Overview

Warrant offers a specialized authorization-as-a-service platform that lets developers incorporate fine-grained access control into their applications. The service is designed to manage and enforce authorization policies for SaaS products, particularly those requiring complex permissions across multiple tenants. It abstracts the underlying infrastructure needed for a scalable authorization system, allowing development teams to integrate access control without building it from scratch.

The platform supports various authorization models, including Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). RBAC assigns permissions based on roles (e.g., 'admin', 'editor', 'viewer'), simplifying permission management for common user types. ABAC, in contrast, allows for more granular control by evaluating attributes of the user, resource, and environment at the time of an access request. For example, a policy might dictate that a user can access a document if their department attribute matches the document's department attribute, and if the current time is within business hours.

Warrant is particularly suited for multi-tenant applications where isolation of data and features between different customer organizations is critical. It provides mechanisms to define tenant-specific policies and ensure that users within one tenant cannot access resources belonging to another. This capability is essential for SaaS providers to maintain security and compliance across their customer base.

Developers interact with Warrant through a set of APIs and SDKs available for languages such as JavaScript, Python, and Go. These tools facilitate defining authorization objects, relationships, and queries to determine user permissions. The service is built to handle high request volumes, addressing the scalability challenges often associated with custom-built authorization systems as an application grows. By offloading authorization logic to a dedicated service, applications can maintain performance and ensure consistent policy enforcement.

The platform also offers a Free Developer plan, allowing up to 10,000 requests per month, which enables teams to evaluate its capabilities and integrate it into smaller projects or development environments. For production deployments, paid plans scale with request volume and offer additional features. Warrant's approach aims to reduce the operational overhead of managing authorization, allowing engineering resources to be redirected towards core product development.

Key features

  • Fine-Grained Authorization: Define and enforce precise access rules based on specific user actions, resources, and environmental conditions.
  • Role-Based Access Control (RBAC): Assign permissions to roles, then assign roles to users, simplifying policy management for common access patterns.
  • Attribute-Based Access Control (ABAC): Implement dynamic access decisions by evaluating attributes of users, resources, and the request context.
  • Multi-Tenancy Authorization: Securely manage authorization policies across multiple customer organizations, ensuring data isolation and tenant-specific access rules.
  • Scalable Authorization Service: Designed to handle high volumes of authorization requests with low latency, supporting growing applications.
  • API and SDKs: Provides a RESTful API and client libraries in multiple programming languages (Go, Java, JavaScript, Node.js, Python, Ruby, PHP, C#) for integration.
  • Policy Management: Tools for defining, updating, and querying authorization policies programmatically.
  • Compliance: Adheres to SOC 2 Type II compliance standards, addressing security and availability requirements for sensitive data.

Pricing

Warrant offers a tiered pricing model, including a free developer plan and paid plans that scale with usage and features. As of May 2026, the pricing structure is as follows:

Plan Name       | Monthly Price | Requests Included | Key Features
Developer Plan  | Free          | 10,000            | Basic authorization, API & SDKs, community support
Starter Plan    | $49           | 100,000           | All Developer features, priority support
Growth Plan     | $199          | 500,000           | All Starter features, advanced policy management, dedicated support
Enterprise Plan | Custom        | Volume-based      | All Growth features, custom SLAs, on-premise deployment options, audit logs

Additional requests beyond the included amounts are typically billed per 10,000 requests. For detailed pricing information and specific feature breakdowns, refer to the official Warrant pricing page.

Common integrations

  • Application Frameworks: Integrates with common web frameworks like Node.js Express, Ruby on Rails, Django, and Spring Boot using their respective SDKs to enforce authorization logic within application routes and services.
  • Identity Providers (IdP): Can be used alongside IdPs such as Auth0 or Okta to manage authentication (who a user is) separately from authorization (what a user can do).
  • Database Systems: While not a direct database integration, authorization policies defined in Warrant can control access to data stored in databases like PostgreSQL, MongoDB, or MySQL by checking permissions before data retrieval or modification.
  • API Gateways: Can be integrated with API gateways like Kong or AWS API Gateway to enforce authorization policies at the edge of an application, preventing unauthorized requests from reaching backend services. For example, Kong provides plugins for OAuth 2.0 authentication which can complement Warrant's authorization decisions.
  • CI/CD Pipelines: Authorization policies can be managed and deployed as part of a continuous integration/continuous deployment pipeline, ensuring that policy changes are version-controlled and tested.

Alternatives

  • Auth0 by Okta: A comprehensive identity platform offering authentication, authorization, and user management services. Auth0 provides a flexible API authorization solution that can be configured for various access control needs.
  • Permit.io: A full-stack authorization service that helps developers embed access control into their applications, supporting RBAC and ABAC with a focus on policy as code.
  • Cerbos: An open-source authorization layer that provides an API for making authorization decisions, allowing developers to define policies using a declarative language. Cerbos documentation details its Policy Decision Point approach.

Getting started

To begin using Warrant, you typically initialize the client with your API key, define an object and a subject, and then check an access permission. The following JavaScript example demonstrates how to check if a user can 'view' a specific 'document'.

// Install the Warrant Node.js SDK: npm install @warrantdev/warrant-node

// The package exposes WarrantClient as a named export
const { WarrantClient } = require('@warrantdev/warrant-node');

const warrant = new WarrantClient({
    apiKey: 'YOUR_API_KEY' // Replace with your actual API Key
});

async function checkDocumentAccess(userId, documentId) {
    try {
        // Ensure the user exists as a subject in Warrant
        await warrant.create("user", userId, {"name": `User ${userId}`});

        // Ensure the document exists as an object in Warrant
        await warrant.create("document", documentId, {"name": `Document ${documentId}`});

        // Check whether the user has the 'viewer' relation on the document
        const hasAccess = await warrant.check({
            object: {
                objectType: "document",
                objectId: documentId
            },
            relation: "viewer",
            subject: {
                objectType: "user",
                objectId: userId
            }
        });

        if (hasAccess) {
            console.log(`User ${userId} has viewer access to document ${documentId}`);
            // Proceed with granting access
        } else {
            console.log(`User ${userId} does NOT have viewer access to document ${documentId}`);
            // Deny access or show an error
        }
        // Return the decision so callers can enforce it
        return hasAccess === true;
    } catch (e) {
        // Fail closed: an error from the service must never grant access
        console.error("Error checking access:", e.message);
        return false;
    }
}

// Example usage:
checkDocumentAccess("user-123", "doc-abc");
checkDocumentAccess("user-456", "doc-abc");

This code snippet initializes the Warrant client with an API key. It then ensures that a 'user' and a 'document' object exist within Warrant's system. Finally, it calls the check method to determine if the specified user has the 'viewer' relation to the document. The result, a boolean value, indicates whether the access request is authorized. More complex policies involving attributes or tenant-specific rules can be defined through the Warrant API reference.
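
When the check runs against a remote service, the enforcement point also has to decide what happens on a timeout, an error, or an unexpected response. The following is an added example, not code from Warrant or its SDK: a guard that denies in all of those cases and rejects cross-tenant requests before any remote call. `makeGuard`, the injected `checkFn` (standing in for the SDK's check call), the `tenantId` fields and all sample values are assumptions made for illustration.

```javascript
// Added example: fail-closed guard around a remote authorization check.
// checkFn stands in for the SDK call (the page's warrant.check) and is
// injected so the block runs offline; tenantId fields are assumed.
function makeGuard(checkFn, { timeoutMs = 200 } = {}) {
    return async function isAllowed(subject, relation, object) {
        // Cross-tenant requests are denied locally, before any remote call.
        if (!subject.tenantId || subject.tenantId !== object.tenantId) {
            return { allowed: false, reason: 'tenant_mismatch' };
        }
        let timer;
        const timeout = new Promise((_, reject) => {
            timer = setTimeout(() => reject(new Error('timeout')), timeoutMs);
        });
        try {
            const result = await Promise.race([
                checkFn({
                    object: { objectType: object.type, objectId: object.id },
                    relation,
                    subject: { objectType: subject.type, objectId: subject.id },
                }),
                timeout,
            ]);
            // Only a literal true grants access; undefined, null or a truthy
            // error payload must never be read as "allowed".
            return result === true
                ? { allowed: true, reason: 'granted' }
                : { allowed: false, reason: 'denied' };
        } catch (e) {
            // Service error or timeout: deny instead of falling through.
            return { allowed: false, reason: `error:${e.message}` };
        } finally {
            clearTimeout(timer);
        }
    };
}

// Constructed stubs that simulate the service's possible behaviours.
const grants = new Set(['user-123|viewer|doc-abc']);
const okCheck = async ({ object, relation, subject }) =>
    grants.has(`${subject.objectId}|${relation}|${object.objectId}`);
const brokenCheck = async () => { throw new Error('503'); };
const slowCheck = () => new Promise((r) => setTimeout(() => r(true), 100));
const sloppyCheck = async () => ({ error: 'bad request' }); // truthy non-boolean

// Constructed sample principals and resource.
const alice = { type: 'user', id: 'user-123', tenantId: 't1' };
const outsider = { type: 'user', id: 'user-123', tenantId: 't2' };
const doc = { type: 'document', id: 'doc-abc', tenantId: 't1' };
```

The `reason` field is intended for audit logging on the server side; only `allowed` should drive the response to the caller.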