
OpenFGA

Fine-grained authorization engine by Okta


OpenFGA is an open-source authorization engine inspired by Google Zanzibar, built and maintained by Okta (Auth0). It provides relationship-based access control with a flexible modeling language, sub-millisecond permission checks, and SDKs for major languages. OpenFGA is used by companies including Grafana Labs, Canonical, and Docker for fine-grained access control in multi-tenant applications.

OpenFGA brings Google Zanzibar's relationship-based access control model to every developer through an open-source engine backed by Okta's Auth0 team. The system models authorization as a graph of relationships between users and objects, evaluating permission queries by traversing these relationships according to rules defined in an authorization model. This approach scales naturally from simple role-based access to complex scenarios involving shared folders, team hierarchies, and cross-organizational permissions.

The authorization modeling language uses a DSL that defines types, their relations, and how permissions compose. Developers write tuples that represent relationships — like 'user:anne is viewer of document:readme' — and the engine resolves whether a user has a specific permission by following the relationship graph. OpenFGA supports conditional relationships based on context, enabling time-based or attribute-based access decisions. The query engine is optimized for sub-millisecond latency even with millions of stored relationship tuples.

With over 5,000 GitHub stars and CNCF sandbox status, OpenFGA has established itself alongside SpiceDB as a leading open-source Zanzibar implementation. Okta provides official SDKs for JavaScript, Python, Go, Java, .NET, and Ruby, along with a visual playground for testing authorization models. The engine runs as a standalone service with PostgreSQL or MySQL backends and integrates with existing identity providers. Production users include Grafana Labs for dashboard permissions, Canonical for Ubuntu Pro access, and Docker for container registry authorization.

Pricing

Free and open source under Apache-2.0 license

Platforms

Docker — SDKs for JS, Python, Go, Java, .NET, Ruby

Related Tools

KubeAI

Kubernetes operator for serving AI inference workloads

KubeAI is an Apache-2.0 Kubernetes operator for deploying and scaling AI inference workloads, including LLMs, embeddings, reranking, and speech-to-text. It gives platform teams OpenAI-compatible endpoints, model proxy/controller primitives, model caching, scale-from-zero behavior, and cluster-native resource management for self-hosted inference on Kubernetes.

Open Source

Agent Governance Toolkit

Microsoft’s public-preview runtime governance toolkit for policy, identity, sandboxing, audit, and MCP security around AI agents.

Agent Governance Toolkit is Microsoft’s MIT-licensed public-preview toolkit for governing AI agent runtimes. It adds policy enforcement, zero-trust identity, execution sandboxing, audit, reliability, and MCP security-gateway patterns around tool calls and autonomous actions, helping platform teams move beyond prompt-only guardrails while preserving architecture review requirements.

Open Source, Telemetry

Baz

Telemetry-aware AI code reviewer that checks how pull requests may affect real services.

Baz is an AI code-review platform focused on production-aware pull requests. Instead of only reading the diff, Baz connects code changes to application telemetry so reviewers can understand what endpoints, services, and runtime behavior may be affected. That makes it a useful complement to existing AI PR bots when the question is not just whether a change looks correct, but whether it could break a live system.

Freemium, Telemetry

Rampart

Microsoft’s pytest-native red teaming framework for turning AI agent safety findings into CI tests.

RAMPART is an open-source Microsoft framework for safety and security testing of agentic AI applications. It brings red-team findings into a pytest-native workflow so teams can turn prompt injection, unsafe tool use, and behavioral boundary failures into repeatable regression tests. The strongest aicoolies angle is developer workflow: RAMPART makes agent safety part of CI/CD instead of a one-off security review.

Open Source

Statewright

State-machine guardrails for controlling which tools AI coding agents can use at each phase.

Statewright is a guardrail layer for AI coding agents that uses explicit state machines to control what an agent can do at each stage of a workflow. Instead of relying only on prompt instructions, teams can model phases such as plan, implement, test, and review, then constrain tool access for clients like Claude Code, Codex, Cursor, opencode, and related MCP workflows.

Open Source

Freestyle

Sandboxes for coding agents — Linux VMs, Git, and deploys in one box

Freestyle is YC-backed sandbox infrastructure built for AI coding agents, shipping secure Linux VMs with nested virtualization, Git servers, and one-click web deploys. It lets agents run real workloads, branch repos, and deploy apps under short-lived identities while billing only for active compute. Used in production by vly.ai, Rork, and Vibeflow.

freemium
