Skip to main content

Overview

Grantex supports Open Policy Agent (OPA) as a pluggable policy backend. When configured, authorization decisions are delegated to your OPA server instead of the built-in policy engine.

Configuration

Set the following environment variables on your auth service:

How It Works

  1. When a POST /v1/authorize request arrives, the auth service sends the evaluation context to OPA
  2. OPA evaluates the request against your Rego policies
  3. The result is mapped: allow: true → auto-approve, allow: false → deny
  4. If OPA is unavailable and fallback is enabled, the built-in policy engine is used

OPA Policy Structure

Create a Rego policy at grantex/authz:

Policy Input

The auth service sends the following input to OPA:

Timeout and Fallback

OPA requests have a 5-second timeout. If OPA is unreachable or returns an error:
  • With OPA_FALLBACK_TO_BUILTIN=true (default): falls back to the built-in policy engine
  • With OPA_FALLBACK_TO_BUILTIN=false: returns null (no policy match, goes to consent flow)
Last modified on March 2, 2026