// the find
warrant-dev/warrant
Warrant is a highly scalable, centralized authorization service based on Google Zanzibar. Use it to define, enforce, query, and audit application authorization and access control.
Warrant is a self-hostable authorization service that implements the Google Zanzibar model — relationship tuples stored in a database, checked at runtime via HTTP. It handles RBAC, ABAC, and ReBAC in a single service, which makes it useful for SaaS products that need tenant-level permission management without building it themselves. It has since been acquired by WorkOS and the hosted version is now WorkOS FGA.
The data model is well thought out: object types, warrants (relationship tuples), and policies are cleanly separated, and the migration history across MySQL/Postgres/SQLite shows real cross-database discipline. The wookie/warrant-token implementation for consistency (Zanzibar's 'zookies') is present and tested, which most Zanzibar clones skip entirely. SDK coverage is wide — Node, Go, Python, Ruby, PHP, Java, plus React/Angular/Vue — so integration isn't purely DIY. The query engine supports both point checks and bulk queries ('list all documents user X can edit'), which is where naive RBAC implementations fall apart.
The README itself admits the open-source version tops out at low-to-moderate throughput — no built-in caching layer, no read replicas, no distributed check path. At real scale you're pushed to WorkOS FGA, which means the self-hosted path is essentially a trial tier. Development has stalled since the WorkOS acquisition; last meaningful commit activity is thin and the repo feels in maintenance mode rather than active development. The ABAC policy support uses a custom expression language (not CEL, not OPA Rego) that you'll need to learn and debug with no external tooling. Test suite is JSON-driven API scenarios with no unit tests for the core check logic, so contributing or auditing the authorization engine itself is harder than it should be.