Okta's Auth0 team. The system models authorization as a graph of relationships between users and objects, evaluating permission queries by traversing these relationships according to rules defined in an authorization model. This approach scales naturally from simple role-based access to complex scenarios involving shared folders, team hierarchies, and cross-organizational permissions.
The authorization modeling language uses a DSL that defines types, their relations, and how permissions compose. Developers write tuples that represent relationships — like 'user:anne is viewer of document:readme' — and the engine resolves whether a user has a specific permission by following the relationship graph. OpenFGA supports conditional relationships based on context, enabling time-based or attribute-based access decisions. The query engine is optimized for sub-millisecond latency even with millions of stored relationship tuples.
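The graph resolution described above can be sketched in a few lines. This is an added example, not OpenFGA's code, DSL or SDK: the `MODEL` dictionary, the rule names (`direct`, `computed`, `from`), the tuple layout and the `not_after` expiry field are all constructed for illustration, with `not_after` standing in for a conditional relationship.

```python
from datetime import datetime, timezone
# Constructed model: per type, each relation lists the ways it can be satisfied.
#   ("direct",)         a stored tuple grants it
#   ("computed", r)     holding relation r on the same object grants it
#   ("from", link, r)   holding r on the object reached through `link` grants it
MODEL = {
    "team": {"member": [("direct",)]},
    "folder": {"viewer": [("direct",)]},
    "document": {
        "parent": [("direct",)],
        "editor": [("direct",)],
        "viewer": [("direct",), ("computed", "editor"), ("from", "parent", "viewer")],
    },
}
# Constructed tuples: (subject, relation, object, not_after). not_after is a
# simplified stand-in for a conditional relationship (a time-limited grant).
TUPLES = [
    ("user:anne", "viewer", "document:readme", None),
    ("user:bob", "editor", "document:readme", None),
    ("folder:docs", "parent", "document:spec", None),
    ("team:eng#member", "viewer", "folder:docs", None),
    ("user:carol", "member", "team:eng", None),
    ("user:dave", "viewer", "folder:docs", datetime(2030, 1, 1, tzinfo=timezone.utc)),
]

def check(user, relation, obj, now=None, seen=frozenset()):
    """Return True if `user` has `relation` on `obj` by walking the graph."""
    if (relation, obj) in seen:          # cycle guard: never revisit a node on this path
        return False
    seen = seen | {(relation, obj)}
    rules = MODEL.get(obj.split(":")[0], {}).get(relation, [])  # unknown type/relation: deny
    for rule in rules:
        if rule[0] == "computed" and check(user, rule[1], obj, now, seen):
            return True
        for subj, rel, target, not_after in TUPLES:
            if target != obj:
                continue
            if rule[0] == "direct" and rel == relation:
                if not_after and not (now and now < not_after):
                    continue             # fail closed: no context supplied, or grant expired
                if subj == user:
                    return True
                if "#" in subj:          # userset subject such as team:eng#member
                    group, group_rel = subj.split("#")
                    if check(user, group_rel, group, now, seen):
                        return True
            elif rule[0] == "from" and rel == rule[1] and check(user, rule[2], subj, now, seen):
                return True
    return False
```

Note that the time-limited grant is denied when the caller supplies no `now` value, so a missing context never widens access.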
With over 5,000 GitHub stars and CNCF sandbox status, OpenFGA has established itself alongside SpiceDB as a leading open-source Zanzibar implementation. Okta provides official SDKs for JavaScript, Python, Go, Java, .NET, and Ruby, along with a visual playground for testing authorization models. The engine runs as a standalone service with PostgreSQL or MySQL backends and integrates with existing identity providers. Production users include Grafana Labs for dashboard permissions, Canonical for Ubuntu Pro access, and Docker for container registry authorization.