Permit.io has announced the launch of FoAz (short for frontend-only authorization), which enables frontend developers to easily add permissions to existing services that don’t already have an authorization layer in place, require better policy models (e.g. RBAC), or need enhanced access granularity.
“The frontend runs on the user’s browser which is inherently insecure,” said Or Weis, CEO and Co-Founder of Permit.io. “Until today, each time a frontend app requires access controls – say only paid users can send an invoice via Stripe or an SMS via Twilio – they have to bother a backend engineer to write the glue-code. FoAz offers backendless permissions that fulfill the promise of shift-left security, empowering frontend developers to deploy features autonomously without sacrificing the integrity of their security posture.”
As more things continue to shift left to the frontend, security must catch up. With FoAz, frontend developers can use sensitive APIs directly from the frontend, without requiring any backend code, while maintaining the highest level of security.
Key highlights of FoAz:
- No code / Low code policy interfaces: FoAz is powered by policy as code (with OPA and Cedar). Combined with Permit’s policy-editor UI, policy creation becomes simple yet powerful, generating policy as code from RBAC to ABAC, with as little effort as ticking a few boxes.
- An open standard: FoAz is an open internet standard (available at FoAz.io) enabling more companies to implement, integrate, and share the technology, as well as collaborate with Permit.io on its future development and security posture.
- Backend-as-a-Service: A FoAz proxy is a generic backend component that takes on the authorization burden from all services and empowers the frontend to utilize it directly. Permit.io provides a hosted FoAz offering so engineers can forget about the backend altogether.
- Zero-Trust and Secrets Management: FoAz securely manages secrets (storing them encrypted or in a secure vault), avoiding the need to expose them to the frontend.
FoAz is built on top of the open source project OPAL, which acts as the administration layer for the popular Open Policy Agent (OPA). OPAL brings open policy up to the speed needed by live applications: as an application's state changes via APIs, databases, git, Amazon S3 and other third-party SaaS services, OPAL makes sure in real time that every microservice is in sync with the policies and data required by the application.