https://github.com/openfga/openfga
A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar
https://github.com/openfga/openfga
abac authorization entitlements fga fine-grained-access-control fine-grained-authorization go golang hacktoberfest openfga pbac permissions rbac rebac security zanzibar
Last synced: 1 day ago
JSON representation
A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar
- Host: GitHub
- URL: https://github.com/openfga/openfga
- Owner: openfga
- License: apache-2.0
- Created: 2022-06-08T18:47:15.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-10-01T20:17:37.000Z (3 days ago)
- Last Synced: 2025-10-01T21:20:42.859Z (3 days ago)
- Topics: abac, authorization, entitlements, fga, fine-grained-access-control, fine-grained-authorization, go, golang, hacktoberfest, openfga, pbac, permissions, rbac, rebac, security, zanzibar
- Language: Go
- Homepage: https://openfga.dev
- Size: 80 MB
- Stars: 4,183
- Watchers: 37
- Forks: 309
- Open Issues: 145
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: .github/SECURITY-INSIGHTS.yml
- Notice: NOTICE
Awesome Lists containing this project
- awesome-go-with-stars - openfga - Implementation of fine-grained authorization based on the "Zanzibar: Google's Consistent, Global Authorization System" paper. Backed by [CNCF](https://www.cncf.io/). (Authentication and Authorization)
- awesome-repositories - openfga/openfga - A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar (Go)
- awesome-go - openfga - Implementation of fine-grained authorization based on the "Zanzibar: Google's Consistent, Global Authorization System" paper. Backed by [CNCF](https://www.cncf.io/). Stars:`4.2K`. (Authentication and Authorization)
- awesome-go - openfga - Implementation of fine-grained authorization based on the "Zanzibar: Google's Consistent, Global Authorization System" paper. Backed by [CNCF](https://www.cncf.io/). (Authentication and Authorization)
- awesome-go-cn - openfga - grained authorization based on the "Zanzibar: Google's Consistent, Global Authorization System" paper. Backed by [CNCF](https://www.cncf.io/). [![近一周有更新][G]](https://github.com/openfga/openfga) [![godoc][D]](https://godoc.org/github.com/openfga/openfga) (身份验证和OAuth)
- awesome - openfga/openfga - A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar (Go)
- awesome-go-cn - openfga - grained authorization based on the "Zanzibar: Google's Consistent, Global Authorization System" paper. Backed by [CNCF](https://www.cncf.io/). [![近一周有更新][G]](https://github.com/openfga/openfga) [![godoc][D]](https://godoc.org/github.com/openfga/openfga) (Authentication and Authorization)
- awesome-go-plus - openfga - Implementation of fine-grained authorization based on the "Zanzibar: Google's Consistent, Global Authorization System" paper. Backed by [CNCF](https://www.cncf.io/).  (Authentication and OAuth)
- awesome-go-plus - openfga - Implementation of fine-grained authorization based on the "Zanzibar: Google's Consistent, Global Authorization System" paper. Backed by [CNCF](https://www.cncf.io/).  (Authentication and OAuth)
- awesome-go - openfga - Implementation of fine-grained authorization based on the "Zanzibar: Google's Consistent, Global Authorization System" paper. Backed by [CNCF](https://www.cncf.io/). (Authentication and Authorization)
- fucking-awesome-go - openfga - Implementation of fine-grained authorization based on the "Zanzibar: Google's Consistent, Global Authorization System" paper. Backed by 🌎 [CNCF](www.cncf.io/). (Authentication and Authorization)
- awesome-go - openfga/openfga
- awesome-go - openfga/openfga
README
# OpenFGA
[](https://openfga.dev/community)
[](https://deepwiki.com/openfga/openfga)
[](https://pkg.go.dev/github.com/openfga/openfga)
[](https://hub.docker.com/r/openfga/openfga/tags)
[](https://app.codecov.io/gh/openfga/openfga)
[](https://goreportcard.com/report/github.com/openfga/openfga)
[](https://bestpractices.coreinfrastructure.org/projects/6374)
[](https://app.fossa.com/projects/git%2Bgithub.com%2Fopenfga%2Fopenfga?ref=badge_shield)
[](https://artifacthub.io/packages/helm/openfga/openfga)
[](https://securityscorecards.dev/viewer/?uri=github.com/openfga/openfga)
[](https://slsa.dev)
---
**OpenFGA** is a high-performance, flexible authorization/permission engine inspired by [Google Zanzibar](https://research.google/pubs/pub48190/).
It helps developers easily model and enforce fine-grained access control in their applications.
## Highlights
- ⚡ High-performance, developer-friendly APIs (HTTP & gRPC)
- 🔌 Flexible storage backends (In-Memory, PostgreSQL, MySQL, SQLite beta)
- 🧰 SDKs for [Java](https://central.sonatype.com/artifact/dev.openfga/openfga-sdk), [Node.js](https://www.npmjs.com/package/@openfga/sdk), [Go](https://github.com/openfga/go-sdk), [Python](https://github.com/openfga/python-sdk), [.NET](https://www.nuget.org/packages/OpenFga.Sdk)
- 🌐 Several additional SDKs and tools [contributed by the community](https://github.com/openfga/community#community-projects)
- 🧪 [CLI](https://github.com/openfga/cli) for interacting with an OpenFGA server and [testing authorization models](https://openfga.dev/docs/modeling/testing)
- 🌿 [Terraform Provider](https://github.com/openfga/terraform-provider-openfga) for configuring OpenFGA servers as code
- 🎮 [Playground](https://openfga.dev/docs/getting-started/setup-openfga/playground) for modeling and testing
- 🛠 Can also be embedded as a [Go library](https://pkg.go.dev/github.com/openfga/openfga/pkg/server#example-NewServerWithOpts)
- 🤝 Adopted by [Auth0](https://fga.dev), [Grafana Labs](https://grafana.com/), [Canonical](https://canonical.com/), [Docker](https://docker.com), [Agicap](https://agicap.com), [Read.AI](https://read.ai) and [others](https://github.com/openfga/community/blob/main/ADOPTERS.md)
---
## Table of Contents
- [Quickstart](#quickstart)
- [Installation](#installation)
- [Docker](#docker)
- [Docker Compose](#docker-compose)
- [Homebrew](#homebrew)
- [Precompiled Binaries](#precompiled-binaries)
- [Build from Source](#build-from-source)
- [Verify Installation](#verify-installation)
- [Playground](#playground)
- [Next Steps](#next-steps)
- [Limitations](#limitations)
- [Production Readiness](#production-readiness)
- [Contributing & Community](#contributing--community)
---
## Quickstart
> [!IMPORTANT]
> The following steps are meant for quick local setup and evaluation.
> When using the default **in-memory storage engine**, data is ephemeral and will be discarded once the service stops.
>
> For [details on configuring](https://openfga.dev/docs/getting-started/setup-openfga/configure-openfga) storage
> backends, tuning performance, and deploying OpenFGA securely in production-ready environments, refer to the
> documentation: [Running in Production](https://openfga.dev/docs/getting-started/running-in-production).
Run OpenFGA with in-memory storage (⚠️ **not for production**):
```shell
docker run -p 8080:8080 -p 3000:3000 openfga/openfga run
```
Once running, create a store:
```shell
curl -X POST 'localhost:8080/stores' \
--header 'Content-Type: application/json' \
--data-raw '{"name": "openfga-demo"}'
```
## Installation
### Docker
OpenFGA is available on [Docker Hub](https://hub.docker.com/r/openfga/openfga), so you can quickly start it using the
in-memory datastore by running the following commands:
```shell
docker pull openfga/openfga
docker run -p 8080:8080 -p 3000:3000 openfga/openfga run
```
### Docker Compose
[`docker-compose.yaml`](./docker-compose.yaml) provides an example of how to launch OpenFGA with Postgres using `docker compose`.
```shell
curl -LO https://openfga.dev/docker-compose.yaml
docker compose up
```
### Homebrew
If you are a [Homebrew](https://brew.sh/) user, you can install [OpenFGA](https://formulae.brew.sh/formula/openfga) with the following command:
```shell
brew install openfga
```
### Precompiled Binaries
Download your platform's [latest release](https://github.com/openfga/openfga/releases/latest) and extract it.
Then run the binary with the command:
```shell
./openfga run
```
### Build from Source
> [!NOTE]
> Make sure you have the latest version of Go installed. See the [Go downloads](https://go.dev/dl/) page.
#### `go install`
```shell
export PATH=$PATH:$(go env GOBIN) # make sure $GOBIN is on your $PATH
go install github.com/openfga/openfga/cmd/openfga
openfga run
```
#### `go build`
```shell
git clone https://github.com/openfga/openfga.git && cd openfga
go build -o ./openfga ./cmd/openfga
./openfga run
```
### Verify Installation
Now that you have [installed](#installation) OpenFGA, you can test your installation by [creating an OpenFGA Store](https://openfga.dev/docs/getting-started/create-store).
```shell
curl -X POST 'localhost:8080/stores' \
--header 'Content-Type: application/json' \
--data-raw '{"name": "openfga-demo"}'
```
If everything is running correctly, you should get a response with information about the newly created store, for example:
```json
{
"id": "01G3EMTKQRKJ93PFVDA1SJHWD2",
"name": "openfga-demo",
"created_at": "2022-05-19T17:11:12.888680Z",
"updated_at": "2022-05-19T17:11:12.888680Z"
}
```
## Playground
The Playground lets you model, visualize, and test authorization setups.
By default, it’s available at: [http://localhost:3000/playground](http://localhost:3000/playground)
> [!NOTE]
> The Playground is intended for **local development only**.
> It can currently only be configured to connect to an OpenFGA server running on `localhost`.
Disable it with:
```shell
./openfga run --playground-enabled=false
```
Change port:
```shell
./openfga run --playground-enabled --playground-port 3001
```
> [!TIP]
> The `OPENFGA_HTTP_ADDR` environment variable can be used to configure the address at which the Playground expects the OpenFGA server to be.
>
> For example:
>
> ```shell
> docker run -e OPENFGA_PLAYGROUND_ENABLED=true \
> -e OPENFGA_HTTP_ADDR=0.0.0.0:4000 \
> -p 4000:4000 -p 3000:3000 openfga/openfga run
> ```
>
> This starts OpenFGA on port 4000 and configures the Playground accordingly.
## Next Steps
Take a look at examples of how to:
- [Write an Authorization Model](https://openfga.dev/api/service#/Authorization%20Models/WriteAuthorizationModel)
- [Write Relationship Tuples](https://openfga.dev/api/service#/Relationship%20Tuples/Write)
- [Perform Authorization Checks](https://openfga.dev/api/service#/Relationship%20Queries/Check)
- [Add Authentication to your OpenFGA server](https://openfga.dev/docs/getting-started/setup-openfga/docker#configuring-authentication)
📚 Explore the [Documentation](https://openfga.dev/) and [API Reference](https://openfga.dev/api/service).
## Limitations
### MySQL Storage engine
The MySQL storage engine has stricter length limits on tuple properties than other backends. See [docs](https://openfga.dev/docs/getting-started/setup-openfga/docker#configuring-data-storage).
💡 OpenFGA’s MySQL adapter was contributed by @twintag — thank you!
## Production Readiness
- ✅ Used in production by [Auth0 FGA](https://auth0.com/fine-grained-authorization) since December 2021
- ⚠️ Memory storage adapter is **for development only**
- 🗄 Supported storage: PostgreSQL 14+, MySQL 8, SQLite (beta)
- 📘 See [Running in Production](https://openfga.dev/docs/best-practices/running-in-production)
The OpenFGA team treats **production-impacting issues with highest priority**.
See organizations using OpenFGA in production: [ADOPTERS.md](https://github.com/openfga/community/blob/main/ADOPTERS.md).
If your organization is using OpenFGA, please consider adding it to the list.
## Contributing & Community
We welcome contributions and community participation.
- 🤝 See [CONTRIBUTING](https://github.com/openfga/.github/blob/main/CONTRIBUTING.md)
- 🗓 [Monthly Community Meetings](https://github.com/openfga/community/blob/main/community-meetings.md)
- 💬 Join us on [Slack](https://openfga.dev/docs/community)