OpenFGA Authorization Policy

This policy will authorize requests using OpenFGA. If the request is not authorized, a 403 response will be returned.


This policy is in beta. You can use it today, but it may change in non-backward compatible ways before the final release.


The configuration shows how to configure the policy in the 'policies.json' document.

{ "name": "my-openfga-authz-inbound-policy", "policyType": "openfga-authz-inbound", "handler": { "export": "OpenFGAAuthZInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "apiUrl": "https://api.us1.fga.dev", "authorizationModelId": "$env(FGA_MODEL_ID)", "credentials": { "method": "client-credentials", "clientId": "$env(FGA_CLIENT_ID)", "clientSecret": "$env(FGA_CLIENT_SECRET)", "apiAudience": "https://api.us1.fga.dev/", "oauthTokenEndpointUrl": "https://fga.us.auth0.com/oauth/token" }, "storeId": "$env(FGA_STORE_ID)" } } }

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • apiUrl <string> (Required) -
    The URL of the OpenFGA service.
  • storeId <string> (Required) -
    The ID of the store.
  • authorizationModelId <string> (Required) -
    The ID of the authorization model.
  • allowUnauthorizedRequests <boolean> -
    Indicates whether the request should continue if authorization fails. Default is false which means unauthorized users will automatically receive a 403 response.
    Defaults to false.
  • credentials <object | object | object | object> (Required) -

Using the Policy

Read more about how policies work

Okta FGA Authorization