
OPA is a policy engine that streamlines policy management across your stack for improved development, security and audit capability.

data.json

{}

input.json

{
  "account": {
    "state": "open"
  },
  "user": {
    "risk_score": "low"
  },
  "transaction": {
    "amount": 950
  }
}

# Run your first Rego policy!
package payments

default allow := false

allow if {
    input.account.state == "open"
    input.user.risk_score in ["low", "medium"]
    input.transaction.amount <= 1000
}

# Open in the Rego Playground to see the full example.

Created by Styra

OPA is now maintained by Styra and a large community of contributors.


Developer Productivity: OPA helps teams focus on delivering business value by decoupling policy from application logic. Security & platform teams centrally manage shared policies, while developer teams extend them as needed within the policy system.


Performance: Rego, our domain-specific policy language, is built for speed. By operating on pre-loaded, in-memory data, OPA acts as a fast policy decision point for your applications.


Audit & Compliance: OPA generates comprehensive audit trails for every policy decision. This detailed history supports auditing and compliance efforts and enables decisions to be replayed for analysis or debugging.

Interested in seeing more? Check out the Maintainer Track Session from KubeCon.

Context-aware, Expressive, Fast, Portable

OPA is a general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy for a wide range of use cases. You can use OPA to enforce policies in applications, proxies, Kubernetes, CI/CD pipelines, API gateways, and more.

Applications can directly integrate with OPA using our SDKs or REST API. This is great when your application needs to make domain-specific runtime decisions.

policy.rego

package application.authz

# Only owner can update the pet's information. Ownership
# information is provided as part of the request data from
# the application.
default allow := false

allow if {
    input.method == "PUT"
    some petid
    input.path = ["pets", petid]
    input.user == input.owner
}

input.json

{
  "role": "staff",
  "owner": "bob@example.com",
  "path": [
    "pets",
    "pet113-987"
  ],
  "user": "alice@example.com"
}

data.json

{}
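
A minimal enforcement-point client for the REST integration described above, as an added example that is not code from the OPA project. It assumes OPA is listening on localhost:8181 with policy.rego loaded; the helper names (`interpret`, `http_post`, `is_allowed`) are hypothetical, and the sample request is the page's input.json with a constructed "method" field.

```python
"""Fail-closed client for OPA's Data API (added example, not OPA project code)."""
import json
import urllib.request

# Assumption: OPA runs locally on its default port with policy.rego loaded.
# The URL path mirrors the package and rule name: application.authz -> allow.
OPA_URL = "http://localhost:8181/v1/data/application/authz/allow"


def interpret(body: bytes) -> bool:
    """Map a Data API response body to a decision; only a literal true allows."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False
    # OPA omits "result" when the queried document is undefined, for example
    # when the URL path names a package or rule that is not loaded.
    return isinstance(doc, dict) and doc.get("result") is True


def http_post(url: str, payload: bytes, timeout: float) -> bytes:
    """Send the JSON payload to OPA and return the raw response body."""
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def is_allowed(input_doc: dict, url: str = OPA_URL, send=http_post,
               timeout: float = 2.0) -> bool:
    """Ask OPA for a decision; any transport or parse failure means deny."""
    payload = json.dumps({"input": input_doc}).encode("utf-8")
    try:
        return interpret(send(url, payload, timeout))
    except (OSError, ValueError):  # URLError and HTTPError are OSError subclasses
        return False


if __name__ == "__main__":
    # Constructed request: the page's input.json plus a "method" field.
    request = {
        "method": "PUT",
        "path": ["pets", "pet113-987"],
        "owner": "bob@example.com",
        "user": "alice@example.com",
    }
    print("allow" if is_allowed(request) else "deny")
```

Treating a missing or non-boolean `result` as deny keeps the application safe when the policy bundle fails to load or the query path is mistyped.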
Rego Playground
Write your first Rego Policy
Play with Rego

OPA Slack Community
Talk to other users and maintainers
Join us on Slack

Contribute to OPA
Get involved with our project
Get started