Start with Identity
Authorization

OpenFGA

Founded 2022Distributed (CNCF project, originated at Auth0/Okta)Open source (CNCF)Score 4.2/5Evaluated 2026-06-19Website ↗

Capability scores

Methodology →
Authentication
1.5
SSO & Federation
1.5
Authorization
4.7
Lifecycle & Provisioning
3.0
MFA & Passwordless
1.0
Governance & Audit
3.5
Developer Experience
4.3
Deployment Flexibility
4.5
Pricing Transparency
4.5
Support & Ecosystem
3.5

Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.

Overview

OpenFGA is a CNCF-hosted, Apache 2.0 licensed authorization engine implementing Google's Zanzibar relationship-based model (ReBAC). It originated at Auth0/Okta and was donated to the CNCF, where it has become the de facto open-source choice for fine-grained, relationship-driven permissions. You define object types and the relations between them, write relationship tuples, and check access with low latency. It is the open community counterpart to AuthZed's SpiceDB, with which it shares the same Zanzibar lineage.

What it is good at

The relationship model is the strength. Hierarchical and shared-resource permissions (folders containing documents, teams owning projects, nested groups) that RBAC struggles with become natural to express. The DSL, visual playground, and SDKs across major languages make modeling approachable, and self-hosting is straightforward backed by Postgres or MySQL. As a CNCF project the licensing and governance are vendor-neutral, which matters for teams that want long-term independence. Pricing transparency is high because the core is simply free and open source.

Where it falls short

As a pure engine it deliberately does nothing on authentication, SSO, or MFA, so those scores are low by design. Governance tooling (audit, change management, collaboration) is thinner than a packaged commercial product unless you buy Okta FGA, the managed offering. Performance at very large tuple counts requires care around store design and caching, and ReBAC is over-engineering if your model is simple RBAC.

Pricing

Free and open source under Apache 2.0 for self-hosting; you own operations. Okta FGA provides a managed, paid version with support and SLAs. Model self-hosted versus managed costs with the TCO calculator.

Best for, and who should look elsewhere

Choose OpenFGA if you need Zanzibar-style ReBAC and are comfortable running infrastructure or paying for the managed version. Compare OpenFGA vs AuthZed for the other Zanzibar engine, OpenFGA vs Cerbos for ReBAC versus policy-as-code, and the three-way OpenFGA vs AuthZed vs Cerbos. See the authorization guide.

Bottom line

The de facto open-source, vendor-neutral choice for Zanzibar-style ReBAC, ideal for teams comfortable operating infrastructure or willing to pay for the managed Okta FGA edition.

By SWI Community Team · Last evaluated 2026-06-19

Independent, community-driven analysis. No vendor sponsorship. Compiled from public research and community input and verified on a best-effort basis, so details may be incomplete or out of date. Scores are opinions, not advice. Trademarks belong to their owners; mention does not imply affiliation or endorsement. See the full disclaimer, or send corrections to community@startwithidentity.com.