DEV Community

Alex Spinov
OpenFGA Has a Free API: The Authorization Engine Inspired by Google Zanzibar for Relationship-Based Access Control

Google built Zanzibar to handle authorization for YouTube, Drive, and Cloud. OpenFGA brings the same approach to your app — define who can access what based on relationships, and check permissions in milliseconds.

What Is OpenFGA?

OpenFGA is an open-source authorization engine built on the Google Zanzibar paper. It uses relationship-based access control (ReBAC) where permissions are derived from relationships between objects. Instead of hardcoding roles, you define a model of how objects relate to each other.

The Free Tool

OpenFGA is completely free and open source:

  • ReBAC: Google Zanzibar-style relationship-based auth
  • Authorization model DSL: Define your auth model declaratively
  • REST + gRPC APIs: Check permissions programmatically
  • SDKs: JavaScript, Python, Go, Java, .NET
  • Playground: Visual model editor and tester
  • Sub-millisecond checks: Optimized for high throughput

Quick Start

Run OpenFGA:

docker run -d -p 8080:8080 -p 3000:3000 openfga/openfga run

Define your authorization model:

{
  "schema_version": "1.1",
  "type_definitions": [
    {
      "type": "user"
    },
    {
      "type": "document",
      "relations": {
        "owner": {"this": {}},
        "editor": {"union": {"child": [{"this": {}}, {"computedUserset": {"relation": "owner"}}]}},
        "viewer": {"union": {"child": [{"this": {}}, {"computedUserset": {"relation": "editor"}}]}}
      },
      "metadata": {
        "relations": {
          "owner": {"directly_related_user_types": [{"type": "user"}]},
          "editor": {"directly_related_user_types": [{"type": "user"}]},
          "viewer": {"directly_related_user_types": [{"type": "user"}]}
        }
      }
    },
    {
      "type": "folder",
      "relations": {
        "owner": {"this": {}},
        "viewer": {"union": {"child": [{"this": {}}, {"computedUserset": {"relation": "owner"}}]}}
      },
      "metadata": {
        "relations": {
          "owner": {"directly_related_user_types": [{"type": "user"}]},
          "viewer": {"directly_related_user_types": [{"type": "user"}]}
        }
      }
    }
  ]
}

Write relationships and check permissions:

import { OpenFgaClient } from '@openfga/sdk';

const fga = new OpenFgaClient({
  apiUrl: 'http://localhost:8080',
  storeId: 'your-store-id',
  authorizationModelId: 'model-id',
});

// Write a relationship: user:anne is owner of document:readme
await fga.write({
  writes: [{
    user: 'user:anne',
    relation: 'owner',
    object: 'document:readme',
  }],
});

// Check: can anne view readme? (yes — owner implies editor implies viewer)
const { allowed } = await fga.check({
  user: 'user:anne',
  relation: 'viewer',
  object: 'document:readme',
});
console.log(allowed); // true
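To make the model and the check above concrete, here is an added example (not code from the OpenFGA project or the original post) that evaluates the same model in memory the way a Zanzibar-style resolver does: a direct tuple satisfies a "this" rewrite, a "computedUserset" rewrite defers to another relation on the same object, and "union" succeeds if any child does. The tuples for user:anne and a constructed user:bob stand in for what fga.write() would have stored; no OpenFGA server is contacted.

```javascript
// Added example: a minimal in-memory resolver for the post's authorization model.
// Supports the three rewrites the model uses: "this", "computedUserset", "union".
const model = {
  schema_version: '1.1',
  type_definitions: [
    { type: 'user' },
    {
      type: 'document',
      relations: {
        owner: { this: {} },
        editor: { union: { child: [{ this: {} }, { computedUserset: { relation: 'owner' } }] } },
        viewer: { union: { child: [{ this: {} }, { computedUserset: { relation: 'editor' } }] } },
      },
    },
    {
      type: 'folder',
      relations: {
        owner: { this: {} },
        viewer: { union: { child: [{ this: {} }, { computedUserset: { relation: 'owner' } }] } },
      },
    },
  ],
};

// Constructed relationship tuples: anne owns the readme, bob was granted viewer directly.
const tuples = [
  { user: 'user:anne', relation: 'owner', object: 'document:readme' },
  { user: 'user:bob', relation: 'viewer', object: 'document:readme' },
];

// Look up the relation definitions for an object type, e.g. "document".
function relationsOf(objectType) {
  const def = model.type_definitions.find((t) => t.type === objectType);
  if (!def) throw new Error(`unknown object type: ${objectType}`);
  return def.relations || {};
}

// Evaluate one userset rewrite for (user, relation, object). The depth bound
// mirrors what a real resolver does so a cyclic model cannot loop forever.
function evaluate(rewrite, user, relation, object, depth) {
  if (depth > 25) throw new Error('resolution depth exceeded');
  if (rewrite.this) {
    // Direct assignment: is there a stored tuple for exactly this triple?
    return tuples.some((t) => t.user === user && t.relation === relation && t.object === object);
  }
  if (rewrite.computedUserset) {
    // "editor implies viewer": re-check the user against the referenced relation.
    return check(user, rewrite.computedUserset.relation, object, depth + 1);
  }
  if (rewrite.union) {
    return rewrite.union.child.some((c) => evaluate(c, user, relation, object, depth + 1));
  }
  throw new Error(`unsupported rewrite: ${JSON.stringify(rewrite)}`);
}

// In-memory equivalent of fga.check({ user, relation, object }).
// Unknown relations are denied rather than treated as an error, so a typo in
// a caller never turns into an allow.
function check(user, relation, object, depth = 0) {
  const objectType = object.split(':')[0];
  const rewrite = relationsOf(objectType)[relation];
  if (!rewrite) return false;
  return evaluate(rewrite, user, relation, object, depth);
}

console.log(check('user:anne', 'viewer', 'document:readme')); // true: owner -> editor -> viewer
console.log(check('user:bob', 'editor', 'document:readme'));  // false: viewer does not imply editor
```

The resolver walks the rewrite tree recursively, which is exactly why anne's single owner tuple answers the viewer check: viewer's union contains a computedUserset on editor, whose union contains one on owner, where the direct tuple is found. bob's direct viewer tuple never reaches editor because nothing in the model implies upward.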

Why Teams Choose OpenFGA

A document collaboration startup had grown from simple RBAC (admin, editor, viewer) to needing folder-level permissions, shared links, and team-based access. Their if-else authorization code became 2,000 lines of unmaintainable logic. After switching to OpenFGA, they modeled all permissions as relationships and reduced their auth code to 50 lines of SDK calls.

Who Is This For?

  • Teams building Google Drive-like sharing models
  • SaaS platforms needing fine-grained object-level permissions
  • Developers who outgrew simple RBAC
  • Anyone interested in the Zanzibar approach to authorization

Start Building

OpenFGA brings Google-scale authorization to your app. Model permissions as relationships, check them in milliseconds.

Need help with authorization architecture? I build custom auth solutions — reach out to discuss your project.


Found this useful? I publish daily deep-dives into developer tools and APIs. Follow for more.
