Skip to Content
logo

Docs

  • Home
  • Quick start
    • FAQ
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Billing for the Advanced plan
      • Continuous Hacking free trial, plans and pricing
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • CVSSF metric
      • Glossary
      • Main website
      • Platform demo
      • Tutorial videos
      • What is DAST?
      • What is SAST?
      • What is SCA?
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Use the platform
        • Sign-up and login
        • Interface and sections
        • Create and delete groups
        • Create another organization
        • Know your Groups section
        • Manage a group's configuration
        • Register payment information
        • See the target of evaluation's status and SBOM
        • Sort groups into portfolios
        • Invite contributing developers
        • Manage members
        • Manage your organization's authors
        • Understand roles
        • Import repositories fast and safely with OAuth
        • Manage environments
        • Manage repositories
        • Manage your credentials
        • Resolve events impeding tests
        • See retrieved repositories not yet added to any group
        • Analyze your supply chain security
        • Assign treatments
        • Correlate your threat model to vulnerabilities
        • CVSS score adjustment
        • Examine the evidence of exploitability
        • Find reachable dependency vulnerabilities
        • Request a vulnerability be dismissed as Zero Risk
        • See vulnerabilities assigned to you
        • See where vulnerabilities are and more details
        • Verify fixes with reattacks
        • Vulnerability signature update
        • Ask the AI Agent
        • Ask via chat
        • Post comments
        • Send Fluid Attacks an email
        • Talk to a Pentester
        • Watch certifiable tutorial videos or get a demo
        • Vulnerability reporting
        • Standard compliance
        • ZTNA logs
        • Recent downloads
        • Common analytics
        • Organization analytics
        • Group analytics
        • Portfolio analytics
        • Charts options
        • CI Gate configuration
        • CI Gate executions
        • Security gates
        • Vulnerability acceptance
        • Prioritization attributes
        • Explore the user menu
        • Enable and disable notifications
        • Subscribe to News
        • Leave a group
      • Manage repositories
      • See vulnerabilities
        • Fluid Attacks' scanners
        • OWASP Benchmark results
        • Your feedback
      • Use the scanners
        • Local run
        • CI/CD integration
        • Understanding outputs
        • Findings exclusion
      • Use a configuration file
        • SAST scanner
        • SCA scanner
        • DAST scanner
        • APK scanner
      • Automatic remediation
      • Custom remediation guides
      • Introduction to Sorts
      • Sorts user guide
      • Connection mechanisms
      • Cloud connection
      • Egress connection
      • Connector connection
      • Types of authentication
      • AWS CodeCommit
    • Service-level agreement
      • Availability SLA
      • Response SLA
      • Accuracy SLA
      • False negatives
      • False positives
      • Scope
    • Support information
      • Changelog
        • 2023
        • 2024
        • 2025
        • 2026
      • Roadmap
      • AI functions
      • Attack surfaces
      • Binaries
      • Browsers
      • CI/CD
      • Clouds
      • CVEs for reachability
      • Evidence formats
      • Frameworks
      • IDE functionalities
      • Languages
      • Languages for fixes
      • Package managers
      • Remediation
      • SCM systems
      • Secrets
      • Standards
      • Ticketing systems
      • Documentation sections
  • Integrations
      • Local tools
      • Access Talk to a Pentester and help from Jira issues
      • Automate Jira issue creation
      • Create Jira issues for vulnerabilities
      • Go to vulnerability evidence and more from Jira issues
      • Install the Fluid Attacks app for Jira Cloud
      • Link vulnerabilities to Jira issues or unlink them
      • Request reattacks from Jira issues
      • Set up the Jira integration
      • Set up the Azure DevOps integration
      • Set up the GitLab integration
      • Install the VS Code extension
      • View vulnerable lines, use fix options and more
      • VS Code extension error and solution catalog
      • Identify and address vulnerabilities from IntelliJ
      • Install the IntelliJ plugin
      • Identify and address vulnerabilities from Cursor
      • Install the Cursor extension
      • AWS Marketplace integration
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
      • Excluding files from analysis
      • Integrate with Azure DevOps Peer Reviewer Assistant
      • Integrate with GitLab Peer Reviewer Assistant
      • Troubleshooting
      • Introduction
      • Use the API
      • Learn the basics of the Fluid Attacks API
      • Things to know before using the API
  • Stack
      • Bash
      • Python
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • D3
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
    • Pentesting tools
  • Compliance
    • Authentication
      • Clients
      • Password policies
      • Staff
    • Authorization
      • Access revocation
      • Clients
      • Employee termination
      • Endpoints
      • Secret rotation
      • Sessions
      • Staff
    • Availability
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
    • Confidentiality
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
    • Integrity
      • Applicant evaluation
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Monitoring
      • Production data isolation
      • Secure emails
      • SLSA compliance
      • Standard timezone
      • Static website
      • Training plan
    • Non-repudiation
      • Everything as code
      • Extensive logs
    • Privacy
      • Data privacy policy
      • Data retention policy
      • Data use policy
      • Email obfuscation
      • Time tracking
      • Manual for the NDR
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Data transmission
      • Unsubscribe email
      • Use of cookies
    • Resilience
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
    • Transparency
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua
    • ArmorCode
    • Arnica
    • Astra
    • Backslash
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Escape
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security (GHAS)
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype Lifecycle
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • ZAP
    • ZeroPath
  • Log in to the platform 
  • Home
  • Quick start
    • FAQ
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Billing for the Advanced plan
      • Continuous Hacking free trial, plans and pricing
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • CVSSF metric
      • Glossary
      • Main website
      • Platform demo
      • Tutorial videos
      • What is DAST?
      • What is SAST?
      • What is SCA?
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Use the platform
        • Sign-up and login
        • Interface and sections
        • Create and delete groups
        • Create another organization
        • Know your Groups section
        • Manage a group's configuration
        • Register payment information
        • See the target of evaluation's status and SBOM
        • Sort groups into portfolios
        • Invite contributing developers
        • Manage members
        • Manage your organization's authors
        • Understand roles
        • Import repositories fast and safely with OAuth
        • Manage environments
        • Manage repositories
        • Manage your credentials
        • Resolve events impeding tests
        • See retrieved repositories not yet added to any group
        • Analyze your supply chain security
        • Assign treatments
        • Correlate your threat model to vulnerabilities
        • CVSS score adjustment
        • Examine the evidence of exploitability
        • Find reachable dependency vulnerabilities
        • Request a vulnerability be dismissed as Zero Risk
        • See vulnerabilities assigned to you
        • See where vulnerabilities are and more details
        • Verify fixes with reattacks
        • Vulnerability signature update
        • Ask the AI Agent
        • Ask via chat
        • Post comments
        • Send Fluid Attacks an email
        • Talk to a Pentester
        • Watch certifiable tutorial videos or get a demo
        • Vulnerability reporting
        • Standard compliance
        • ZTNA logs
        • Recent downloads
        • Common analytics
        • Organization analytics
        • Group analytics
        • Portfolio analytics
        • Charts options
        • CI Gate configuration
        • CI Gate executions
        • Security gates
        • Vulnerability acceptance
        • Prioritization attributes
        • Explore the user menu
        • Enable and disable notifications
        • Subscribe to News
        • Leave a group
      • Manage repositories
      • See vulnerabilities
        • Fluid Attacks' scanners
        • OWASP Benchmark results
        • Your feedback
      • Use the scanners
        • Local run
        • CI/CD integration
        • Understanding outputs
        • Findings exclusion
      • Use a configuration file
        • SAST scanner
        • SCA scanner
        • DAST scanner
        • APK scanner
      • Automatic remediation
      • Custom remediation guides
      • Introduction to Sorts
      • Sorts user guide
      • Connection mechanisms
      • Cloud connection
      • Egress connection
      • Connector connection
      • Types of authentication
      • AWS CodeCommit
    • Service-level agreement
      • Availability SLA
      • Response SLA
      • Accuracy SLA
      • False negatives
      • False positives
      • Scope
    • Support information
      • Changelog
        • 2023
        • 2024
        • 2025
        • 2026
      • Roadmap
      • AI functions
      • Attack surfaces
      • Binaries
      • Browsers
      • CI/CD
      • Clouds
      • CVEs for reachability
      • Evidence formats
      • Frameworks
      • IDE functionalities
      • Languages
      • Languages for fixes
      • Package managers
      • Remediation
      • SCM systems
      • Secrets
      • Standards
      • Ticketing systems
      • Documentation sections
  • Integrations
      • Local tools
      • Access Talk to a Pentester and help from Jira issues
      • Automate Jira issue creation
      • Create Jira issues for vulnerabilities
      • Go to vulnerability evidence and more from Jira issues
      • Install the Fluid Attacks app for Jira Cloud
      • Link vulnerabilities to Jira issues or unlink them
      • Request reattacks from Jira issues
      • Set up the Jira integration
      • Set up the Azure DevOps integration
      • Set up the GitLab integration
      • Install the VS Code extension
      • View vulnerable lines, use fix options and more
      • VS Code extension error and solution catalog
      • Identify and address vulnerabilities from IntelliJ
      • Install the IntelliJ plugin
      • Identify and address vulnerabilities from Cursor
      • Install the Cursor extension
      • AWS Marketplace integration
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
      • Excluding files from analysis
      • Integrate with Azure DevOps Peer Reviewer Assistant
      • Integrate with GitLab Peer Reviewer Assistant
      • Troubleshooting
      • Introduction
      • Use the API
      • Learn the basics of the Fluid Attacks API
      • Things to know before using the API
  • Stack
      • Bash
      • Python
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • D3
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
    • Pentesting tools
  • Compliance
    • Authentication
      • Clients
      • Password policies
      • Staff
    • Authorization
      • Access revocation
      • Clients
      • Employee termination
      • Endpoints
      • Secret rotation
      • Sessions
      • Staff
    • Availability
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
    • Confidentiality
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
    • Integrity
      • Applicant evaluation
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Monitoring
      • Production data isolation
      • Secure emails
      • SLSA compliance
      • Standard timezone
      • Static website
      • Training plan
    • Non-repudiation
      • Everything as code
      • Extensive logs
    • Privacy
      • Data privacy policy
      • Data retention policy
      • Data use policy
      • Email obfuscation
      • Time tracking
      • Manual for the NDR
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Data transmission
      • Unsubscribe email
      • Use of cookies
    • Resilience
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
    • Transparency
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua
    • ArmorCode
    • Arnica
    • Astra
    • Backslash
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Escape
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security (GHAS)
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype Lifecycle
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • ZAP
    • ZeroPath
  • Log in to the platform 

On This Page

  • Rationale
  • Alternatives
  • Casbin
  • Permit.io
  • Okta FGA
  • Oso
  • Aserto
  • WorkOS
  • Usage
  • Other in-house dependencies
StackDependenciesPlatform authorization

Platform authorization (in-house)

Rationale

Authorization flows for Fluid Attacks’ platform  are performed by an in-house implementation . Such implementation currently supports:

  • Role permissions based on specific API resolvers.
  • Organization-level, group-level and user-level access for each role.

For example, if a user has the customer manager role for a given group, they can access these API resolvers  for such a group. Similarly, the user can also access these API resolvers  for organizations that are assigned to them.

The main reasons why we chose it over other alternatives are:

  • It allows us to keep a high access granularity thanks to its API revolver-based approach.
  • It has scaled well in terms of performance throughout the years.
  • It is legacy code inherited from the early days of the application.

Alternatives

As the application evolved, so did our interest in using a third-party authorization solution. Below are the ones we have reviewed, ordered from most to least interesting based on our specific needs.

Casbin

  • Casbin  provides a Python library  for authorization.
  • It does not provide any extra features outside of its main focus.
  • It is free as it is just a library, not a service.
  • SLA does not apply to it.
  • As it is just a library, authorization exists within the application backend, making authorization simpler and often faster. It inherits the scalability, security and redundancy of the application that hosts it.
  • As it is an open-source Python library, its engine is open source by inheritance.
  • It supports asynchronous environments .
  • As it is just a library, it does not need a Terraform provider.
  • It supports ACL, ABAC and RBAC , allowing us to handle even the most complex scenarios in our authorization model.
  • It uses the declarative PERM meta-model  for declaring authorization models.
  • As it exists within the backend, it allows writing declarative unit tests and versioning them as code, heavily improving testability.
  • It supports real-time conditions  for modeling complex scenarios like temporary access and quotas, among others.
  • It would force us to redefine our authorization model to fit its structure.
Casbin was last reviewed on Jan 23, 2025.

Permit.io

  • Permit.io  provides a SaaS authorization platform.
  • It also provides specialized authorization solutions for healthcare  and third-party APIs .
  • It has a pricing model  based on monthly active users (pay for what you use).
  • It does not seem to provide an availability SLA.
  • Although it supports a SaaS mode , they recommend handling infrastructure for production workloads.
  • Its authorization engine  is open source.
  • Its Python library  is open source and supports asynchronous environments .
  • It has a Terraform provider  in beta phase.
  • It supports ABAC  and ReBAC , allowing us to handle even the most complex scenarios in our authorization model.
  • Although its main focus is on allowing users to declare authorization models using a no-code approach, it also supports policies as code using Rego . Documentation on this matter could be improved.
  • It allows writing declarative unit tests  and versioning them as code, heavily improving testability.
  • It supports real-time conditions  for modeling complex scenarios like temporary access  and quotas, among others.
  • It would force us to redefine our authorization model to fit its structure.
Permit.io was last reviewed on Jan 23, 2025.

Okta FGA

  • Okta FGA  provides a SaaS authorization platform based on OpenFGA .
  • Okta also provides a full authentication suite called Auth0 .
  • Its pricing is not public.
  • It provides a >99% availability SLA .
  • It is a SaaS that automatically handles user databases, scaling, security, redundancy, and disaster recovery, among others.
  • In a sense, it is open source due to the fact that it implements OpenFGA over a SaaS model, but this could change over time.
  • Its Python library supports asynchronous environments .
  • It does not have a Terraform provider.
  • It supports ReBAC, allowing us to handle even the most complex scenarios in our authorization model.
  • It uses its own declarative configuration language .
  • It allows writing declarative unit tests and versioning them as code, heavily improving testability.
  • It supports real-time conditions for modeling complex scenarios like temporary access and quotas, among others.
  • It would force us to redefine our authorization model approach to fit its structure.
Okta FGA was last reviewed on Jan 23, 2025.

Oso

  • Oso  provides a SaaS authorization platform.
  • It does not provide any extra features outside of its main focus.
  • It has a pricing model  based on monthly active users (pay for what you use).
  • It provides a >99% availability SLA .
  • It is a SaaS service that automatically handles user databases, scaling, security, redundancy, and disaster recovery, among others.
  • Its authorization engine is currently not open source, but they are planning to release it .
  • Its Python library  is not open source and seemingly does not support asynchronous environments, making it unusable for us.
  • It does not have a Terraform provider.
  • It supports ABAC  and ReBAC , allowing us to handle even the most complex scenarios in our authorization model.
  • It uses its own declarative configuration language .
  • It allows writing declarative unit tests  and versioning them as code, heavily improving testability.
  • It supports real-time conditions for modeling complex scenarios like temporary access  and quotas , among others.
  • It would force us to redefine our authorization model to fit its structure.
Oso was last reviewed on Jan 23, 2025.

Aserto

  • Aserto  provides a SaaS authorization platform.
  • It does not provide any extra features outside of its main focus.
  • It has a pricing model  based on monthly active users (pay for what you use).
  • It does not seem to provide an availability SLA.
  • Most of its architecture  depends on external systems, forcing us to handle external user databases, scaling, and redundancy, among others.
  • Its authorization engine  is open source.
  • Its Python library is open source and supports asynchronous environments .
  • It does not have a Terraform provider.
  • It supports ABAC , ReBAC  and RBAC , allowing us to handle even the most complex scenarios in our authorization model.
  • It supports policies as code using Rego .
  • Although there is no documentation, it should allow writing declarative unit tests via Rego  and versioning them as code, heavily improving testability.
  • It does not support real-time conditions for modeling complex scenarios like temporary access and quotas, among others.
  • It would force us to redefine our authorization model to fit its structure.
Aserto was last reviewed on Jan 23, 2025.

WorkOS

  • WorkOS  provides SaaS solutions to requirements usually needed by enterprise applications.
  • Due to its broad focus, it provides services for user management , administrative portals , authentication , and authorization , among others.
  • Its pricing model  makes it free for the first 10 million operations, but they don’t tell how much extra operations cost.
  • It has a >99% availability SLA .
  • It is a SaaS service that automatically handles user databases, scaling, security, redundancy, and disaster recovery, among others.
  • Its authorization engine is not open source.
  • Its Python library supports asynchronous environments .
  • It does not have a Terraform provider.
  • It supports ABAC, ReBAC, and RBAC, allowing us to handle even the most complex scenarios in our authorization model.
  • It supports policies as code using its own proprietary syntax.
  • It does not support unit tests, highly affecting testability.
  • It does not support real-time conditions for modeling complex scenarios like temporary access and quotas, among others.
  • It would force us to redefine our authorization model to fit its structure.
WorkOS was last reviewed on Jan 23, 2025.

Usage

We use an in-house implementation for all authorization flows at Fluid Attacks’ platform .

Other in-house dependencies

  • Platform audit logs 
  • Platform authentication 
Last updated on February 24, 2026
Platform authenticationPydantic AI
Fluid Attacks 2026. All rights reserved.