Topaz is an open-source authorization service providing fine-grained, real-time, policy-based access control for applications and APIs.
It uses the Open Policy Agent (OPA) as its decision engine, and provides a built-in directory that is inspired by the Google Zanzibar data model.
Authorization policies can leverage user attributes, group membership, application resources, and relationships between them. All data used for authorization is modeled and stored locally in an embedded database, so authorization decisions can be evaluated quickly and efficiently.

Read more at topaz.sh and the docs.
Join the community Slack channel for questions and help!
topaz is available on Linux, macOS and Windows platforms.
Binaries for Linux, Windows and Mac are available as tarballs in the release page.
Via Homebrew for macOS or LinuxBrew for Linux
shell
brew tap aserto-dev/tap && brew install aserto-dev/tap/topaz
shell
go install github.com/topaz/cmd/topaz@latest
topaz is currently using go v1.17 or above. In order to build topaz from source you must:
Build and run the executable
shell
mage build && ./dist/build_linux_amd64/topaz
You can run as a Docker container:
shell
docker run -it --rm ghcr.io/aserto-dev/topaz:latest --help
These instructions help you get Topaz up and running as the authorizer for a sample Todo app.
The Topaz authorizer is packaged as a Docker container. You can get the latest image using the following command:
topaz install
This command creates a configuration file for the sample Todo policy image. A policy image is an OCI image that contains an OPA policy. The source code for the ghcr.io/aserto-policies/policy-todo-rebac:latest policy image can be found here.
topaz configure -d -s -r ghcr.io/aserto-policies/policy-todo-rebac:latest -n todo
The configuration file is generated in $(HOME)/.config/topaz/cfg.
* the config instructs Topaz to create a local directory instance (-d)
* when started, Topaz will seed the directory with default object types (-s)
* the config references an authorization policy for a sample "Todo" app, retrieved from the Open Policy Registry as a container image
* the config is named "todo"
If you have a policy image in the local OCI store of your policy CLI that you want to use with topaz you can create a configuration to use that image from the local store.
topaz configure -d -s -l ghcr.io/default:latest
The configuration file is generated in $(HOME)/.config/topaz/cfg.
* the config instructs Topaz to create a local directory instance (-d)
* when started, Topaz will seed the directory with default object types (-s)
* the config uses the opa local_bundles configuration to retrieve the policy image from the local policy CLI OCI store
topaz run
Retrieve the "Citadel" json files, placing them in the current directory:
curl https://raw.githubusercontent.com/aserto-dev/topaz/main/assets/citadel/citadel_objects.json >./citadel_objects.json
curl https://raw.githubusercontent.com/aserto-dev/topaz/main/assets/citadel/citadel_relations.json >./citadel_relations.json
Import the contents of the file into Topaz directory. This creates the sample users (Rick, Morty, and friends); groups; and relations.
topaz import -i -d .
topaz console
To verify that Topaz is running with the right policy image, you can issue a curl call to interact with the REST API.
This API call retrieves the set of policies that Topaz has loaded:
curl -k https://localhost:8383/api/v2/policies
Issue a query using the is REST API to verify that the user Rick is allowed to GET the list of todos:
curl -k -X POST 'https://localhost:8383/api/v2/authz/is' \
-H 'Content-Type: application/json' \
-d '{
"identity_context": {
"type": "IDENTITY_TYPE_SUB",
"identity": "rick@the-citadel.com"
},
"policy_context": {
"path": "todoApp.GET.todos",
"decisions": ["allowed"]
}
}'
To run the sample Todo app in the language of your choice, and see how Topaz is used to authorize requests, refer to the docs.
To start an interactive session with the Topaz endpoints, see the gRPC endpoints section.
$ topaz --help
Usage: topaz <command>
Topaz CLI
Commands:
start start topaz in daemon mode
stop stop topaz instance
status status of topaz daemon process
run run topaz in console mode
manifest get get manifest
manifest set set manifest
manifest delete delete manifest
load load manifest from file
save save manifest to file
import import directory objects
export export directory objects
backup backup directory data
restore restore directory data
test exec execute assertions
test template output assertions template
install install topaz container
configure configure topaz service
update update topaz container version
uninstall uninstall topaz container
version version information
console opens the console in the browser
Flags:
-h, --help Show context-sensitive help.
--no-check disable local container status check ($TOPAZ_NO_CHECK)
Run "topaz <command> --help" for more information on a command.
To interact with the authorizer endpoint, install grpcui or grpcurl and point them to localhost:8282:
grpcui --insecure localhost:8282
To interact with the directory endpoint, use localhost:9292:
grpcui --insecure localhost:9292
For more information on APIs, see the docs.

Topaz uses a lot of great and amazing open source projects and libraries.
A big thank you to all of them!
Topaz is a work in progress - if something is broken or there's a feature that you want, please file an issue and if so inclined submit a PR!
We welcome contributions from the community! Here are some general guidelines:
$ claude mcp add topaz \
-- python -m otcore.mcp_server <graph>