OpenFGA Java SDK Overview

Relevant source files

• .openapi-generator/FILES
• CHANGELOG.md
• README.md
• build.gradle
• docs/OpenFgaApi.md
• publish.gradle
• src/main/java/dev/openfga/sdk/api/OpenFgaApi.java
• src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java
• src/test-integration/java/dev/openfga/sdk/api/OpenFgaApiIntegrationTest.java
• src/test-integration/java/dev/openfga/sdk/api/client/OpenFgaClientIntegrationTest.java
• src/test/java/dev/openfga/sdk/api/OpenFgaApiTest.java
• src/test/java/dev/openfga/sdk/api/client/OpenFgaClientTest.java

Purpose and Scope

This page provides a high-level overview of the OpenFGA Java SDK, including its architecture, core components, and key capabilities. This SDK is an autogenerated wrapper around the OpenFGA API that provides both high-level and low-level interfaces for interacting with OpenFGA authorization servers.

For installation and initial setup instructions, see Installation and Setup. For detailed API operation references, see Client APIs. For production-ready features like error handling and telemetry, see Advanced Features.

Sources: README.md1-124 build.gradle21-22

What is OpenFGA

OpenFGA is an open source Fine-Grained Authorization solution inspired by Google's Zanzibar paper. It provides a high-performance and flexible authorization/permission engine designed for application builders to model permission layers and integrate fine-grained authorization into their applications. The SDK communicates with OpenFGA API servers to manage authorization models, relationship tuples, and perform authorization queries.

Sources: README.md59-64

SDK Information

Property	Value
Current Version	0.9.5
Group ID	dev.openfga
Artifact ID	openfga-sdk
Minimum Java Version	Java 17
Repository	Maven Central
License	Apache-2.0

Sources: build.gradle21-34 publish.gradle7-9 README.md77-121

SDK Architecture Overview

The SDK is organized into three primary architectural layers, each serving distinct purposes and exposing different levels of abstraction.

Architectural Layers Diagram

Sources: src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java23-36 src/main/java/dev/openfga/sdk/api/OpenFgaApi.java68-99 src/main/java/dev/openfga/sdk/api/client/ApiClient.java README.md124-153

Layer Descriptions

Client Layer (High-Level Interface):

• OpenFgaClient provides typed, developer-friendly methods for all OpenFGA operations with automatic configuration management, retry handling, and error translation
• ApiExecutor offers an escape hatch for making custom HTTP requests to arbitrary OpenFGA endpoints
• ClientConfiguration extends base Configuration with OpenFGA-specific settings like storeId and authorizationModelId

API Layer (Low-Level Interface):

• OpenFgaApi implements direct mappings to OpenFGA REST API endpoints with minimal abstraction
• Generated model classes in dev.openfga.sdk.api.model package represent API request/response structures
• BaseStreamingApi handles Server-Sent Events for streaming operations

Infrastructure Layer:

• ApiClient wraps Java's HttpClient and manages request lifecycle
• HttpRequestAttempt implements RFC 9110-compliant retry logic with exponential backoff
• OAuth2Client handles OAuth2 client credentials flow with token caching and proactive refresh
• Configuration provides base settings for timeouts, retries, and telemetry

Sources: src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java1-80 src/main/java/dev/openfga/sdk/api/OpenFgaApi.java63-99

Core Components

Component Interaction Diagram

Sources: src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java28-80 src/main/java/dev/openfga/sdk/api/OpenFgaApi.java68-155

Key Component Descriptions

Component	File Location	Purpose
OpenFgaClient	src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java23-1426	Primary user-facing interface providing typed methods for stores, models, tuples, and authorization queries
OpenFgaApi	src/main/java/dev/openfga/sdk/api/OpenFgaApi.java68	Low-level API providing direct access to REST endpoints with minimal abstraction
ApiExecutor	src/main/java/dev/openfga/sdk/api/client/ApiExecutor.java	Enables custom HTTP requests to arbitrary OpenFGA endpoints with automatic auth and retry handling
ClientConfiguration	src/main/java/dev/openfga/sdk/api/configuration/ClientConfiguration.java	Extends Configuration with storeId and authorizationModelId for client-level defaults
Configuration	src/main/java/dev/openfga/sdk/api/configuration/Configuration.java	Base configuration with API URL, credentials, timeouts, retry settings, and telemetry options
OAuth2Client	src/main/java/dev/openfga/sdk/api/auth/OAuth2Client.java	Manages OAuth2 token lifecycle with caching and proactive refresh (5-10 min before expiry)
HttpRequestAttempt	src/main/java/dev/openfga/sdk/api/client/HttpRequestAttempt.java	Executes HTTP requests with automatic retries for 429 and 5xx errors (except 501)
FgaConstants	src/main/java/dev/openfga/sdk/constants/FgaConstants.java	SDK-wide constants including default timeouts, retry limits, batch sizes, and API URLs

Sources: src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java23-80 src/main/java/dev/openfga/sdk/api/OpenFgaApi.java68-99 README.md42-67

Key Features

Authentication Methods

The SDK supports three authentication approaches:

1. No Authentication - For local development or public endpoints
2. API Token - Static bearer token passed in Authorization header
3. OAuth2 Client Credentials - Automatic token acquisition and refresh with caching

OAuth2 tokens are proactively refreshed 5-10 minutes before expiry (with jitter) to prevent authentication failures and distribute token requests over time.

Sources: README.md134-239 src/main/java/dev/openfga/sdk/api/auth/OAuth2Client.java

Retry and Error Handling

• Automatic Retries: Default 3 retries (configurable up to 15 maximum) for rate limits (429) and server errors (5xx except 501)
• RFC 9110 Compliant: Respects Retry-After headers when provided, falls back to exponential backoff with jitter
• Typed Errors: Specific exception classes (FgaApiValidationError, FgaApiRateLimitError, FgaApiAuthenticationError, etc.) for different failure modes
• Request/Response Context: All errors include full HTTP request and response details for debugging

Sources: README.md132 CHANGELOG.md56-74 src/main/java/dev/openfga/sdk/api/client/HttpRequestAttempt.java

Transactional and Non-Transactional Writes

The write() method supports two modes:

• Transactional Mode (default): All writes/deletes succeed or fail atomically
• Non-Transactional Mode: Tuples processed in chunks with independent success/failure status per tuple, useful for bulk operations where partial success is acceptable

Sources: README.md576-643 src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java369-532

OpenTelemetry Integration

Built-in OpenTelemetry support for observability:

• Metrics: fga-client.request.duration, fga-client.query.duration, fga-client.credentials.request
• Attributes: HTTP method, response status, store ID, model ID, user agent
• Configuration: Both manual SDK configuration and Java agent-based instrumentation supported

Sources: README.md1095-1113 CHANGELOG.md142

Streaming API Support

The streamedListObjects() method uses Server-Sent Events (SSE) to efficiently stream large result sets, reducing memory consumption for operations returning many objects.

Sources: README.md1002-1085 CHANGELOG.md10

Conflict Handling for Writes

OpenFGA v1.10.0+ supports conflict resolution options:

• onDuplicate: Controls behavior when creating existing tuples (ERROR or IGNORE)
• onMissing: Controls behavior when deleting non-existent tuples (ERROR or IGNORE)

Sources: README.md645-713 CHANGELOG.md36-38

API Operation Categories

The SDK provides comprehensive coverage of OpenFGA API operations organized into categories:

Category	Operations	Description
Stores	createStore, getStore, listStores, deleteStore	Manage OpenFGA stores
Authorization Models	writeAuthorizationModel, readAuthorizationModel, readAuthorizationModels, readLatestAuthorizationModel	Define and retrieve permission models
Relationship Tuples	write, read, readChanges, writeTuples, deleteTuples	Manage relationship data
Authorization Queries	check, expand, listObjects, listRelations, listUsers, streamedListObjects	Query permissions and relationships
Batch Operations	batchCheck, clientBatchCheck	Perform multiple checks efficiently
Assertions	writeAssertions, readAssertions	Test authorization models

For detailed operation documentation, see API Operations Reference.

Sources: README.md24-52 src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java83-1426

Build System and Publishing

The SDK is built using Gradle with the following characteristics:

• Build Tool: Gradle 7+ with Kotlin and Groovy DSL support
• Code Generation: Models auto-generated from OpenAPI specification
• Code Quality: Spotless formatter (Palantir Java Format), JaCoCo coverage
• Testing: JUnit 5 with unit tests and integration tests (TestContainers with OpenFGA v1.10.2)
• Publishing: Dual-published to Maven Central (via Sonatype Nexus) and GitHub Packages
• Signing: GPG-signed artifacts for security
• CI/CD: GitHub Actions workflows for testing, publishing, and security scanning

Sources: build.gradle1-177 publish.gradle1-61 .github/workflows/

SDK Initialization Pattern

The recommended pattern for SDK usage:

1. Initialize OpenFgaClient once per application lifecycle
2. Reuse the same instance across all requests
3. Set storeId and authorizationModelId at client level or override per request
4. Use configuration overrides for per-request customization (headers, timeouts, model IDs)

This pattern optimizes connection pooling, reduces authentication overhead (especially for OAuth2 client credentials), and improves overall performance.

Sources: README.md126-130 src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java28-80

Next Steps

• For installation instructions, see Installation and Setup
• For a quick example, see Quick Start Guide
• For detailed API usage, see Client APIs
• For production features, see Advanced Features
• For example applications, see Example Applications

Sources: README.md15-57