
OpenFGA is a high-performance, flexible authorization/permission engine inspired by Google Zanzibar. It helps developers easily model and enforce fine-grained access control in their applications.
[!IMPORTANT]
The following steps are meant for quick local setup and evaluation.
When using the default in-memory storage engine, data is ephemeral and will be discarded once the service stops. For details on configuring storage backends, tuning performance, and deploying OpenFGA securely in production-ready environments, refer to the documentation: Running in Production.
Run OpenFGA with in-memory storage (⚠️ not for production):
docker run -p 8080:8080 -p 3000:3000 openfga/openfga run
Once running, create a store:
curl -X POST 'localhost:8080/stores' \
--header 'Content-Type: application/json' \
--data-raw '{"name": "openfga-demo"}'
OpenFGA is available on Docker Hub, so you can quickly start it using the in-memory datastore by running the following commands:
docker pull openfga/openfga
docker run -p 8080:8080 -p 3000:3000 openfga/openfga run
[!NOTE] When the HTTP server is enabled, it will attempt to establish an internal client connection to the gRPC server via unix domain socket. When it is not possible to establish a UDS, the client connection automatically falls back to using a TCP socket.
If running the Docker image using the --read-only option, the --tmpfs option must also be set in order to enable use of the unix domain socket. For example: --tmpfs /tmp
docker-compose.yaml provides an example of how to launch OpenFGA with Postgres using docker compose.
curl -LO https://openfga.dev/docker-compose.yaml
docker compose up
If you are a Homebrew user, you can install OpenFGA with the following command:
brew install openfga
Download your platform's latest release and extract it. Then run the binary with the command:
./openfga run
[!NOTE]
Make sure you have the latest version of Go installed. See the Go downloads page.
Using go install:
export PATH=$PATH:$(go env GOBIN) # make sure $GOBIN is on your $PATH
go install github.com/openfga/openfga/cmd/openfga
openfga run
Using go build:
git clone https://github.com/openfga/openfga.git && cd openfga
go build -o ./openfga ./cmd/openfga
./openfga run
Now that you have installed OpenFGA, you can test your installation by creating an OpenFGA Store.
curl -X POST 'localhost:8080/stores' \
--header 'Content-Type: application/json' \
--data-raw '{"name": "openfga-demo"}'
If everything is running correctly, you should get a response with information about the newly created store, for example:
{
  "id": "01G3EMTKQRKJ93PFVDA1SJHWD2",
  "name": "openfga-demo",
  "created_at": "2022-05-19T17:11:12.888680Z",
  "updated_at": "2022-05-19T17:11:12.888680Z"
}
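A check for that response, as an added example rather than code from the OpenFGA project: it validates the fields shown above and, assuming the store id is a ULID (the page does not say so), confirms that the timestamp embedded in the id agrees with created_at. The function names, the SAMPLE constant and the 1000 ms tolerance are assumptions made for illustration.

```python
import calendar
import json
import re
from datetime import datetime

# Response body copied from the sample above; nothing is fetched from a server.
SAMPLE = ('{"id": "01G3EMTKQRKJ93PFVDA1SJHWD2", "name": "openfga-demo", '
          '"created_at": "2022-05-19T17:11:12.888680Z", '
          '"updated_at": "2022-05-19T17:11:12.888680Z"}')
CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # ULID base32 alphabet
ULID_RE = re.compile(r"[0-7][0-9A-HJKMNP-TV-Z]{25}")
TS_RE = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z")

def ulid_millis(ulid):
    """Decode the 48-bit millisecond timestamp held in the first 10 characters."""
    if not ULID_RE.fullmatch(ulid):
        raise ValueError(f"id is not a ULID: {ulid!r}")
    return sum(CROCKFORD.index(c) * 32 ** (9 - i) for i, c in enumerate(ulid[:10]))

def timestamp_millis(text):
    """Convert an RFC 3339 UTC timestamp (any fraction length) to epoch ms."""
    match = TS_RE.fullmatch(text)
    if not match:
        raise ValueError(f"unexpected timestamp: {text!r}")
    moment = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    millis = int((match.group(2) or "0")[:3].ljust(3, "0"))
    return calendar.timegm(moment.timetuple()) * 1000 + millis

def check_store_response(body, expected_name, max_skew_ms=1000):
    """Return a list of problems; an empty list means the response looks sane."""
    store = json.loads(body)
    for key in ("id", "name", "created_at", "updated_at"):
        if not isinstance(store.get(key), str):
            return [f"missing or non-string field: {key}"]
    problems = []
    if store["name"] != expected_name:
        problems.append(f"name is {store['name']!r}, not {expected_name!r}")
    try:
        # Assumption: the id is minted within max_skew_ms of created_at.
        skew = abs(ulid_millis(store["id"]) - timestamp_millis(store["created_at"]))
    except ValueError as err:
        return problems + [str(err)]
    if skew > max_skew_ms:
        problems.append(f"id timestamp is {skew} ms away from created_at")
    return problems

if __name__ == "__main__":
    print(check_store_response(SAMPLE, "openfga-demo") or "store response OK")
```

Because the id decodes to the creation time, treat store ids as identifiers only and never as secrets.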
The Playground lets you model, visualize, and test authorization setups. By default, it’s available at: http://localhost:3000/playground
[!NOTE]
The Playground is intended for local development only.
It can currently only be configured to connect to an OpenFGA server running on localhost.
Disable it with:
./openfga run --playground-enabled=false
Change port:
./openfga run --playground-enabled --playground-port 3001
[!TIP] The OPENFGA_HTTP_ADDR environment variable can be used to configure the address at which the Playground expects the OpenFGA server to be. For example:
docker run -e OPENFGA_PLAYGROUND_ENABLED=true \
-e OPENFGA_HTTP_ADDR=0.0.0.0:4000 \
-p 4000:4000 -p 3000:3000 openfga/openfga run
This starts OpenFGA on port 4000 and configures the Playground accordingly.
Take a look at examples of how to:
📚 Explore the Documentation and API Reference.
The MySQL storage engine has stricter length limits on tuple properties than other backends. See docs.
💡 OpenFGA’s MySQL adapter was contributed by @twintag — thank you!
The OpenFGA team treats production-impacting issues with highest priority.
See organizations using OpenFGA in production: ADOPTERS.md. If your organization is using OpenFGA, please consider adding it to the list.
We welcome contributions and community participation.