{"id":13509073,"url":"https://github.com/aserto-dev/topaz","last_synced_at":"2026-01-30T15:02:44.643Z","repository":{"id":61989249,"uuid":"556329104","full_name":"aserto-dev/topaz","owner":"aserto-dev","description":"Cloud-native authorization for modern applications and APIs","archived":false,"fork":false,"pushed_at":"2026-01-16T10:55:39.000Z","size":19735,"stargazers_count":1296,"open_issues_count":7,"forks_count":42,"subscribers_count":12,"default_branch":"main","last_synced_at":"2026-01-16T20:11:30.660Z","etag":null,"topics":["abac","access-control","api","authorization","cloud-native","golang","opa","rbac","rebac","security","zanzibar"],"latest_commit_sha":null,"homepage":"https://www.topaz.sh","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aserto-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-10-23T15:54:10.000Z","updated_at":"2026-01-16T10:55:58.000Z","dependencies_parsed_at":"2023-10-03T18:44:54.847Z","dependency_job_id":"3a9451ba-9715-4453-92af-85f4e573e8df","html_url":"https://github.com/aserto-dev/topaz","commit_stats":{"total_commits":247,"total_committers":15,"mean_commits":"16.466666666666665","dds":0.4858299595141701,"last_synced_commit":"2c320243d7ae613e9f75230d34048efc75e1d6d6"},"previous_names":[],"tags_count":200,"template":false,"template_full_name":null,"purl":"pkg:github/aserto-dev/topaz","repository_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/aserto-dev%2Ftopaz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Ftopaz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Ftopaz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Ftopaz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aserto-dev","download_url":"https://codeload.github.com/aserto-dev/topaz/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Ftopaz/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28914895,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T12:13:43.263Z","status":"ssl_error","status_checked_at":"2026-01-30T12:13:22.389Z","response_time":66,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abac","access-control","api","authorization","cloud-native","golang","opa","rbac","rebac","security","zanzibar"],"created_at":"2024-08-01T02:01:02.617Z","updated_at":"2026-01-30T15:02:44.612Z","avatar_url":"https://github.com/aserto-dev.png","language":"Go","funding_links":[],"categories":["Go","Security \u0026 Compliance","Tooling— Authentication and Authorization","Tools and Utilities","api","Zanzibar Softwares and Services","Authorization","\u003ca 
name=\"Go\"\u003e\u003c/a\u003eGo","Policy Engines \u0026 Frameworks"],"sub_categories":["Testing Blogs and Articles","ReBAC frameworks","Zanzibar-Based"],"readme":"\u003cimg src=\"assets/logo.svg\" alt=\"topaz logo\"\u003e\n\n# Topaz - cloud-native authorization for modern applications and APIs\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/aserto-dev/topaz)](https://goreportcard.com/report/github.com/aserto-dev/topaz)\n[![ci](https://github.com/aserto-dev/topaz/actions/workflows/ci.yaml/badge.svg)](https://github.com/aserto-dev/topaz/actions/workflows/ci.yaml)\n![Apache 2.0](https://img.shields.io/github/license/aserto-dev/topaz)\n![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/aserto-dev/topaz)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6652/badge)](https://bestpractices.coreinfrastructure.org/projects/6652)\n[\u003cimg src=\"https://img.shields.io/badge/slack-@asertocommunity-yellow.svg?logo=slack\"\u003e](https://www.aserto.com/slack)\n[\u003cimg src=\"https://img.shields.io/badge/docs-%F0%9F%95%B6-blue\"\u003e](https://www.topaz.sh/docs/intro)\n\u003ca href=\"https://twitter.com/intent/follow?screen_name=aserto_com\"\u003e\u003cimg src=\"https://img.shields.io/badge/Follow-aserto__com-blue?style=flat\u0026logo=twitter\"\u003e\u003c/a\u003e\n\n\nTopaz is an open-source authorization service providing fine-grained, real-time, policy-based access control for applications and APIs.\n\nIt uses the [Open Policy Agent](https://www.openpolicyagent.org/) (OPA) as its decision engine, and provides a built-in directory that is inspired by the Google [Zanzibar](https://research.google/pubs/pub48190/) data model.\n\nAuthorization policies can leverage user attributes, group membership, application resources, and relationships between them. 
All data used for authorization is modeled and stored locally in an embedded database, so authorization decisions can be evaluated quickly and efficiently.\n\n\u003cimg src=\"assets/topaz_model_viz.gif\" alt=\"topaz model visualization\"\u003e\n\n## Documentation and support\n\nRead more at [topaz.sh](https://www.topaz.sh) and the [docs](https://www.topaz.sh/docs/intro).\n\nJoin the community [Slack channel](https://www.aserto.com/slack) for questions and help!\n\n## Benefits\n\n* **Authorization in one place**: a single authorization service, instead of spreading authorization logic everywhere.\n* **Fine-grained**: following the Principle of Least Privilege, assign the smallest set of fine-grained permissions to each user or group.\n* **Policy-based**: convert authorization \"spaghetti code\" into a policy expressed in its own domain-specific language, managed as code, and built into an immutable, signed artifact.\n* **Real-time**: gate each protected resource with an authorization call that ensures the user has the right permission.\n* **Blazing fast**: deploy the authorizer as a sidecar or microservice, right next to your app, for low latency and high availability.\n* **Comprehensive decision logging**: log every decision to facilitate audit trails, compliance, and forensics.\n* **Flexible authorization model**: Start simple, and grow from multi-tenant RBAC to ABAC or ReBAC, or a combination.\n* **Capture your domain model**: Create object types and relationships that reflect your domain model.\n* **Separation of concerns**: application developers can own the app logic, and security engineers can own the authorization policy.\n\n## Table of Contents\n- [Getting Topaz](#getting-topaz)\n    - [Installation](#installation)\n    - [Building from source](#building-from-source)\n    - [Running with Docker](#running-with-docker)\n- [Quickstart](#quickstart)\n    - [Install container image](#install-topaz-authorizer-container-image)\n    - [Install Todo 
template](#install-the-todo-template)\n    - [Issue an API call](#issue-an-api-call)\n    - [Issue authorization request](#issue-an-authorization-request)\n    - [Run the sample application](#run-the-sample-application)\n- [Command Line](#command-line-options)\n- [gRPC Endpoints](#grpc-endpoints)\n- [Demo video](#demo)\n- [Credits](#credits)\n- [Contribution Guidelines](#contribution-guidelines)\n\n## Getting Topaz\n\n### Installation\n\n`topaz` is available on Linux, macOS and Windows platforms.\n\n* Binaries for Linux, Windows and macOS are available as tarballs on the [release](https://github.com/aserto-dev/topaz/releases) page.\n\n* Via Homebrew for macOS or LinuxBrew for Linux\n\n  ```shell\n  brew tap aserto-dev/tap \u0026\u0026 brew install aserto-dev/tap/topaz\n  ```\n\n* Via `go install`\n\n  ```shell\n  go install github.com/aserto-dev/topaz/topaz@latest\n  ```\n\n### Building from source\n\n`topaz` is currently compiled with Go v1.22.*; the `go.mod` files are pinned to 1.21 or lower. To build `topaz` from source you must:\n\n 1. Clone the repo\n 2. Build and run the executable\n\n      ```shell\n      make build \u0026\u0026 ./dist/build_linux_amd64/topaz\n      ```\n\n### Running with Docker\n\n  You can run `topaz` as a Docker container:\n\n  ```shell\n  docker run -it --rm ghcr.io/aserto-dev/topaz:latest --help\n  ```\n\n## Quickstart\n\nThese instructions help you get Topaz up and running as the authorizer for a sample Todo app.\n\n### Install Topaz authorizer container image\n\nThe Topaz authorizer is packaged as a Docker container. You can get the latest image using the following command:\n\n```shell\ntopaz install\n```\n\n**NOTE:** If you get the following errors/warnings from Topaz commands:\n\n`Cannot connect to the Docker daemon at unix:///var/run/docker.sock. 
Is the docker daemon running?`\n\nBe sure to allow the default Docker socket to be used in your Docker Desktop Advanced settings.\n\n### Install the todo template\n\nTopaz has a set of pre-built templates that contain three types of artifacts:\n* an authorization policy\n* a domain model (in the form of a manifest file)\n* sample data (users, groups, objects, relationships)\n\nYou can use the CLI to install the todo template:\n\n```shell\ntopaz templates install todo\n```\n\n#### Artifacts\n\nThis command will install the following artifacts in `$HOME/.config/topaz/`:\n\n```shell\ntree $HOME/.config/topaz\n/Users/ogazitt/.config/topaz\n├── cfg\n│   └── todo.yaml\n├── todo\n│   ├── data\n│   │   ├── citadel_objects.json\n│   │   ├── citadel_relations.json\n│   │   ├── todo_objects.json\n│   │   └── todo_relations.json\n│   └── model\n│       └── manifest.yaml\n└── topaz.json\n```\n* `cfg/todo.yaml` contains a Topaz configuration file which references the sample Todo **policy image**. A policy image is an OCI image that contains an OPA policy. For the Todo template, this is the public GHCR image `ghcr.io/aserto-policies/policy-todo:latest`. 
The source code for the policy image can be found [here](https://github.com/aserto-templates/policy-todo/tree/main/content/src/policies).\n* `todo/data/` contains the objects and relations for the Todo template - in this case, a set of 5 users and 4 groups that are based on the \"Rick \u0026 Morty\" cartoon.\n* `todo/model/manifest.yaml` contains the manifest file which describes the domain model.\n\n```shell\ntree ~/.local/share/topaz\n/Users/ogazitt/.local/share/topaz\n├── certs\n│   ├── gateway-ca.crt\n│   ├── gateway.crt\n│   ├── gateway.key\n│   ├── grpc-ca.crt\n│   ├── grpc.crt\n│   └── grpc.key\n├── db\n│   └── todo.db\n└── tmpl\n    └── todo\n        ├── data\n        │   ├── citadel_objects.json\n        │   ├── citadel_relations.json\n        │   ├── todo_objects.json\n        │   └── todo_relations.json\n        └── model\n            └── manifest.yaml\n```\n\n* `certs/` contains a set of generated self-signed certificates for Topaz.\n* `db/todo.db` contains the embedded database which houses the model and data.\n* `tmpl/todo` contains the template artifacts.\n\nFor a deeper overview of the `cfg/config.yaml` file, see [topaz configuration](https://github.com/aserto-dev/topaz/blob/main/docs/config.md).\n\n#### What just happened?\n\nBesides laying down the artifacts mentioned, installing the Todo template did the following things:\n\n* started Topaz in daemon (background) mode (see `topaz start --help`).\n* set the manifest found in `model/manifest.yaml` (see `topaz manifest set --help`).\n* imported the objects and relations found in `data/` (see `topaz directory import --help`).\n* opened a browser window to the Topaz [console](https://localhost:8080/ui/directory) (see `topaz console --help`).\n\nFeel free to play around with the Topaz console! 
Or follow the next few steps to interact with the Topaz policy and authorization endpoints.\n\n### Issue an API call\n\nTo verify that Topaz is running with the right policy image, you can issue a `curl` call to interact with the REST API.\n\nThis API call retrieves the set of policies that Topaz has loaded:\n\n```shell\ncurl -k https://localhost:8383/api/v2/policies\n```\n\n### Issue an authorization request\n\nIssue an authorization request using the `is` REST API to verify that the user Rick is allowed to GET the list of todos:\n\n```shell\ncurl -k -X POST 'https://localhost:8383/api/v2/authz/is' \\\n-H 'Content-Type: application/json' \\\n-d '{\n     \"identity_context\": {\n          \"type\": \"IDENTITY_TYPE_SUB\",\n          \"identity\": \"rick@the-citadel.com\"\n     },\n     \"policy_context\": {\n          \"path\": \"todoApp.GET.todos\",\n          \"decisions\": [\"allowed\"]\n     }\n}'\n```\n\n### Run the sample application\n\nTo run the sample Todo backend in the language of your choice, and see how Topaz is used to authorize requests, refer to the [docs](https://www.topaz.sh/docs/getting-started/samples).\n\nTo start an interactive session with the Topaz endpoints over gRPC, see the [gRPC endpoints](#grpc-endpoints) section.\n\n## Command line options\n\n```shell\ntopaz --help\nUsage: topaz \u003ccommand\u003e [flags]\n\nTopaz CLI\n\nCommands:\n  run                run topaz in console mode\n  start              start topaz in daemon mode\n  stop               stop topaz instance\n  restart            restart topaz instance\n  status             status of topaz daemon process\n  manifest           manifest commands\n  templates          template commands\n  console            open console in the browser\n  directory (ds)     directory commands\n  authorizer (az)    authorizer commands\n  config             configure topaz service\n  certs              cert commands\n  install            install topaz container\n  uninstall          uninstall topaz 
container\n  update             update topaz container version\n  version            version information\n\nFlags:\n  -h, --help        Show context-sensitive help.\n  -N, --no-check    disable local container status check ($TOPAZ_NO_CHECK)\n  -L, --log         log level\n\nRun \"topaz \u003ccommand\u003e --help\" for more information on a command.\n```\n\n## gRPC Endpoints\n\nTo interact with the authorizer endpoint, install [grpcui](https://github.com/fullstorydev/grpcui) or [grpcurl](https://github.com/fullstorydev/grpcurl) and point them to `localhost:8282`:\n\n```shell\ngrpcui --insecure localhost:8282\n```\n\nTo interact with the directory endpoint, use `localhost:9292`:\n\n```shell\ngrpcui --insecure localhost:9292\n```\n\nFor more information on APIs, see the [docs](https://www.topaz.sh/docs/intro).\n\n## Demo\n![demo](./assets/topaz.gif)\n\n## Credits\n\nTopaz uses a lot of great and amazing open source projects and libraries.\n\nA big thank you to all of them!\n\n## Contribution Guidelines\n\nTopaz is a work in progress - if something is broken or there's a feature that you want, please file an issue and if so inclined submit a PR!\n\nWe welcome contributions from the community! Here are some general guidelines:\n\n* File an issue first prior to submitting a PR!\n* Ensure all exported items are properly commented\n* If applicable, submit a test suite against your PR\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faserto-dev%2Ftopaz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faserto-dev%2Ftopaz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faserto-dev%2Ftopaz/lists"}