Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/inferadb/rust

InferaDB Rust SDK — type-safe, ergonomic access to distributed ReBAC authorization APIs, designed for low-latency permission checks in modern SaaS and AI workloads.
https://github.com/inferadb/rust

access-control async authorization client-library derive-macro fine-grained-access-control grpc inferadb permissions rebac rust sdk tokio tonic zanzibar

Last synced: 3 months ago
JSON representation

InferaDB Rust SDK — type-safe, ergonomic access to distributed ReBAC authorization APIs, designed for low-latency permission checks in modern SaaS and AI workloads.

Awesome Lists containing this project

README 

          


    


    
InferaDB Rust SDK


    


        Discord

        Crates.io

        Docs.rs

        Code Coverage

        License

    


    
Type-safe Rust client for InferaDB





> [!IMPORTANT]

> Under active development. Not production-ready.



[InferaDB](https://inferadb.com/) is a [Zanzibar](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/)-inspired authorization engine. Define permissions as policy-as-code; integrate in a few lines.



- **Async-first:** Built on [Tokio](https://crates.io/crates/tokio) and [Tracing](https://crates.io/crates/tracing)

- **Compile-time safety:** Catch permission model mistakes before production

- **Standards-based:** [AuthZEN](https://openid.net/wg/authzen/) compliant with multi-tenant isolation



## Quick Start



1. Sign up for an account at [InferaDB](https://inferadb.com/) and create a new organization and vault.



2. Run the following Cargo command in your project directory:



   ```shell

   cargo add inferadb

   ```



3. In your project, create and configure a client instance:



   ```rust

   use inferadb::prelude::*;



   #[tokio::main]

   async fn main() -> Result<(), Error> {

       let client = Client::builder()

           .url("https://api.inferadb.com")

           .credentials(ClientCredentialsConfig {

               client_id: "my_service".into(),

               private_key: Ed25519PrivateKey::from_pem_file("private-key.pem")?,

           })

           .build()

           .await?;



       let vault = client.organization("org_...").vault("vlt_...");



       let allowed = vault.check("user:alice", "view", "document:readme").await?;

       println!("Allowed: {allowed}");



       Ok(())

   }

   ```



## In Action



### "Can this user do this?"



The most common authorization question. One line:



```rust

if vault.check("user:alice", "edit", "document:readme").await? {

    // allow the edit

}

```



### "Who can access this?"



Building a share dialog or audit view? List all subjects with access:



```rust

let viewers = vault.subjects()

    .with_permission("view")

    .on_resource("document:readme")

    .collect()

    .await?;

// ["user:alice", "user:bob", "team:engineering"]

```



### "What can this user see?"



Filter a dashboard or search results by accessible resources:



```rust

let docs = vault.resources()

    .accessible_by("user:alice")

    .with_permission("view")

    .of_type("document")

    .collect()

    .await?;

```



### "Grant access to a team"



When Alice shares a folder with her team, all team members gain access:



```rust

vault.relationships()

    .write(Relationship::new("folder:designs", "viewer", "team:engineering"))

    .await?;

```



### "Inherit permissions from a parent"



Documents inherit their parent folder's permissions:



```rust

vault.relationships()

    .write(Relationship::new("document:spec", "parent", "folder:designs"))

    .await?;



// Now anyone who can view the folder can view the document

```



### "Check multiple permissions at once"



Rendering edit, delete, and share buttons? Check all permissions in one call:



```rust

let [can_edit, can_delete, can_share] = vault.batch_check(&[

    ("user:alice", "edit", "document:readme"),

    ("user:alice", "delete", "document:readme"),

    ("user:alice", "share", "document:readme"),

]).await?[..] else { unreachable!() };

```



## Usage



### Authorization API



```rust

let vault = client.organization("org_...").vault("vlt_...");

```



#### Permission Checks



```rust

let allowed = vault.check("user:alice", "view", "doc:1").await?;

```



#### Relationships



```rust

vault.relationships()

    .write(Relationship::new("document:readme", "viewer", "user:alice"))

    .await?;

```



#### Lookups



```rust

let docs = vault.resources()

    .accessible_by("user:alice")

    .with_permission("view")

    .collect()

    .await?;

```



See the [Authorization API Guide](docs/guides/authorization-api.md) for ABAC context, batch checks, explain, simulate, and watch.



### Management API



```rust

let org = client.organization("org_...");

```



#### Vaults



```rust

let vault = org.vaults()

    .create(CreateVaultRequest::new("production"))

    .await?;

```



#### Schemas



```rust

vault.schemas().push(r#"

type user {}



type document {

    relation viewer: user

    permission view = viewer

}

"#).await?;

```



#### Members & Teams



```rust

org.members()

    .invite(InviteMemberRequest::new("alice@example.com", OrgRole::Admin))

    .await?;



org.teams()

    .create(CreateTeamRequest::new("Engineering"))

    .await?;

```



#### Audit Logs



```rust

let events = org.audit().list().collect().await?;

```



See the [Management API Guide](docs/guides/management-api.md) for organizations, API clients, schema versioning, and more.



## Local Development



[Deploy InferaDB locally](https://github.com/inferadb/deploy/), then configure your client:



```rust

let client = Client::builder()

    .url("http://localhost:8080")

    .insecure()  // Disables TLS verification for local development

    .credentials(BearerCredentialsConfig {

        token: "dev-token".into(),

    })

    .build()

    .await?;

```



## Testing



Use `MockClient` for unit tests:



```rust

use inferadb::testing::{AuthorizationClient, MockClient};



#[tokio::test]

async fn test_authorization() {

    let mock = MockClient::builder()

        .check("user:alice", "view", "document:readme", true)

        .check("user:bob", "delete", "document:readme", false)

        .build();



    assert!(mock

        .check("user:alice", "view", "document:readme")

        .await

        .unwrap());

}

```



See the [Testing Guide](docs/guides/testing.md) for `InMemoryClient` (full policy evaluation) and integration testing patterns.



## Documentation



- [API Reference](https://docs.rs/inferadb) - Full rustdoc documentation



### Guides



| Topic                                                       | Description                                       |

| ----------------------------------------------------------- | ------------------------------------------------- |

| [Installation](docs/guides/installation.md)                 | Feature flags, optimized builds, TLS, MSRV        |

| [Authentication](docs/guides/authentication.md)             | Client credentials, bearer tokens, key management |

| [Authorization API](docs/guides/authorization-api.md)       | Permission checks, relationships, lookups, watch  |

| [Integration Patterns](docs/guides/integration-patterns.md) | Axum, Actix-web, GraphQL, gRPC middleware         |

| [Error Handling](docs/guides/errors.md)                     | Error types, retries, graceful degradation        |

| [Testing](docs/guides/testing.md)                           | MockClient, InMemoryClient, TestVault             |

| [Schema Design](docs/guides/schema-design.md)               | ReBAC patterns, role hierarchy, anti-patterns     |

| [Production Checklist](docs/guides/production-checklist.md) | Deployment readiness                              |

| [Troubleshooting](docs/troubleshooting.md)                  | Common issues and solutions                       |



See [docs/README.md](docs/README.md) for the complete documentation index.



## Examples



```bash

cargo run -p inferadb-examples --bin basic_check

cargo run -p inferadb-examples --bin batch_operations

cargo run -p inferadb-examples --bin axum_middleware

```



## Development



```bash

# Setup (one-time)

mise trust && mise install

rustup component add rustfmt clippy

rustup toolchain install nightly --component rustfmt



# Build

cargo build --workspace --all-features



# Run tests

cargo test --lib



# Format and lint

cargo +nightly fmt --all

cargo clippy --workspace --all-targets -- -D warnings



# Generate documentation

cargo doc --workspace --no-deps --open



# Code coverage

cargo llvm-cov --lib --ignore-filename-regex 'proto|inferadb\.authorization\.v1'

```



## Contributing



See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.



## Community



Join us on [Discord](https://discord.gg/inferadb) for questions, discussions, and contributions.



## License



Dual-licensed under [MIT](LICENSE-MIT) or [Apache 2.0](LICENSE-APACHE).