
github.com/openfga/openfga @v1.18.1 sqlite

4,414 symbols 30,268 edges 462 files 1,887 documented · 43%
README

OpenFGA


OpenFGA is a high-performance, flexible authorization/permission engine inspired by Google Zanzibar. It helps developers easily model and enforce fine-grained access control in their applications.

Quickstart

[!IMPORTANT]
The following steps are meant for quick local setup and evaluation.
When using the default in-memory storage engine, data is ephemeral and will be discarded once the service stops.

For details on configuring storage backends, tuning performance, and deploying OpenFGA securely in production-ready environments, refer to the documentation: Running in Production.

Run OpenFGA with in-memory storage (⚠️ not for production):

docker run -p 8080:8080 -p 3000:3000 openfga/openfga run

Once running, create a store:

curl -X POST 'localhost:8080/stores' \
  --header 'Content-Type: application/json' \
  --data-raw '{"name": "openfga-demo"}'

Installation

Docker

OpenFGA is available on Docker Hub, so you can quickly start it using the in-memory datastore by running the following commands:

docker pull openfga/openfga
docker run -p 8080:8080 -p 3000:3000 openfga/openfga run

[!NOTE] When the HTTP server is enabled, it will attempt to establish an internal client connection to the gRPC server via unix domain socket. When it is not possible to establish a UDS, the client connection automatically falls back to using a TCP socket.

If running the Docker image using the --read-only option, the --tmpfs option must also be set to enable use of the Unix domain socket. For example: --tmpfs /tmp

Docker Compose

docker-compose.yaml provides an example of how to launch OpenFGA with Postgres using docker compose.

curl -LO https://openfga.dev/docker-compose.yaml
docker compose up

Homebrew

If you are a Homebrew user, you can install OpenFGA with the following command:

brew install openfga

Precompiled Binaries

Download your platform's latest release and extract it. Then run the binary with the command:

./openfga run

Build from Source

[!NOTE]
Make sure you have the latest version of Go installed. See the Go downloads page.

go install

export PATH=$PATH:$(go env GOBIN) # make sure $GOBIN is on your $PATH
go install github.com/openfga/openfga/cmd/openfga
openfga run

go build

git clone https://github.com/openfga/openfga.git && cd openfga
go build -o ./openfga ./cmd/openfga
./openfga run

Verify Installation

Now that you have installed OpenFGA, you can test your installation by creating an OpenFGA Store.

curl -X POST 'localhost:8080/stores' \
  --header 'Content-Type: application/json' \
  --data-raw '{"name": "openfga-demo"}'

If everything is running correctly, you should get a response with information about the newly created store, for example:

{
  "id": "01G3EMTKQRKJ93PFVDA1SJHWD2",
  "name": "openfga-demo",
  "created_at": "2022-05-19T17:11:12.888680Z",
  "updated_at": "2022-05-19T17:11:12.888680Z"
}

Playground

The Playground lets you model, visualize, and test authorization setups. By default, it’s available at: http://localhost:3000/playground

[!NOTE]
The Playground is intended for local development only.
It can currently only be configured to connect to an OpenFGA server running on localhost.

Disable it with:

./openfga run --playground-enabled=false

Change port:

./openfga run --playground-enabled --playground-port 3001

[!TIP] The OPENFGA_HTTP_ADDR environment variable can be used to configure the address at which the Playground expects the OpenFGA server to be.

For example:

docker run -e OPENFGA_PLAYGROUND_ENABLED=true \
  -e OPENFGA_HTTP_ADDR=0.0.0.0:4000 \
  -p 4000:4000 -p 3000:3000 openfga/openfga run

This starts OpenFGA on port 4000 and configures the Playground accordingly.

Next Steps

Take a look at examples of how to:

📚 Explore the Documentation and API Reference.

Limitations

MySQL Storage engine

The MySQL storage engine has stricter length limits on tuple properties than other backends. See docs.

💡 OpenFGA’s MySQL adapter was contributed by @twintag — thank you!

Production Readiness

  • ✅ Used in production by Auth0 FGA since December 2021
  • ⚠️ Memory storage adapter is for development only
  • 🗄 Supported storage: PostgreSQL 14+, MySQL 8, SQLite (beta)
  • 📘 See Running in Production

The OpenFGA team treats production-impacting issues with highest priority.

See organizations using OpenFGA in production: ADOPTERS.md. If your organization is using OpenFGA, please consider adding it to the list.

Contributing & Community

We welcome contributions and community participation.

Extension points exported contracts — how you extend this code

RelationshipTupleReader (Interface)
RelationshipTupleReader is an interface that defines the set of methods required to read relationship tuples from a data [14 …
pkg/storage/storage.go
Checker (Interface)
Checker runs a single authorization check. [25 implementers]
pkg/server/commands/check.go
ObjectStore (Interface)
ObjectStore reads relationship tuples from storage. [21 implementers]
internal/listobjects/pipeline/pipeline.go
TestClientBootstrapper (Interface)
TestClientBootstrapper defines a client interface definition that can be used by tests to bootstrap OpenFGA resources (s [7 …
tests/tests.go
Encoder (Interface)
Encoder is an interface that defines methods for decoding and encoding data. [5 implementers]
pkg/encoder/encoder.go
DatastoreTestContainer (Interface)
DatastoreTestContainer represents a runnable container for testing specific datastore engines. [4 implementers]
pkg/testfixtures/storage/storage.go
Transport (Interface)
Transport is the interface to work with the transport layer. [4 implementers]
pkg/gateway/transport.go
Selector (Interface)
Selector defines the interface for managing strategy selection and stats for a single key. [3 implementers]
internal/planner/interface.go

Core symbols most depended-on inside this repo

Run
called by 2089
cmd/run/run.go
NewTupleKey
called by 1870
pkg/tuple/tuple.go
Equal
called by 1699
internal/condition/types/ipaddress.go
String
called by 705
pkg/tuple/tuple.go
Cleanup
called by 674
internal/listobjects/pipeline/internal/worker/core.go
String
called by 655
pkg/server/commands/reverseexpand/reverse_expand.go
Error
called by 639
pkg/logger/logger.go
NewStaticTupleIterator
called by 390
pkg/storage/tuple_iterators.go

Shape

Function 2,207
Method 1,549
Struct 487
Interface 70
FuncType 60
TypeAlias 41

Languages

Go 100%

Modules by API surface

internal/mocks/mock_storage.go · 144 symbols
pkg/storage/cache/keys/xtypes_test.go · 87 symbols
pkg/server/server.go · 84 symbols
pkg/storage/cache/keys/build_test.go · 68 symbols
pkg/storage/sqlcommon/sqlcommon.go · 64 symbols
pkg/typesystem/typesystem.go · 63 symbols
pkg/tuple/tuple.go · 60 symbols
pkg/storage/storage.go · 57 symbols
internal/listobjects/pipeline/internal/worker/worker_test.go · 50 symbols
pkg/server/server_test.go · 49 symbols
pkg/storage/tuple_iterators.go · 48 symbols
pkg/storage/postgres/postgres.go · 47 symbols

Used by 2 indexed graphs manifest dependencies, hub-wide

Dependencies from manifests, versioned

cel.dev/expr v0.25.1 · 1×
cloud.google.com/go/compute/metadata v0.9.0 · 1×
filippo.io/edwards25519 v1.2.0 · 1×
github.com/IBM/pgxpoolprometheus v1.1.3 · 1×
github.com/MicahParks/keyfunc/v2 v2.1.0 · 1×
github.com/Microsoft/go-winio v0.6.2 · 1×
github.com/Yiling-J/theine-go v0.6.2 · 1×
github.com/antlr4-go/antlr/v4 v4.13.1 · 1×
github.com/beorn7/perks v1.0.1 · 1×

Datastores touched

postgres · Database · 1 repos
(mysql) · Database · 1 repos
datastore · Database · 1 repos
dbname · Database · 1 repos

For agents

$ claude mcp add openfga \
  -- python -m otcore.mcp_server <graph>
