Stop Hand-Rolling Permission Checks. Deploy a Sub-Millisecond Authorization Engine.
A production-ready Go microservice that answers "Can this user do this action on this object?" for every service in your platform. Powered by a DB provider with role bindings, direct grants, object-edge inheritance, and CEL conditions — exposed via ConnectRPC, gRPC, and native MCP server.
The Problem: Authorization Logic Is Scattered Everywhere
Every service re-implements its own `if user.role == "admin"` guards. When your org model gains teams, clinics, or nested companies, those guards silently break. Changing a business rule means touching ten microservices. There is no single answer to "who can currently access this resource?" — and your audit team knows it.
The Solution: One Authoritative Permission Oracle
The Launch Rail Authz service is a standalone authorization engine. Every service in your platform calls CheckPermission once and gets a deterministic allow/deny with a reason code and the provider that evaluated it. Roles, conditions, and object graphs live in one place — update them without touching your services.
Core Architectural Capabilities
Built for deterministic, low-latency authorization at multi-tenant scale.
Native Multi-Tenancy
Tenant isolation is enforced at the service, repository, and wire layers. X-Company-ID is the authenticated boundary — every policy read and runtime check is scoped to the exact tenant, preventing any cross-tenant data leak.
CEL Condition Evaluation
Attach fine-grained conditions to roles or direct grants using Common Expression Language (CEL). Evaluate request metadata, user roles, IP ranges, custom attributes, and session context inline — without a database round-trip.
Object-Edge Inheritance
Model your object hierarchy once using typed edges (e.g. team → company, appointment → clinic). Permission checks automatically traverse the graph, so a company-level binding propagates to every nested child without duplicating grants.
Read-Your-Write Consistency
Every policy mutation returns a consistency token. Pass it back into CheckPermission, BatchCheckPermissions, ListAllowedObjects, or ListSubjects to guarantee the runtime evaluates against the latest version of your policy.
Built for High Throughput
A clean, stateless architecture that scales horizontally. Decoupled inputs and outputs ensure zero-downtime operations.
REST / gRPC
ConnectRPC Gateway
MCP Server
AI Agent Interface
Service Logic
Domain Engine
PostgreSQL
ACID Compliant Storage
NATS / CloudEvents
Async Broadcasting
Security-First Operations
Every layer of Authz is designed around the principle of deny-by-default and cryptographic caller trust.
HMAC-Signed Caller Envelopes
Every request must carry a gateway-signed caller envelope: X-Authz-Caller, X-Authz-Timestamp, and X-Authz-Signature. Authz rejects unsigned traffic and enforces clock-skew limits, giving you cryptographic proof of every calling service.
Streaming Policy Sync
SyncPolicy is a client-streaming RPC. Mirror your entire org hierarchy from identity or HR systems in transactional chunks. Replace mode guarantees the tenant matches the snapshot exactly — stale bindings are automatically pruned.
Real-Time Policy Watch
WatchPolicy streams revision-ordered change events to policy caches, sidecar indexers, and downstream materialized views. Resume from any revision token and replay backlog in order — no polling, no missed updates.
Implementation Examples
Developer-first by design. Access full-featured gRPC, REST, and MCP endpoints out of the box. Our services use ConnectRPC for lightweight, production-grade communication.
The Launch Rail Ecosystem Advantage
The Authz service works as a standalone drop-in for any existing architecture, but its real power is unlocked when combined with the full Launch Rail platform.
Pre-Integrated by Default: When you purchase the complete Launch Rail ecosystem, Authz is already wired into Identity for user and team sync, into the Audit Log service for every permission decision, and into the Entitlements service for plan-gated feature checks — without a line of glue code.
Manage your infrastructure from the Terminal.
One-command provisioning
Create users, tenants, and roles without touching the UI.
Secure Key Management
Easily rotate API keys and manage workspace secrets.
Environment Sync
Synchronize permissions across staging and production.
AI Agents Talk to Authz Natively
Every Launch Rail service ships with a built-in MCP server. Your AI agents can discover tools, read resources, and execute actions—no wrappers, no custom integrations.
MCP Tools
Actions agents can execute
check_permissionAsk whether a subject can perform an action on an object for a given tenant
batch_check_permissionsEvaluate multiple permission checks in a single round-trip
list_allowed_objectsReturn all objects of a type that a subject has a specific permission for
list_subjectsReturn all subjects who have a specific permission on a given object
MCP Resources
Data agents can read
authz://tenants/{id}/rolesAll roles defined for a tenant with their action sets
authz://tenants/{id}/bindingsAll active role bindings including scope, subject, and conditions
authz://tenants/{id}/edgesObject hierarchy graph for a tenant
In Practice
What this looks like
“Who currently has write access to appointment apt_1 in tenant org_acme?”
Calls list_subjects with action='appointment.write' and object='appointment:apt_1' → returns 2 user subjects and 1 group subject with their binding sources and expiry dates.
Build vs. Buy Launch Rail
Why spend 4 months building table structures and plumbing when you can start shipping features tomorrow?
Build it Yourself
The "Not Invented Here" approach
Diving into low-level plumbing means your engineers aren't building your core product features. You risk security vulnerabilities and maintenance debt.
Buy Launch Rail
The "Speed of Light" approach
Get the source code, deploy it in minutes, and focus on what makes your business unique. Zero technical debt, enterprise-ready from day one.
| Feature Comparison | Self-Built | Launch Rail |
|---|---|---|
| Deny-by-Default Evaluation | ||
| Object-Edge Graph Traversal | ||
| CEL Inline Conditions | ||
| Read-Your-Write Consistency | ||
| Streaming Policy Sync | ||
| HMAC-Signed Caller Auth | ||
| Native MCP Support |
Real-World Value: Authz in Action
See how teams across industries use Authz to ship faster, reduce costs, and deliver enterprise-grade experiences from day one.
Clinician & Room Access Control
A clinician inherits read access to appointments through a clinic edge, while an admin binding at the company level propagates to all child objects. Temporal grants let you express on-call coverage with starts_at and expires_at — no background cleanup jobs.
Delegated Approver Workflows
Temporary direct grants with CEL conditions like `request.attributes.ticket_state == 'approved'` let compliance officers grant scoped approver access for a specific period. The consistency token ensures the next check sees the grant immediately.
Tenant-Isolated Permission Layers
Each B2B customer gets their own isolated policy namespace. Admins manage roles and bindings inside their tenant without ever touching another tenant's data. SyncPolicy lets you mirror org changes from your identity provider in one streaming call.
Service-to-Service Authorization
Replace every hand-rolled `isAdmin` flag in your microservice mesh with a single CheckPermission call. The shared authzclient SDK handles HMAC signing, clock skew, and request context — so every service gets consistent, auditable authorization from day one.
Why Buy the License? (The ROI)
Building a correct, multi-tenant authorization engine with role inheritance, CEL evaluation, object graphs, and read-your-write consistency is a months-long project for a specialized team — and a correctness-critical one.
Buy the Launch Rail Authz module today and get the complete, production-ready Go source code.
Zero SaaS Fees
No per-check pricing. Run as many authorization calls as you need.
Complete Ownership
Full source code. Deploy to your own infra. No vendor lock-in.
Docker Ready
Provided Docker images, migrations, and compose files for instant deployment.
Ready to centralize authorization?
Common Questions & Answers
Everything you need to know about integrating and hosting this Launch Rail service.