Auth0 FGA vs OpenFGA - what’s the difference?
Auth0 FGA is based on OpenFGA, an open-source authorization system owned by the Cloud Native Computing Foundation, of which Auth0/Okta is a key maintainer.
OpenFGA is free to use and has the same core functionality as Auth0 FGA. However, running an authorization service at scale can be challenging, and doing so is part of the value provided by Auth0 FGA.
Below is a list of the differences between the products:
| Features | Auth0 Fine-Grained Authorization (FGA) | OpenFGA |
|---|---|---|
| Availability | Deployed in two cloud regions per locality (US/Australia/Europe) and uses a database configured with Active-Active replication, so it can survive a regional AWS failure. | Customers are responsible for availability. OpenFGA currently supports Postgres and MySQL, which must be failed over to another replica in a data emergency. |
| Scalability | Auth0 FGA has been tested with 1M RPS and 100 billion relationship tuples. | Customers must run their own performance and load testing. |
| Cloud Security | Auth0 secures the cloud perimeter. | Customer is responsible for securing the cloud perimeter. |
| Database Migrations | Auth0 runs database migrations with no downtime. | Customers must run their own database migrations, which can lead to downtime. |
| Backups | Auth0 FGA database supports point-in-time recovery and is backed up frequently. | Customers must run their own database backups. |
| Security Patches | Auth0 updates OpenFGA with the latest security patches. | Customers must update their OpenFGA version. |
| Monitoring | Auth0 monitors uptime and latency and is responsible for resolving production issues with the product. | Customers must monitor the uptime/latency and handle production issues. |
| Status Page | Auth0 provides a status page to monitor availability. | Customers must manage their own OpenFGA communications. |
| Support | Auth0 provides enterprise support with Technical Account Managers, 24x7 pager support, Premier support options, and SLAs, in accordance with the customer's support level. | No support is provided. |
| Dashboard | Auth0 offers an SSO-enabled dashboard, where multiple users can collaborate on FGA stores and models and where admins/developers can manage API keys. | No dashboard available. |
| Cloud Infrastructure Provisioning | Auth0 provisions and manages the cloud services required to run Auth0 FGA. | The customer manages the cloud infrastructure. |
| Autoscaling | Auth0 configures services and databases to autoscale. | Customers configure their own autoscaling policies. |
| Disaster Recovery | Auth0 has disaster recovery processes in place for Auth0 FGA. | Customers must implement their own disaster recovery processes. |
| Data Residency | Auth0 ensures compliance with each country’s data residency laws, including our own services and those of our sub-processors. | Customers ensure compliance with data residency laws. |
| Platform | Runs on the same platform used by all of Auth0's products. | Customers need to build their own platform to manage zero-downtime upgrades. |
| Logging API | Includes a built-in Logging API with 7-day retention for auditing, troubleshooting, and compliance use cases. | Customers must build and operate their own logging, storage, and retention pipelines. |
| Permissions Index | The FGA Permissions Index is a managed feature that continuously precomputes authorization results and stores/streams "flattened" permission changes. | Customers must build and operate their own materialized view, updating whenever a permission change occurs. |