// the find
aserto-dev/topaz
Cloud-native authorization for modern applications and APIs
Topaz is a self-hosted authorization service that combines OPA (for policy evaluation) with a Zanzibar-inspired directory (for storing objects and relationships). You run it as a sidecar or standalone service, define your domain model in a manifest, write Rego policies, and call it over gRPC or REST to answer 'can user X do Y to resource Z?'. It's aimed at teams who want to pull authorization logic out of application code and into a dedicated, auditable service.
The combination of OPA's policy engine with a built-in relationship graph is genuinely useful — most OPA setups require you to figure out data loading yourself, and Topaz handles that. The embedded BoltDB-backed directory means authorization decisions don't require a network hop to a separate data store, which keeps latency predictable. The CLI is well thought out: templates give you a working local environment in minutes, and the console UI lets you inspect the model and test decisions without writing code. Active maintenance (pushed yesterday) and a proper CI pipeline with golangci-lint.
The star count (1.3k) is low for something positioning itself as infrastructure — this is a company-backed project from Aserto, so the open-source community is thin and you're betting on their continued commercial interest. The embedded database is fine for a sidecar but becomes a liability at scale: there's no built-in replication, so horizontal scaling requires you to figure out data sync yourself. Rego is a real learning curve; if your team hasn't used OPA before, you're adopting two unfamiliar things at once. The hosted Aserto cloud is clearly the intended monetization path, which means the self-hosted path may get less love over time.