Overview
Grantex supports Open Policy Agent (OPA) as a pluggable policy backend. When configured, authorization decisions are delegated to your OPA server instead of the built-in policy engine.
Configuration
Set the following environment variables on your auth service:
How It Works
- When a
POST /v1/authorize request arrives, the auth service sends the evaluation context to OPA
- OPA evaluates the request against your Rego policies
- The result is mapped:
allow: true → auto-approve, allow: false → deny
- If OPA is unavailable and fallback is enabled, the built-in policy engine is used
OPA Policy Structure
Create a Rego policy at grantex/authz:
The auth service sends the following input to OPA:
Timeout and Fallback
OPA requests have a 5-second timeout. If OPA is unreachable or returns an error:
- With
OPA_FALLBACK_TO_BUILTIN=true (default): falls back to the built-in policy engine
- With
OPA_FALLBACK_TO_BUILTIN=false: returns null (no policy match, goes to consent flow)
Last modified on March 2, 2026