Authorizer Core
Authorizer is developed using Golang. Authorizer core comes with:
- GraphQL API, REST API, and gRPC API
- Fine-grained authorization (FGA) — relationship-based access control
- MCP server for AI agents
- Email and Password login
- OAuth login
- Forgot password
- Update profile API
- Web application with a login page, sign up page, and forgot-password page. These can save hundreds of hours.
- Secure session management with HTTP cookie
APIs
Authorizer exposes the same service over multiple transports, all backed by one schema:
| API | Use it for | Reference |
|---|---|---|
GraphQL (/graphql) | The complete, canonical surface — all auth flows, admin operations, and FGA. | GraphQL API |
REST (/v1) | Simple JSON-over-HTTP for scripts and server-to-server calls. | REST API |
gRPC (:9091) | Strongly-typed, high-performance binary RPC. | gRPC API |
| MCP (stdio) | Letting an LLM agent check permissions on a user's behalf. | MCP Server |
For authorization, see the Authorization (FGA) model and the FGA Guide cookbook.
How Authorizer is secure?
One can authorize users in two ways:
- Using HTTP Only cookie
- Using JWT bearer token as part of
Authorizationheader
On successful login, Authorizers server sends HTTP cookie to the browser. Client applications can use credentials: include option in fetch for further authorization. Users don't need to save this cookie in localStorage or sessionStorage. This helps us prevent XSS or CSRF attack.
Client applications can also save access_token received on successful login in memory and use it as JWT bearer token as Authorization header.
Why Golang?
- High performant
- Uses gin web framework, with best benchmarks
Why GraphQL API?
- Isomorphic schema
- Client applications can request the data that is only required
- In the future, we can stitch with other schema and offer schema-based permissions and user graph
For relationship-based, schema-driven permissions today, see Authorization (FGA).
Note: You can always use GraphQL API as a rest API with the appropriate request body