// the find
ory/keto
The most scalable and customizable permission server on the market. Fix your slow or broken permission system with Google's proven "Zanzibar" approach. Supports ACL, RBAC, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
Ory Keto is an open-source implementation of Google's Zanzibar authorization model, built for teams that have outgrown simple role checks and need relationship-based access control at scale. It runs as a standalone gRPC/HTTP service you call from your app, keeping authorization logic out of your application code. The target is teams building multi-tenant SaaS or platforms with complex, hierarchical permission models — not apps where a middleware check suffices.
The Zanzibar model is the right foundation for fine-grained permissions: relation tuples like 'Document:secret#read@tom' are expressive, composable, and auditable in ways that RBAC tables are not. The Ory Permission Language (OPL) compiles to relation tuples and gives you a TypeScript-like DSL for defining your permission model without hand-crafting raw tuple schemas. Production adopters include OpenAI, Klarna, and Cisco, so the consistency guarantees have been stress-tested at real scale. The binary is small (~10MB), stateless, and horizontally scalable with any SQL-compatible backend (Postgres, MySQL, CockroachDB).
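The tuple composition described above, as an added example that is not Keto's own code: a minimal Python `check()` over Zanzibar-style relation tuples, following subject sets ('Group:eng#member') and parent objects. The sample tuples and the `REWRITES` table are constructed for illustration and do not use Keto's configuration format.

```python
def parse_ref(ref):
    """'Ns:obj#rel' -> (ns, obj, rel); a plain 'Ns:obj' gives rel None."""
    ns_obj, _, rel = ref.partition("#")
    ns, _, obj = ns_obj.partition(":")
    return ns, obj, rel or None

def parse_tuple(t):
    """'Ns:obj#rel@subject' -> (ns, obj, rel, subject)."""
    ref, _, subject = t.partition("@")
    return (*parse_ref(ref), subject)

# Constructed tuples: alice owns the document, the document lives in folder 'eng',
# every member of group 'eng' may view that folder, and tom is such a member.
TUPLES = [parse_tuple(t) for t in (
    "Document:secret#owner@alice",
    "Document:secret#parent@Folder:eng",
    "Folder:eng#viewer@Group:eng#member",
    "Group:eng#member@tom",
)]

# Assumed userset rewrites (illustrative, not Keto's configuration format):
# 'view' is granted by a direct 'viewer' or 'owner' relation, or inherited from
# the object reached through 'parent' (Zanzibar's tuple-to-userset rewrite).
REWRITES = {
    ("Document", "view"): {"direct": ("viewer", "owner"), "parent": ("parent", "view")},
    ("Folder", "view"): {"direct": ("viewer", "owner"), "parent": None},
}

def check(ns, obj, rel, user, depth=0):
    """True if user holds rel on ns:obj, following subject sets and parents."""
    if depth > 8:  # bound the graph walk; a mis-modelled schema can form cycles
        return False
    rule = REWRITES.get((ns, rel), {"direct": (rel,), "parent": None})
    for tns, tobj, trel, subject in TUPLES:
        if (tns, tobj) != (ns, obj):
            continue
        if trel in rule["direct"]:
            if subject == user:
                return True
            if "#" in subject:  # subject set such as 'Group:eng#member': recurse
                sns, sobj, srel = parse_ref(subject)
                if check(sns, sobj, srel, user, depth + 1):
                    return True
        if rule["parent"] and trel == rule["parent"][0]:
            pns, pobj, _ = parse_ref(subject)
            if check(pns, pobj, rule["parent"][1], user, depth + 1):
                return True
    return False
```

Tom reaches 'view' on Document:secret only through the chain parent -> Folder:eng viewer -> Group:eng#member, which is the kind of derived access an RBAC table cannot express without duplicating rows.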
The migration from simple RBAC to relation tuples is a serious mental shift: most teams underestimate how long it takes to model their domain correctly, and a wrong tuple schema is painful to migrate later. The open-source version is increasingly being positioned as a trial tier; CVE patches and enterprise features now require an Ory Enterprise License, which is a meaningful support risk for production self-hosters. The OPL documentation is thin compared to the raw API docs, so designing a non-trivial permission model means a lot of reading GitHub issues. Keto is also purely a policy decision point: it has no built-in policy enforcement, so every enforcement point in your application is still yours to wire up and keep consistent.