OpenFGA
v1.13.0SecurityOpenFGA v1.13.0 ships AuthZen v1.0 support, separates Check v1/v2 caches, and hardens the resolver pipeline against panics.
enhancementEvaluate AuthZen v1.0 for cross-system authorization interop
AuthZen v1.0 is the emerging standard for authorization API interoperability across CNCF and broader ecosystem tools. If you're integrating OpenFGA with other policy engines or building a multi-system authz layer, test the new AuthZen endpoint now. Early adoption means your integration patterns align with where the ecosystem is heading rather than needing a retrofit later.
breakingSeparate Check v1/v2 caches may change cache hit behavior — review your cache sizing
Previously, Check v1 and v2 shared a single cache, which could lead to cross-contamination but also inadvertent cache hits. Now they're isolated. If you're running both API versions concurrently, your effective cache hit rate may drop and memory usage could shift. Revisit your cache capacity configuration after upgrading and monitor cache hit ratios in your observability stack.
securityUpgrade to stop resolver panics from taking down the server
Unhandled panics in the pipeline base resolver previously had the potential to crash the OpenFGA process entirely. The fix converts these to returned errors, keeping the server running. If you've seen unexpected OpenFGA restarts under complex authorization graph evaluations, this is likely why. Upgrade promptly — this is a reliability fix with meaningful availability implications.
Key changes (4)
- AuthZen v1.0 standard implemented — OpenFGA now speaks the CNCF authorization interoperability spec
- Separate cache layers for Check v1 and Check v2 APIs, preventing cross-version cache pollution
- Panics in the pipeline's base resolver are now caught and returned as errors instead of crashing the process
- List-objects span aggregation improved — message stats per sender now roll up into a single trace span for cleaner observability