OpenFGA Achieves CNCF Incubation Status

Cloud Native Security

OpenFGA, the authorization engine inspired by Google's Zanzibar, has achieved CNCF Incubation status. It provides scalable, fine-grained access control via ReBAC, simplifying security for modern distributed systems.

The CNCF Technical Oversight Committee (TOC) has voted to accept OpenFGA as a CNCF incubating project.

What is OpenFGA?

OpenFGA is an authorization engine designed to address the challenges of implementing complex access control at scale in modern software applications. Inspired by Google’s global access control system, Zanzibar, OpenFGA leverages Relationship-Based Access Control (ReBAC). This approach allows developers to define permissions based on relationships between users and objects (e.g., who can view which document).

By serving as an external service with an API and multiple SDKs, OpenFGA centralizes and abstracts authorization logic away from application code. This separation of concerns significantly improves developer velocity by simplifying security implementation and ensures that access rules are consistent, scalable, and easy to audit across all services, solving a critical complexity problem for developers building distributed systems.

OpenFGA’s History

OpenFGA was initially developed by a group of Okta employees and forms the foundation for the Auth0 FGA commercial offering. The project was accepted as a CNCF Sandbox project in September 2022. Since then, it has been deployed by hundreds of companies and has received significant contributions. Key milestones and updates include:

  • Over 37 companies publicly acknowledge using OpenFGA in production.
  • Engineers from Grafana Labs and Gitpod have joined as official maintainers.
  • OpenFGA was invited to present on the Maintainer’s track at KubeCon + CloudNativeCon Europe 2025.
  • New storage adapters were contributed, including MySQL by TwinTag and SQLite by Grafana Labs.
  • Monthly OpenFGA community meetings commenced in April 2023.
  • Significant developer experience enhancements, such as new SDKs for Python and Java, IDE integrations with VS Code and IntelliJ, and a CLI with model testing support.
  • A Terraform Provider was donated to the project.
  • A new caching implementation and multiple performance improvements were shipped over the last year.
  • Introduced the ListObjects endpoint to retrieve all resources a user has a specific relation with, and the ListUsers endpoint to retrieve all users that have a specific relation with a resource.
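
The relationship-based model described under "What is OpenFGA?" and the ListObjects and ListUsers queries from the last milestone are illustrated by the following added example, which is not OpenFGA's code or API. The tuple layout, the model dictionary and the function names are assumptions made for illustration, and the sample data is constructed.

```python
# Added illustration of ReBAC evaluation; not OpenFGA code or its API.
# Constructed relationship tuples: (object, relation, user-or-object).
TUPLES = {
    ("folder:finance", "viewer", "user:anne"),
    ("doc:budget", "parent", "folder:finance"),
    ("doc:budget", "editor", "user:bob"),
    ("doc:roadmap", "viewer", "user:bob"),
}

# Hypothetical model: a relation is granted by a direct tuple, by another
# relation on the same object ("implied_by"), or by a relation on a linked
# object ("from": (linking relation, relation required on the linked object)).
MODEL = {
    "folder": {"viewer": {}},
    "doc": {
        "parent": {},
        "editor": {},
        "viewer": {"implied_by": ["editor"], "from": [("parent", "viewer")]},
    },
}

def check(user, relation, obj, seen=None):
    """Return True if `user` has `relation` on `obj` under MODEL."""
    seen = seen if seen is not None else set()
    if (obj, relation) in seen:  # guard against cyclic tuples
        return False
    seen.add((obj, relation))
    rule = MODEL.get(obj.split(":")[0], {}).get(relation)
    if rule is None:  # unknown type or relation: deny by default
        return False
    if (obj, relation, user) in TUPLES:
        return True
    if any(check(user, r, obj, seen) for r in rule.get("implied_by", [])):
        return True
    for link, rel in rule.get("from", []):
        for o, r, target in TUPLES:
            if o == obj and r == link and check(user, rel, target, seen):
                return True
    return False

def list_objects(user, relation, obj_type):
    """All objects of `obj_type` that `user` has `relation` with."""
    objs = {o for o, _, _ in TUPLES if o.startswith(obj_type + ":")}
    return sorted(o for o in objs if check(user, relation, o))

def list_users(obj, relation):
    """All users that have `relation` with `obj`."""
    users = {u for _, _, u in TUPLES if u.startswith("user:")}
    return sorted(u for u in users if check(u, relation, obj))
```

Here anne can view doc:budget only through the parent folder and bob only through his editor relation, so neither grant appears as a direct viewer tuple on the document.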

Furthermore, OpenFGA integrates seamlessly with multiple CNCF projects:

Perspective from Maintainers and the TOC

Maintainers highlight OpenFGA's viability as an authorization solution, noting that successful production deployments demonstrate its strength. They believe CNCF Incubation will enhance credibility and visibility, attracting a wider range of contributors and ensuring long-term sustainability. This phase is expected to foster the collective development of a definitive, centralized fine-grained authorization service trusted by the cloud-native ecosystem.

Another maintainer commented on the welcoming community experience when Grafana adopted OpenFGA, expressing enthusiasm for continued collaboration on platform enhancements within the CNCF framework.

CNCF TOC representatives acknowledge authorization as a critical challenge in distributed systems, praising OpenFGA's clean, scalable, and adoptable solution. Its ReBAC model and API-first approach simplify access control, reducing custom application logic. They were particularly impressed by the project's momentum, community growth, diverse maintainers, and real-world production deployments, positioning OpenFGA as a foundational component for secure, cloud-native applications.

A TOC sponsor, who worked closely with the maintainers, commended their deep technical rigor and commitment. They noted that OpenFGA's externalized authorization, delivered through a developer-friendly API, enables teams to scale security efficiently. The maintainers' responsiveness and precision throughout the incubation process underscored the project's maturity and readiness for broader adoption, with strong anticipation for its continued expansion.

Main Components

Key components of the OpenFGA project include:

  • The OpenFGA server, designed to answer authorization requests quickly and at scale.
  • SDKs for Go, .NET, JS, Java, and Python.
  • A CLI to interact with the OpenFGA server and test authorization models.
  • Helm Charts for Kubernetes deployments.
  • Integrations with VS Code and JetBrains IDEs.

Notable Milestones

The project has achieved significant milestones, including:

  • 4,300+ GitHub Stars
  • 2,246 Pull Requests
  • 459 Issues
  • 96 Contributors (652 across repositories)
  • 89 Releases

Looking Ahead

OpenFGA is a database, and its roadmap includes continuous performance improvements for various query types. Future goals also include simplifying SDK contributions for maintainers, launching new SDKs for Ruby, Rust, and PHP, adding support for the AuthZen standard, introducing new visualization options, open-sourcing the OpenFGA playground tool, enhancing observability, adding streaming API endpoints for better performance, and providing more robust error handling with new write-conflict options.

Learn more about OpenFGA.

As a CNCF-hosted project, OpenFGA is part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach. OpenFGA joins an impressive list of incubating technologies, including Backstage, Buildpacks, cert-manager, Chaos Mesh, CloudEvents, Container Network Interface (CNI), Contour, Cortex, CubeFS, Dapr, Dragonfly, Emissary-Ingress, Falco, gRPC, in-toto, Keptn, Keycloak, Knative, KubeEdge, Kubeflow, KubeVela, KubeVirt, Kyverno, Litmus, Longhorn, NATS, Notary, OpenFeature, OpenKruise, OpenMetrics, OpenTelemetry, Operator Framework, Thanos, and Volcano. For more information on maturity requirements for each level, please refer to the CNCF Graduation Criteria.