# Install openfga with Homebrew, Nix, scoop

High performance and flexible authorization/permission engine. Version 1.18.1 via Homebrew; verified 2026-06-29.

## Install

```sh
sudo av install brew:openfga
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install openfga
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#openfga
```

  Evidence: nixpkgs package indexes: pkgs/by-name/op/openfga/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

### Windows

- Scoop (92%):

```sh
scoop install main/openfga
```

  Evidence: Scoop official bucket manifest trees: bucket/openfga.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:openfga
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/openfga>
- **Version:** 1.18.1
- **Source summary:** High performance and flexible authorization/permission engine
- **Homepage:** <https://openfga.dev/>
- **Repository:** <https://github.com/openfga/openfga>
- **Upstream docs:** <https://github.com/openfga/openfga#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/openfga/openfga/archive/refs/tags/v1.18.1.tar.gz>
- **Last updated:** 2026-06-29T21:18:42Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- openfga (cli)
- openfga (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.18.1
- Package-manager updated: 2026-06-29
- Local data: ok
- Upstream repository: https://github.com/openfga/openfga
- Upstream latest detected: v1.18.1 (current)
## Project history and usage

OpenFGA is an open-source, Zanzibar-inspired fine-grained authorization service for modeling and checking relationships between users, objects, and permissions. It packages relationship-based access control behind HTTP APIs, SDKs, a CLI, a playground, and deployable server artifacts, giving application teams a shared authorization engine instead of embedding access-control rules separately in each service.

### Project history

Auth0 announced OpenFGA on June 17, 2022 as the open-source engine powering Auth0 Fine Grained Authorization. The project was designed, built, and sponsored by Okta/Auth0, and its model follows the ideas in Google's Zanzibar paper while exposing a developer-facing modeling language and APIs for authorization checks.

The project moved quickly from initial release to a cloud-native operational shape. OpenFGA v1.0 was announced on April 14, 2023 for launch at KubeCon + CloudNativeCon Europe, with improvements such as a more readable authorization model language, ListObjects, OpenTelemetry tracing, Prometheus metrics, profiling, Helm-chart deployment, a PostgreSQL storage-adapter performance push, and expanded SDK support.

OpenFGA entered CNCF Sandbox status in September 2022 and was accepted as a CNCF Incubating project in November 2025. The CNCF incubation announcement describes the project as the foundation for Auth0 FGA and notes growing maintainer participation from companies beyond Okta/Auth0.

### Adoption history

OpenFGA's adoption story is tied to the cloud-native search for externalized authorization. Its own site lists adopters including Auth0, Canonical, Docker, Grafana, Headspace, OpenObserve, Read AI, Sourcegraph, and Zuplo, while the CNCF incubation announcement reports public production acknowledgements from 37 companies and broader use by hundreds of companies.

The ecosystem expanded beyond the server itself through SDKs, storage adapters, tooling, and integrations. By the v1.0 announcement, community work included a MySQL storage adapter, SDKs for additional languages, and integrations with projects such as Open Policy Agent, Keycloak, Kratos, and SCIM; the later CNCF announcement also highlights SQLite, Terraform, VS Code, and IntelliJ ecosystem work.

### How it is used

Developers use OpenFGA by writing an authorization model and then storing relationship tuples that bind users, relations, objects, and optional conditions. The Check API answers whether a user has a relation to an object, while ListObjects and related APIs help ask reverse questions such as which resources a user may access.

The modeling language can be authored as JSON or as a DSL that compiles to JSON before reaching the API. This makes the same authorization graph usable through direct API calls, SDKs, the CLI, the playground, and IDE extensions, while keeping the stored model close to Zanzibar's tuple-to-userset concepts.

### Why package nerds care

For package nerds, OpenFGA is notable because it turns a research lineage from Google's Zanzibar into a package-manager-installable service with operational batteries: binaries, containers, Helm charts, SDKs, adapters, and migration-managed storage backends.

Its metadata also captures a broader trend: authorization is moving from application libraries toward standalone infrastructure, sitting near identity providers, service meshes, policy engines, and databases in the developer toolbox.

### Timeline

- June 2022: Auth0 announced OpenFGA as the open-source engine behind Auth0 Fine Grained Authorization.
- September 2022: OpenFGA was accepted as a CNCF Sandbox project.
- April 2023: OpenFGA v1.0 was announced for launch at KubeCon + CloudNativeCon Europe.
- November 2025: CNCF accepted OpenFGA as an Incubating project.

### Related projects

- OpenFGA is directly related to Google's Zanzibar paper and to the commercial Auth0 FGA service. In the wider authorization ecosystem it sits near Open Policy Agent, Keycloak, Kratos, SCIM integrations, and other ReBAC/RBAC/ABAC tooling.

### Sources

- <https://auth0.com/blog/auth0s-openfga-open-source-fine-grained-authorization-system/>
- <https://auth0.com/blog/openfga-v10-a-new-milestone-in-cloud-native-authorization-systems/>
- <https://github.com/openfga/openfga>
- <https://openfga.dev/>
- <https://openfga.dev/docs/concepts>
- <https://openfga.dev/docs/configuration-language>
- <https://raw.githubusercontent.com/openfga/openfga/main/RELEASES.md>
- <https://www.cncf.io/blog/2025/11/11/openfga-becomes-a-cncf-incubating-project/>


## Security Notes

No matching local secret-handling manifest was found for openfga. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: /etc/openfga/config.yaml, ~/.openfga/config.yaml, ./config.yaml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** openfga
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - openfga: normalized package name match | nixpkgs package indexes: pkgs/by-name/op/openfga/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Scoop - main/openfga: normalized package name match | Scoop official bucket manifest trees: bucket/openfga.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Homebrew utility packages](https://www.automicvault.com/pkg/brew-utility-packages/) - Matched Homebrew package provider.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [permify](https://www.automicvault.com/pkg/brew/permify/) - Shares av.db curated category or tags: authorization, cli, rbac, rebac, security.
- [spicedb](https://www.automicvault.com/pkg/brew/spicedb/) - Shares av.db curated category or tags: access-control, authorization, cli, security, zanzibar.
- [authz0](https://www.automicvault.com/pkg/brew/authz0/) - Shares av.db curated category or tags: authorization, cli, security.
- [fwknop](https://www.automicvault.com/pkg/brew/fwknop/) - Shares av.db curated category or tags: access-control, cli, security.
- [knock](https://www.automicvault.com/pkg/brew/knock/) - Shares av.db curated category or tags: access-control, cli, security.
- [libselinux](https://www.automicvault.com/pkg/brew/libselinux/) - Shares av.db curated category or tags: access-control, cli, security.
- [opa](https://www.automicvault.com/pkg/brew/opa/) - Shares av.db curated category or tags: authorization, cli, security.
- [pomerium](https://www.automicvault.com/pkg/brew/pomerium/) - Shares av.db curated category or tags: access-control, cli, security.

## Combined YAML source

View the package source record on GitHub. [combined/openfga.yml](https://github.com/automic-vault/db/blob/main/combined/openfga.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
