macOS
brew install openfgalocal Homebrew formula metadata
brew
High performance and flexible authorization/permission engine. Version 1.18.1 via Homebrew; verified 2026-06-29.
install
brew install openfgalocal Homebrew formula metadata
nix profile install nixpkgs#openfganixpkgs package indexes · pkgs/by-name/op/openfga/package.nix · source: api.github.com
scoop install main/openfgaScoop official bucket manifest trees · bucket/openfga.json · source: api.github.com
overview
High performance and flexible authorization/permission engine
history
OpenFGA is an open-source, Zanzibar-inspired fine-grained authorization service for modeling and checking relationships between users, objects, and permissions. It packages relationship-based access control behind HTTP APIs, SDKs, a CLI, a playground, and deployable server artifacts, giving application teams a shared authorization engine instead of embedding access-control rules separately in each service.
Auth0 announced OpenFGA on June 17, 2022 as the open-source engine powering Auth0 Fine Grained Authorization. The project was designed, built, and sponsored by Okta/Auth0, and its model follows the ideas in Google's Zanzibar paper while exposing a developer-facing modeling language and APIs for authorization checks.
The project moved quickly from initial release to a cloud-native operational shape. OpenFGA v1.0 was announced on April 14, 2023 for launch at KubeCon + CloudNativeCon Europe, with improvements such as a more readable authorization model language, ListObjects, OpenTelemetry tracing, Prometheus metrics, profiling, Helm-chart deployment, a PostgreSQL storage-adapter performance push, and expanded SDK support.
OpenFGA entered CNCF Sandbox status in September 2022 and was accepted as a CNCF Incubating project in November 2025. The CNCF incubation announcement describes the project as the foundation for Auth0 FGA and notes growing maintainer participation from companies beyond Okta/Auth0.
OpenFGA's adoption story is tied to the cloud-native search for externalized authorization. Its own site lists adopters including Auth0, Canonical, Docker, Grafana, Headspace, OpenObserve, Read AI, Sourcegraph, and Zuplo, while the CNCF incubation announcement reports public production acknowledgements from 37 companies and broader use by hundreds of companies.
The ecosystem expanded beyond the server itself through SDKs, storage adapters, tooling, and integrations. By the v1.0 announcement, community work included a MySQL storage adapter, SDKs for additional languages, and integrations with projects such as Open Policy Agent, Keycloak, Kratos, and SCIM; the later CNCF announcement also highlights SQLite, Terraform, VS Code, and IntelliJ ecosystem work.
Developers use OpenFGA by writing an authorization model and then storing relationship tuples that bind users, relations, objects, and optional conditions. The Check API answers whether a user has a relation to an object, while ListObjects and related APIs help ask reverse questions such as which resources a user may access.
The modeling language can be authored as JSON or as a DSL that compiles to JSON before reaching the API. This makes the same authorization graph usable through direct API calls, SDKs, the CLI, the playground, and IDE extensions, while keeping the stored model close to Zanzibar's tuple-to-userset concepts.
For package nerds, OpenFGA is notable because it turns a research lineage from Google's Zanzibar into a package-manager-installable service with operational batteries: binaries, containers, Helm charts, SDKs, adapters, and migration-managed storage backends.
Its metadata also captures a broader trend: authorization is moving from application libraries toward standalone infrastructure, sitting near identity providers, service meshes, policy engines, and databases in the developer toolbox.
security posture
No matching local secret-handling manifest was found for openfga. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
/etc/openfga/config.yaml~/.openfga/config.yaml./config.yamlexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
openfga | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/openfga/openfga
install metadata
| Package key | brew:openfga |
|---|---|
| Version | 1.18.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/openfga |
| Homepage | https://openfga.dev/ |
| Repository | https://github.com/openfga/openfga |
| Upstream docs | https://github.com/openfga/openfga#readme |
| License | Apache-2.0 |
| Source archive | https://github.com/openfga/openfga/archive/refs/tags/v1.18.1.tar.gz |
| Last updated | 2026-06-29T21:18:42Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | openfga |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
openfga
nix profile install nixpkgs#openfgamain/openfga
scoop install main/openfgasource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.