Warden: Composable Authorization Engine
Warden is a Go library that unifies RBAC, ABAC, ReBAC, and PBAC authorization behind a single Check API.
Warden is a composable permissions and authorization engine for Go. It answers the fundamental question: "Is this subject allowed to perform this action on this resource?"
Warden combines four authorization models into a unified engine:
- RBAC — Role-Based Access Control with hierarchical roles, permissions, and assignments
- ABAC — Attribute-Based Access Control with policy conditions (IP ranges, time windows, custom attributes)
- ReBAC — Relationship-Based Access Control (Zanzibar-style) with relation tuples and graph traversal
- PBAC — Policy-Based Access Control with time-bound windows and named obligations (audit-log, require-mfa, …)
Key Features
- Unified Check API — A single Check() call evaluates RBAC, ABAC, ReBAC, and PBAC together
- Decision Priority — Explicit deny always wins over allow, which wins over default deny
- Obligations — PBAC side-effect signals flow through CheckResult.Obligations and the PolicyObligationFired plugin hook
- Type-Safe IDs — TypeID-based identifiers for all entities (wrol_, wprm_, wasn_, wpol_, wrel_)
- Multi-Tenant + Namespaces — Every operation is scoped to a tenant; nested namespaces give cascading scope inheritance for org charts that aren't flat
- Pluggable Stores — Memory, PostgreSQL, SQLite, and MongoDB backends
- Plugin System — Lifecycle hooks for audit logging, metrics, and custom integrations
- Declarative DSL — .warden files for defining roles, permissions, policies, resource types, and relations as source-controlled config
- First-Class Tooling — warden CLI (lint, apply, diff, fmt, export, lsp), language server, and VS Code extension
- Forge Integration — First-class Forge extension with DI, middleware, and OpenAPI routes
- Standalone Mode — Use without Forge as a plain Go library
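The decision priority listed above (explicit deny over allow over default deny), as an added sketch that is not Warden's own code. The Effect and Verdict types and the Combine function are hypothetical, and failing closed on an evaluator error and dropping obligations on a deny are assumptions of this example.

```go
package main

import "fmt"

// Effect: the zero value is NoOpinion, so an unset field never reads as Allow.
type Effect int

const (
	NoOpinion Effect = iota
	Allow
	Deny
)

// Verdict is a hypothetical per-model result (not a Warden type).
type Verdict struct {
	Model       string // "rbac", "abac", "rebac" or "pbac"
	Effect      Effect
	Obligations []string
	Err         error
}

// Combine applies explicit deny > allow > default deny. Assumptions: an
// evaluator error fails closed; obligations are returned only on allow.
func Combine(vs []Verdict) (allowed bool, obligations []string, reason string) {
	for _, v := range vs { // pass 1: anything that forces a deny
		if v.Err != nil {
			return false, nil, v.Model + ": evaluator error, failing closed"
		}
		if v.Effect == Deny {
			return false, nil, v.Model + ": explicit deny"
		}
	}
	for _, v := range vs { // pass 2: collect allows and their obligations
		if v.Effect == Allow {
			allowed = true
			obligations = append(obligations, v.Obligations...)
		}
	}
	if !allowed {
		return false, nil, "default deny"
	}
	return true, obligations, "allow"
}

func main() {
	rbac := Verdict{Model: "rbac", Effect: Allow}
	pbac := Verdict{Model: "pbac", Effect: Allow, Obligations: []string{"audit-log"}}
	fmt.Println(Combine([]Verdict{rbac, pbac}))                            // constructed input: two allows
	fmt.Println(Combine([]Verdict{rbac, {Model: "abac", Effect: Deny}})) // one deny overrides
}
```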
Quick Example
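    eng, err := warden.NewEngine(
        warden.WithStore(memoryStore),
    )
    if err != nil {
        // Without an engine no request can be authorized.
        return err
    }

    result, err := eng.Check(ctx, &warden.CheckRequest{
        Subject:      warden.Subject{Kind: "user", ID: "user-42"},
        Action:       "read",
        ResourceType: "document",
        ResourceID:   "doc-123",
    })
    if err != nil {
        // Fail closed: a check that errored is not an allow.
        return err
    }
    if result.Allowed {
        // Access granted
    }

Next Steps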
Getting Started
Install Warden and run your first authorization check in under 5 minutes.
Architecture
Understand how the engine, evaluator, and graph walker work together.
Authorization Models
Learn about RBAC, ABAC, ReBAC, and PBAC and when to use each.
Namespaces
Nested scoping inside a tenant — cascading inheritance for org charts that aren't flat.
.warden Language Reference
Every block, field, expression, operator, and convention in the DSL.
DSL & Tooling
The CLI, language server, VS Code extension, and template variables.
Store Backends
Choose between memory, PostgreSQL, SQLite, and MongoDB stores.