Automic VaultAutomic Vault

brew

Install openfga with Homebrew, Nix, scoop

High performance and flexible authorization/permission engine. Version 1.18.1 via Homebrew; verified 2026-06-29.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install openfga

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#openfga

nixpkgs package indexes · pkgs/by-name/op/openfga/package.nix · source: api.github.com

Windows

Scoopverified · 92%
scoop install main/openfga

Scoop official bucket manifest trees · bucket/openfga.json · source: api.github.com

overview

Package summary

High performance and flexible authorization/permission engine

Commands and aliases

  • openfga

history

Project history and usage

OpenFGA is an open-source, Zanzibar-inspired fine-grained authorization service for modeling and checking relationships between users, objects, and permissions. It packages relationship-based access control behind HTTP APIs, SDKs, a CLI, a playground, and deployable server artifacts, giving application teams a shared authorization engine instead of embedding access-control rules separately in each service.

Project history

Auth0 announced OpenFGA on June 17, 2022 as the open-source engine powering Auth0 Fine Grained Authorization. The project was designed, built, and sponsored by Okta/Auth0, and its model follows the ideas in Google's Zanzibar paper while exposing a developer-facing modeling language and APIs for authorization checks.

The project moved quickly from initial release to a cloud-native operational shape. OpenFGA v1.0 was announced on April 14, 2023 for launch at KubeCon + CloudNativeCon Europe, with improvements such as a more readable authorization model language, ListObjects, OpenTelemetry tracing, Prometheus metrics, profiling, Helm-chart deployment, a PostgreSQL storage-adapter performance push, and expanded SDK support.

OpenFGA entered CNCF Sandbox status in September 2022 and was accepted as a CNCF Incubating project in November 2025. The CNCF incubation announcement describes the project as the foundation for Auth0 FGA and notes growing maintainer participation from companies beyond Okta/Auth0.

Adoption history

OpenFGA's adoption story is tied to the cloud-native search for externalized authorization. Its own site lists adopters including Auth0, Canonical, Docker, Grafana, Headspace, OpenObserve, Read AI, Sourcegraph, and Zuplo, while the CNCF incubation announcement reports public production acknowledgements from 37 companies and broader use by hundreds of companies.

The ecosystem expanded beyond the server itself through SDKs, storage adapters, tooling, and integrations. By the v1.0 announcement, community work included a MySQL storage adapter, SDKs for additional languages, and integrations with projects such as Open Policy Agent, Keycloak, Kratos, and SCIM; the later CNCF announcement also highlights SQLite, Terraform, VS Code, and IntelliJ ecosystem work.

How it is used

Developers use OpenFGA by writing an authorization model and then storing relationship tuples that bind users, relations, objects, and optional conditions. The Check API answers whether a user has a relation to an object, while ListObjects and related APIs help ask reverse questions such as which resources a user may access.

The modeling language can be authored as JSON or as a DSL that compiles to JSON before reaching the API. This makes the same authorization graph usable through direct API calls, SDKs, the CLI, the playground, and IDE extensions, while keeping the stored model close to Zanzibar's tuple-to-userset concepts.

Why package nerds care

For package nerds, OpenFGA is notable because it turns a research lineage from Google's Zanzibar into a package-manager-installable service with operational batteries: binaries, containers, Helm charts, SDKs, adapters, and migration-managed storage backends.

Its metadata also captures a broader trend: authorization is moving from application libraries toward standalone infrastructure, sitting near identity providers, service meshes, policy engines, and databases in the developer toolbox.

Timeline

  • June 2022: Auth0 announced OpenFGA as the open-source engine behind Auth0 Fine Grained Authorization.
  • September 2022: OpenFGA was accepted as a CNCF Sandbox project.
  • April 2023: OpenFGA v1.0 was announced for launch at KubeCon + CloudNativeCon Europe.
  • November 2025: CNCF accepted OpenFGA as an Incubating project.

Related projects

  • OpenFGA is directly related to Google's Zanzibar paper and to the commercial Auth0 FGA service. In the wider authorization ecosystem it sits near Open Policy Agent, Keycloak, Kratos, SCIM integrations, and other ReBAC/RBAC/ABAC tooling.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for openfga. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
/etc/openfga/config.yaml~/.openfga/config.yaml./config.yaml

executables

Installed executables

CommandKindExposureNote
openfgacliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.18.1
manager updated2026-06-29
local dataok
upstreamcurrent
latest detectedv1.18.1

https://github.com/openfga/openfga

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:openfga
Version1.18.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/openfga
Homepagehttps://openfga.dev/
Repositoryhttps://github.com/openfga/openfga
Upstream docshttps://github.com/openfga/openfga#readme
LicenseApache-2.0
Source archivehttps://github.com/openfga/openfga/archive/refs/tags/v1.18.1.tar.gz
Last updated2026-06-29T21:18:42Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameopenfga
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

openfga

nix profile install nixpkgs#openfga
  • normalized package name match
  • Matched by: Openfga
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/op/openfga/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
Scoop95%

main/openfga

scoop install main/openfga
  • normalized package name match
  • Matched by: Openfga
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/openfga.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment