Learn how to set up your local development environment with FGA using the FGA Dev Docker image for isolated testing and schema development.
When developing with FGA, you can either connect to a managed WorkOS FGA instance or run a local FGA instance using the fga-dev Docker image. Each option has its own advantages depending on your workflow. This guide will help you choose the best approach and walk you through setting up a local instance if that fits your needs.
Managed WorkOS FGA instance: best for testing against production-like infrastructure and when you need persistent, shared data.
Pros | Cons |
---|---|
Data persists and is accessible by multiple clients | Data is shared (multiple consumers can overwrite each other’s data) |
Uses production infrastructure for performance and reliability | Consumes operation credits |
Local FGA instance: best for isolated development and testing, especially when you want to avoid using operation credits or need a clean environment for each run (such as in CI).
Pros | Cons |
---|---|
Isolated test environment | You must manage setup and teardown of data |
Does not use operation credits | Uses local resources and is not scalable |
The fga-dev Docker image provides a fully self-contained FGA environment using SQLite and local caching. This setup is not intended for production but is fine for local development, CI, and integration testing. It is less scalable than the managed instance because it cannot handle high concurrency, complex models, or large datasets.
This guide will show you how to use the fga-dev Docker image to spin up an isolated FGA instance on your machine.
To start this guide, you’ll need:
Create a docker-compose.yaml:

```yaml
version: '3.8'

services:
  fga-dev:
    image: public.ecr.aws/workos/fga-dev:latest-arm64
    user: root # Run as root to avoid permission issues with mounted volumes (non-production only)
    volumes:
      - fga-dev-volume:/data:rw,cached # Persist data between runs
    ports:
      - '8001:8001'
    environment:
      FGA_DEV_PORT: 8001
      FGA_DEV_AUTH_API_KEY: <your_workos_api_key> # Your staging WorkOS API key to authenticate the dev image
      FGA_DEV_TEST_API_KEY: test_key # A mock API key to authenticate FGA requests from your application

volumes:
  fga-dev-volume:
```
Start the server:
docker compose up -d
Configure your app:
Point your application’s WorkOS SDK or CLI to the proper host.
Use test_key as the API key for FGA requests from your app.
Environment | API Host |
---|---|
Local machine | http://localhost:8001 |
Separate Docker container | http://host.docker.internal:8001 |
Same Docker Compose network | http://fga-dev:8001 |
If you’re using the WorkOS SDK, you can set the API Hostname option to point to your local FGA instance. Since each SDK instance supports only one API Host, you may need to create a separate SDK instance specifically for FGA when testing against the local service.
Develop:
Apply schemas, create warrants, and test locally. All data persists in the Docker volume.
See Schema Management for how to apply a schema to your local instance and test authorization checks.
Shut down:
docker compose down
Clear all data (optional):
docker volume rm fga-dev-volume
Tip: Add a secondary Docker Compose service to seed your local instance with test data on startup.
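A variant of the docker-compose.yaml above for the "Local machine" case, added here as an example and not taken from the WorkOS documentation: it publishes the port on loopback only and reads the staging key from the environment rather than from the committed file. The variable name WORKOS_API_KEY is an assumption; everything else is carried over from the file above.

```yaml
version: '3.8'

services:
  fga-dev:
    image: public.ecr.aws/workos/fga-dev:latest-arm64
    user: root # As in the original file: avoids volume permission issues (non-production only)
    volumes:
      - fga-dev-volume:/data:rw,cached # Persist data between runs
    ports:
      # Bind to 127.0.0.1 instead of all interfaces, so other hosts on the
      # network cannot reach an instance that accepts the mock key "test_key".
      - '127.0.0.1:8001:8001'
    environment:
      FGA_DEV_PORT: 8001
      # Take the staging key from the shell or an untracked .env file so it never
      # lands in version control. WORKOS_API_KEY is an assumed name; Compose
      # stops with this message if the variable is unset or empty.
      FGA_DEV_AUTH_API_KEY: "${WORKOS_API_KEY:?set WORKOS_API_KEY to your staging WorkOS API key}"
      FGA_DEV_TEST_API_KEY: test_key # Mock key used by your application

volumes:
  fga-dev-volume:
```

When your application runs in the same Docker Compose network and reaches the service at http://fga-dev:8001, the ports entry can be dropped entirely, since containers on a shared network do not need a published port to talk to each other.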
You can also run the fga-dev image directly using docker run if you prefer not to use Docker Compose.

```bash
docker run -d \
  --name fga-dev \
  -p 8001:8001 \
  -e FGA_DEV_PORT=8001 \
  -e FGA_DEV_AUTH_API_KEY=<your_workos_api_key> \
  -e FGA_DEV_TEST_API_KEY=test_key \
  -v fga-dev-volume:/data:rw \
  --user root \
  public.ecr.aws/workos/fga-dev:latest-arm64
```
To stop and remove the container:
docker stop fga-dev && docker rm fga-dev
To remove the volume and reset all data:
docker volume rm fga-dev-volume
Consider the following best practices to ensure a smooth local development experience with FGA: