DEV Community

Alex Spinov


OpenFGA Has a Free API That Handles Google-Level Authorization

OpenFGA is the open-source fine-grained authorization engine created by Auth0/Okta. It implements the Google Zanzibar model — the same design that powers Google Drive, YouTube, and Gmail permissions.

What Is OpenFGA?

OpenFGA lets you model and check complex permissions such as who can view a document, who can edit a folder, or who can administer an organization — at scale, in milliseconds.

Core Concept: Relationship Tuples

user:alice is editor of document:budget-2026
user:bob is viewer of folder:finance
folder:finance is parent of document:budget-2026

Define Authorization Model

{
  "schema_version": "1.1",
  "type_definitions": [
    {
      "type": "user",
      "relations": {}
    },
    {
      "type": "document",
      "relations": {
        "owner": { "this": {} },
        "editor": { "this": {} },
        "viewer": {
          "union": {
            "child": [
              { "this": {} },
              { "computedUserset": { "relation": "editor" } },
              { "tupleToUserset": { "tupleset": { "relation": "parent" }, "computedUserset": { "relation": "viewer" } } }
            ]
          }
        },
        "parent": { "this": {} }
      },
      "metadata": {
        "relations": {
          "owner": { "directly_related_user_types": [{ "type": "user" }] },
          "editor": { "directly_related_user_types": [{ "type": "user" }] },
          "viewer": { "directly_related_user_types": [{ "type": "user" }] },
          "parent": { "directly_related_user_types": [{ "type": "folder" }] }
        }
      }
    },
    {
      "type": "folder",
      "relations": {
        "owner": { "this": {} },
        "viewer": { "this": {} }
      },
      "metadata": {
        "relations": {
          "owner": { "directly_related_user_types": [{ "type": "user" }] },
          "viewer": { "directly_related_user_types": [{ "type": "user" }] }
        }
      }
    }
  ]
}

This model says: you can view a document if you are explicitly a viewer, OR you are an editor (editors can view), OR you can view the parent folder. Schema 1.1 also requires every directly assignable relation to declare which types may be written into it (the metadata block), which is what lets the server reject a tuple such as a document being assigned as another document's parent. Note that the folder type has no parent relation of its own, so inheritance stops one level up; nested folders would need the same parent/viewer rule on the folder type.
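To make the resolution concrete, here is a small in-memory evaluator written for this article (it is not OpenFGA's implementation, and the names model, tuples, check, evaluate and listObjects are this example's own). It walks the four rewrite rules the JSON above uses (this, computedUserset, tupleToUserset, union) over the three tuples from the Core Concept section and shows why Bob ends up as a viewer of document:budget-2026. It deliberately ignores type restrictions, wildcards, intersection and exclusion.

```typescript
// In-memory evaluator for the model above, added for this article; it is not
// OpenFGA's implementation. Type restrictions, wildcards, intersection and
// exclusion are out of scope.

type Tuple = { user: string; relation: string; object: string };

// Rewrite rules, in the same shape as the "relations" entries of the JSON model.
type Userset =
  | { this: Record<string, never> }
  | { computedUserset: { relation: string } }
  | { tupleToUserset: { tupleset: { relation: string }; computedUserset: { relation: string } } }
  | { union: { child: Userset[] } };

// type -> relation -> rewrite rule
type Model = Record<string, Record<string, Userset>>;

// The article's model: viewer = direct OR editor OR viewer of the parent folder.
const model: Model = {
  document: {
    owner: { this: {} },
    editor: { this: {} },
    viewer: {
      union: {
        child: [
          { this: {} },
          { computedUserset: { relation: 'editor' } },
          { tupleToUserset: { tupleset: { relation: 'parent' }, computedUserset: { relation: 'viewer' } } },
        ],
      },
    },
    parent: { this: {} },
  },
  folder: {
    owner: { this: {} },
    viewer: { this: {} },
  },
};

// Constructed sample data: the three tuples the article writes via the REST API.
const tuples: Tuple[] = [
  { user: 'user:alice', relation: 'editor', object: 'document:budget-2026' },
  { user: 'user:bob', relation: 'viewer', object: 'folder:finance' },
  { user: 'folder:finance', relation: 'parent', object: 'document:budget-2026' },
];

const typeOf = (object: string): string => object.split(':')[0];

// Does `user` hold `relation` on `object`? `path` records the (user, relation,
// object) triples on the current resolution path so a cyclic model cannot
// recurse forever; an unknown type or relation denies.
function check(user: string, relation: string, object: string, path: Set<string> = new Set()): boolean {
  const key = `${user}|${relation}|${object}`;
  if (path.has(key)) return false;
  const rule = model[typeOf(object)]?.[relation];
  if (rule === undefined) return false;
  return evaluate(rule, user, relation, object, new Set(path).add(key));
}

function evaluate(rule: Userset, user: string, relation: string, object: string, path: Set<string>): boolean {
  if ('this' in rule) {
    // Direct assignment: an exact tuple exists.
    return tuples.some((t) => t.user === user && t.relation === relation && t.object === object);
  }
  if ('computedUserset' in rule) {
    // e.g. viewer includes editor: same user and object, different relation.
    return check(user, rule.computedUserset.relation, object, path);
  }
  if ('tupleToUserset' in rule) {
    // Follow the tupleset relation (parent) to the related objects, then check
    // the computed relation (viewer) on each of them.
    const { tupleset, computedUserset } = rule.tupleToUserset;
    return tuples
      .filter((t) => t.relation === tupleset.relation && t.object === object)
      .some((t) => check(user, computedUserset.relation, t.user, path));
  }
  // union: any branch granting access is enough.
  return rule.union.child.some((child) => evaluate(child, user, relation, object, path));
}

// Which objects of `type` (among those that appear in tuples) does `user` hold `relation` on?
function listObjects(user: string, relation: string, type: string): string[] {
  const candidates = new Set(tuples.filter((t) => typeOf(t.object) === type).map((t) => t.object));
  return Array.from(candidates).filter((o) => check(user, relation, o)).sort();
}

console.log(check('user:bob', 'viewer', 'document:budget-2026')); // true, via folder:finance
console.log(listObjects('user:alice', 'editor', 'document'));     // [ 'document:budget-2026' ]
```

The resolution for Bob goes: direct viewer tuple (none), editor (none), then the tupleToUserset branch finds folder:finance as the document's parent and asks whether Bob is a viewer of that folder, which a direct tuple answers. The real server does the same graph walk with caching, type checks and request limits; listObjects here only considers objects that appear in some tuple.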

REST API

export FGA_URL="http://localhost:8080"
export FGA_STORE="store-id"

# Write relationship tuples
curl -s -X POST "$FGA_URL/stores/$FGA_STORE/write" \
  -H 'Content-Type: application/json' \
  -d '{
    "writes": {
      "tuple_keys": [
        {"user": "user:alice", "relation": "editor", "object": "document:budget-2026"},
        {"user": "user:bob", "relation": "viewer", "object": "folder:finance"},
        {"user": "folder:finance", "relation": "parent", "object": "document:budget-2026"}
      ]
    }
  }'

# Check permission
curl -s -X POST "$FGA_URL/stores/$FGA_STORE/check" \
  -H 'Content-Type: application/json' \
  -d '{"tuple_key": {"user": "user:bob", "relation": "viewer", "object": "document:budget-2026"}}'
# Result: {"allowed": true} — Bob can view because he can view the parent folder

# List objects user can access
curl -s -X POST "$FGA_URL/stores/$FGA_STORE/list-objects" \
  -H 'Content-Type: application/json' \
  -d '{"user": "user:alice", "relation": "editor", "type": "document"}'

TypeScript SDK

import { OpenFgaClient } from '@openfga/sdk'

const fga = new OpenFgaClient({
  apiUrl: process.env.FGA_API_URL!,
  storeId: process.env.FGA_STORE_ID!,
})

// Example identifiers; in a real service these come from the authenticated
// session (userId) and the request (docId, folderId, newMemberId)
const userId = 'alice'
const docId = 'budget-2026'
const folderId = 'finance'
const newMemberId = 'carol'

// Check permission
const { allowed } = await fga.check({
  user: `user:${userId}`,
  relation: 'editor',
  object: `document:${docId}`,
})

if (!allowed) throw new Error('Forbidden')

// Write tuple (grant access)
await fga.write({
  writes: [{
    user: `user:${newMemberId}`,
    relation: 'viewer',
    object: `folder:${folderId}`,
  }],
})

// List all documents user can edit
const { objects } = await fga.listObjects({
  user: `user:${userId}`,
  relation: 'editor',
  type: 'document',
})

Real-World Patterns

  • Google Drive: folders contain documents, sharing cascades
  • GitHub: org > team > repo, with different permission levels
  • Slack: workspace > channel > message, with admin hierarchy
  • Multi-tenant SaaS: tenant > project > resource isolation

Getting Started

# Docker
docker run -p 8080:8080 openfga/openfga run

# Or use Okta FGA (managed service with free tier)

Building multi-tenant scraping with fine-grained access? Scrapfly + OpenFGA = secure data access at scale. Email spinov001@gmail.com for enterprise solutions.
