Skip to main content

Best Practices of Managing Tuples and Invoking APIs

Fine Grained Authorization (FGA) is the early-stage product we are building at Okta to solve fine-grained authorization at scale. Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.

Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Okta FGA during the Developer Community Preview can be found here.

The following list outlines some guidelines and best practices for using Okta FGA:

  • Do not store Personal Identifiable Information in tuples
  • Always specify authorization model ID whenever possible

Do Not Store Personal Identifiable Information in Tuples

You can use any string for user and object identifiers, however you should not input or assign identifiers that include Personal Data or any other sensitive data, such as data that may be restricted under regulatory requirements.


The documentation and samples uses first names and simple ids to illustrate easy-to-follow examples.

Always Specify Authorization Model ID Whenever Possible

It is strongly recommended that authorization model ID be specified in your Relationship Queries (such as Check and ListObjects) and Relationship Commands (such as Write).

Specifying authorization model ID in API calls have the following advantages:

  1. Better performance as Okta FGA will not need to perform a database query to get the latest authorization model ID.
  2. Allows consistent behavior in your production system until until you are ready to switch to the new model.
Migrating Relations

Learn how to migrate relations in a production environment

Migrating Schema 1.1

Learn how to migrate to model schema 1.1

Have Feedback?

Join us on the Discord community if you have any questions or suggestions.