{"id":5350,"library":"openfga-sdk","title":"OpenFGA Python SDK","description":"The OpenFGA Python SDK provides a high-performance and flexible authorization/permission engine client, inspired by Google Zanzibar. It allows developers to integrate OpenFGA for fine-grained access control in their Python applications. The library is actively developed with frequent releases, typically every few weeks.","status":"active","version":"0.10.0","language":"en","source_language":"en","source_url":"https://github.com/openfga/python-sdk","tags":["authorization","permissions","access control","FGA","Zanzibar","security"],"install":[{"cmd":"pip install openfga-sdk","lang":"bash","label":"Install OpenFGA Python SDK"}],"dependencies":[{"reason":"Used as the underlying asynchronous HTTP client for API communication.","package":"httpx","optional":false},{"reason":"Used for data validation and serialization/deserialization of API models.","package":"pydantic","optional":false}],"imports":[{"note":"The primary client class was moved from `openfga_sdk.client` to the top-level `openfga_sdk` package in version 0.8.0 for simpler imports.","wrong":"from openfga_sdk.client import OpenFgaClient","symbol":"OpenFgaClient","correct":"from openfga_sdk import OpenFgaClient"},{"note":"Authentication credentials are provided via the Credentials class, imported directly from the top-level package.","symbol":"Credentials","correct":"from openfga_sdk import Credentials"},{"note":"API model classes (e.g., `WriteRequest`, `User`, `Object`) were moved from `openfga_sdk.client` to `openfga_sdk.models` in version 0.7.0. They should be imported individually or as needed from the `models` submodule.","wrong":"from openfga_sdk.client import Models","symbol":"Models","correct":"from openfga_sdk.models import WriteRequest, TupleKey, User, Relation, Object, CheckRequest"}],"quickstart":{"code":"import os\nfrom openfga_sdk import OpenFgaClient, Credentials\nfrom openfga_sdk.models import WriteRequest, TupleKey, User, Relation, Object, CheckRequest\n\n# Configure OpenFGA client using environment variables for sensitive data.\n# Required: FGA_API_URL, FGA_STORE_ID\n# Optional (for auth): FGA_API_TOKEN or FGA_CLIENT_ID/FGA_CLIENT_SECRET/FGA_TOKEN_URL/FGA_AUDIENCE\n\nfga_api_url = os.environ.get(\"FGA_API_URL\", \"http://localhost:8080\")\nfga_store_id = os.environ.get(\"FGA_STORE_ID\", \"01H4F8G5K4S8K7J2G8R1T0V9M0\") # Replace with your actual Store ID\n\ncredentials = None\napi_token = os.environ.get(\"FGA_API_TOKEN\")\nif api_token:\n    credentials = Credentials(api_token=api_token)\nelif os.environ.get(\"FGA_CLIENT_ID\") and os.environ.get(\"FGA_CLIENT_SECRET\"):\n    # Example for Client Credentials flow with OAuth2 (replace with your IdP details)\n    credentials = Credentials(\n        client_id=os.environ.get(\"FGA_CLIENT_ID\", \"\"),\n        client_secret=os.environ.get(\"FGA_CLIENT_SECRET\", \"\"),\n        token_url=os.environ.get(\"FGA_TOKEN_URL\", \"https://auth.fga.example.com/oauth/token\"),\n        audience=os.environ.get(\"FGA_AUDIENCE\", fga_api_url) # Audience often matches API URL\n    )\n\nif not fga_store_id:\n    raise ValueError(\"FGA_STORE_ID environment variable is required.\")\n\nclient = OpenFgaClient(\n    api_url=fga_api_url,\n    store_id=fga_store_id,\n    credentials=credentials,\n)\n\ntry:\n    # 1. Write a relationship: \"user:anne can view document:roadmap\"\n    write_response = client.write(\n        body=WriteRequest(\n            writes=[\n                TupleKey(\n                    user=User(id=\"anne\"),\n                    relation=\"viewer\",\n                    object=Object(type=\"document\", id=\"roadmap\")\n                )\n            ]\n        )\n    )\n    print(f\"Wrote relationship: user:anne is viewer of document:roadmap\")\n\n    # 2. Check if \"user:anne can view document:roadmap\"\n    check_response = client.check(\n        body=CheckRequest(\n            user=User(id=\"anne\"),\n            relation=\"viewer\",\n            object=Object(type=\"document\", id=\"roadmap\")\n        )\n    )\n    print(f\"Check result (anne can view roadmap): {check_response.allowed}\") # Expected: True\n\n    # 3. Check if \"user:bob can view document:roadmap\" (assuming bob has no relation)\n    check_response_bob = client.check(\n        body=CheckRequest(\n            user=User(id=\"bob\"),\n            relation=\"viewer\",\n            object=Object(type=\"document\", id=\"roadmap\")\n        )\n    )\n    print(f\"Check result (bob can view roadmap): {check_response_bob.allowed}\") # Expected: False\n\nexcept Exception as e:\n    print(f\"An error occurred: {e}\")\n\n# The client uses an httpx.Client which is typically managed internally.\n# No explicit close() is necessary for OpenFgaClient as of v0.10.0 in most cases.","lang":"python","description":"Initialize the OpenFGA client, write an authorization model tuple, and perform a check. This example demonstrates basic 'Write' and 'Check' operations. Ensure `FGA_API_URL` and `FGA_STORE_ID` (and authentication variables like `FGA_API_TOKEN`) are set in your environment. The provided `fga_store_id` is an example and must be replaced with a real one from your OpenFGA setup."},"warnings":[{"fix":"Update your imports from `from openfga_sdk.client import OpenFgaClient` to `from openfga_sdk import OpenFgaClient`.","message":"The `OpenFgaClient` class was moved from `openfga_sdk.client.OpenFgaClient` to `openfga_sdk.OpenFgaClient` for direct import.","severity":"breaking","affected_versions":">=0.8.0"},{"fix":"Update your imports to fetch models from `from openfga_sdk.models import ...` instead of `from openfga_sdk.client import ...`.","message":"All API model classes (e.g., `WriteRequest`, `User`, `Object`) were moved from `openfga_sdk.client` to the `openfga_sdk.models` submodule.","severity":"breaking","affected_versions":">=0.7.0"},{"fix":"Ensure you have provisioned an OpenFGA store and are passing a valid `store_id` to the `OpenFgaClient` constructor or via the `FGA_STORE_ID` environment variable.","message":"All OpenFGA operations require a `store_id`. This ID represents a tenant or distinct authorization store and must be created in your OpenFGA service instance (e.g., via the OpenFGA dashboard or API) before use.","severity":"gotcha","affected_versions":"All"},{"fix":"Refer to the OpenFGA documentation for your specific authentication setup. For client credentials, double-check `FGA_CLIENT_ID`, `FGA_CLIENT_SECRET`, `FGA_TOKEN_URL`, and `FGA_AUDIENCE` environment variables.","message":"Correctly configuring authentication credentials (API Token vs. OAuth2 Client Credentials) is critical. For OAuth2, ensure `token_url` and `audience` are correctly specified in `Credentials`.","severity":"gotcha","affected_versions":"All"}],"env_vars":null,"last_verified":"2026-04-13T00:00:00.000Z","next_check":"2026-07-12T00:00:00.000Z"}