Fine-Grained Authorization

Flexible? Fast? Scalable? Check. Check. Check.

Granular access control and fast authorization checks at scale. Build and deploy modern apps with a fully managed FGA solution.

Get started
Read the docs

One system. Millions of uses.

Define precise access controls that go beyond RBAC. Implement fine-grained permissions in a single, flexible system.

Future-proof your permissions model.

Say goodbye to refactoring permissions. WorkOS FGA enables you to accelerate development by decoupling permissions from your core application logic.

Without FGA
With FGA

if user.isAdmin() || user.isSuperUser() ||
(user.isEditor() && user.canAccess("dash:admin")) ||
user.IsMember("group:company-admins") {
    // do privileged business logic
    report.runAdminQuery()
}


if fga.check(user, "view-dashboard", "org:acme") {
    // do privileged business logic
    report.runAdminQuery()
}

Monoliths to microservices, FGA works everywhere.

A centralized, single source of truth for your permissions that scales with your growth.

Running globally at the speed of light.

Easily handle high traffic permissions checks with minimal latency. Guaranteed reliability backed by multi-region redundancy and elastic auto-scaling.

Add fine-grained authorization to any application.

Read the docs
Get your API key
Node.js
Python
Go
Kotlin
cURL

import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456789');

const checkResult = await workos.fga.check({
  checks: [
    {
      resource: {
        resourceType: 'report',
        resourceId: 'avk2837',
      },
      relation: 'viewer',
      subject: {
        resourceType: 'user',
        resourceId: '5djfs6',
      },
    },
  ],
});

if (checkResult.isAuthorized()) {
  console.log('User is authorized to view the report');
}



from workos import WorkOSClient
from workos.types.fga import WarrantCheckInput

workos_client = WorkOSClient( 
  api_key="sk_example_123456789", client_id="example_id" 
)

check: WarrantCheckInput = (
  {
    "subject": { 
      "resource_type": "user",
      "resource_id": "5djfs6",
    },
    "relation": "viewer",
    "resource_type": "report",
    "resource_id": "avk2837",
  },
)

check_result = workos_client.fga.check(checks=[check])

if check_result.authorized():
  print("User is authorized to view the report")



package main

import (
    "context"

    "github.com/workos/workos-go/v4/pkg/fga"
)

func main() {
    fga.SetAPIKey(
        "sk_example_123456789",
    )

    checkResult, err := fga.Check(
        context.Background(),
        fga.CheckOpts{
            Checks: []fga.WarrantCheck{
                {
                    ResourceType: "report",
                    ResourceId:   "avk2837",
                    Relation:     "viewer",
                    Subject: fga.Subject{
                        ResourceType: "user",
                        ResourceId:   "5djfs6",
                    },
                },
            },
        },
    )

    if checkResult.Authorized() {
        // User is authorized to view the report
    }
}


import com.workos.WorkOS;
import com.workos.fga.builders.CheckOptionsBuilder;
import com.workos.fga.models.CheckResponse;
import com.workos.fga.types.CheckOptions;

WorkOS workos = new WorkOS("sk_example_123456789");

List<WarrantCheckOptions> warrantCheckOptions = new ArrayList<WarrantCheckOptions>(
    new WarrantCheckOptions("report", "avk2837", "member", Subject("user", "5djfs6")), );
CheckOptions options = new CheckOptionsBuilder(warrantCheckOptions).build();
CheckResponse checkResult = workos.fga.check(options);















curl "https://api.workos.com/fga/v1/check" \
  -X POST \
  -H "Authorization: Bearer sk_example_123456789" \
  --data-raw \
  '{
    "checks": [
      {
        "resource_type": "report",
        "resource_id": "avk2837",
        "relation": "viewer",
        "subject": {
          "resource_type": "user",
          "resource_id": "5djfs6"
        }
      }
    ]
  }'

  • Decoupled authorization

    Replace complex, conditional authorization logic with simple REST APIs.

  • Authorization as schema

    Build any authorization model with a simple schema language.

  • Fast runtime APIs

    Performance-optimized check and query APIs to enable fast permissions checks.

Go beyond RBAC

Express any authorization model including RBAC, ReBAC, ABAC, organization hierarchies, and entitlements with a simple schema language.

RBAC
ReBAC
ABAC
Org Hierarchies
Entitlements
RBAC
ReBAC
ABAC
Org Hierarchies
Entitlements
RBAC
ReBAC
ABAC
Org Hierarchies
Entitlements
RBAC
ReBAC
ABAC
Org Hierarchies
Entitlements

Debug and audit everything

All system operations are automatically logged for easy, real-time permissions audits and debugging.

Secure, out of the box

We check all the boxes so you can focus on what you do best, 
building your app and serving your customers.

Get started today, for free

Add FGA to your application today.

The free tier includes 10M operations per month.

View pricing details
Fine-Grained Authorization Quick Start

Jump into the docs and start building in minutes.

View examples in the docs

Learn how to use FGA following examples with prebuilt schemas.

This site uses cookies to improve your experience. Please accept the use of cookies on this site. You can review our cookie policy here and our privacy policy here. If you choose to refuse, functionality of this site will be limited.