
OpenFGA as a Managed Backend, Fully Integrated with Keymate

Keymate ships with an officially supported OpenFGA deployment—running as a dedicated backend service, managed by the platform, and integrated across Keycloak, Admin Console, and observability tools. Powerful ReBAC, no separate setup.

Run, Govern, and Observe OpenFGA—The Keymate Way

Keymate deploys and manages OpenFGA as a core part of its platform using the official container image. This gives DevOps and platform teams:

Out-of-the-box OpenFGA backend provisioning.
Real-time integration with Keymate Access Gateway, GateLink, SDKs, and plugins.
DSL-to-ReBAC translation for seamless policy execution.
Schema and tuple management directly from the Admin Console.
Multi-tenant schema isolation and versioning.
Session-aware checks enriched from Keycloak session notes.
Full OpenTelemetry support for logs, metrics, and traces sent to Signoz.

Looking to design ReBAC policies with this backend? See Access Built on Relationships.

Managed OpenFGA Integration

Managed OpenFGA deployment with full integration across Keymate platform components, providing powerful ReBAC capabilities without separate setup.

Example: Official OpenFGA container managed by Keymate platform

Key Components:

Official Container Image
Keycloak Integration
Admin Console Management
Multi-Tenant Isolation
OpenTelemetry Observability

What Makes It Unique

Official Container-Based OpenFGA

Runs as an isolated service using the official image, managed by Keymate

Fully Integrated with Keycloak

Supports session-note based context injection for enriched authorization

DSL-to-FGA Compilation

Keymate DSL compiles into check/list/expand API calls

Admin Console Integration

Manage schemas, relations, and tuples visually

Schema Versioning & Diff Support

Evolve models over time with safety and auditability

Multi-Tenant Graph Isolation

Each tenant has a private OpenFGA schema and relation graph

Full Observability via OpenTelemetry

Metrics and traces piped to Keymate's observability layer via Signoz

Frequently Asked Questions

No manual setup needed. It's provisioned automatically by the platform using the official image.
No—it runs as a separate container, but is fully managed, integrated, and observable from within Keymate.
Yes. The Admin Console provides full UI support for FGA modeling and data population.
Absolutely. Each tenant is isolated by design—both schema and relation data are kept separate.

How to Use This Feature

Follow these steps to leverage the managed OpenFGA backend.

Implementation Steps

1. Define your authorization model in the Admin Console
2. Sync tuples via API, Kafka, or form-based UI
3. Write policies in DSL (compiled to OpenFGA check/list/expand calls)
4. Enforce via Gateway plugins, SDKs, or Envoy filters
5. Observe all evaluations in Signoz via OpenTelemetry metrics and traces
6. Evolve models safely using schema versioning and environment isolation
