Oso

Oso is a comprehensive Authorization as a Service platform designed to unburden engineering teams from the complexities of building and maintaining their own permissions systems. It provides the infrastructure and tools to answer critical authorization questions like “can this user access that resource?” across applications, services, and even AI models. Oso is built for developers who need to implement robust, scalable, and flexible access control, allowing them to focus on shipping core product features instead of reinventing the authorization wheel.

The platform is architected for high performance and reliability, built in Rust to deliver sub-10ms latency and scale to over a million requests per second. It can be deployed in the cloud or self-hosted, offering flexibility to fit any system architecture. A key innovation of Oso is its specialized support for AI-native applications, enabling developers to create permissions-aware RAG (Retrieval-Augmented Generation) systems and secure agentic workflows where AI agents act on behalf of users with limited, auditable permissions.

How to use Oso

Integrating Oso into an application follows a straightforward, three-step process designed for developer efficiency:

1. Write Your Policy: Define your authorization logic using Polar, Oso's powerful and flexible declarative language. Polar allows you to express any authorization model you need, from simple Role-Based Access Control (RBAC) to complex Relationship-Based (ReBAC) and Attribute-Based (ABAC) controls, or any combination thereof. The logic is centralized and easy to reason about.
2. Plug in Your Data: Connect your application's data to Oso. You have the flexibility to either sync your authorization-relevant data (like user roles and resource ownership) with the Oso service or keep the data in your own database and have Oso query it at runtime. This adaptability ensures Oso fits seamlessly into your existing architecture.
3. Integrate and Enforce: Use Oso's idiomatic SDKs for your programming language to call the Oso API from your application. These SDKs provide simple abstractions to enforce the policies you've written. The platform also includes a suite of developer tools for inline testing, logging, regression testing, and debugging to ensure your authorization logic is correct and secure.

Core Features of Oso

• Polar Policy Language: A flexible, declarative Domain-Specific Language (DSL) for expressing any authorization model (RBAC, ReBAC, ABAC, and more).
• Authorization as a Service: A fully managed service (cloud or self-hosted) that handles the performance, scalability, and reliability of authorization checks.
• Fine-Grained Authorization: Enables highly specific and conditional permissions, essential for features like user impersonation, tiered service entitlements, and field-level data access.
• AI-Native Permissions: Provides tools to secure AI applications, including permissions for AI agents acting on behalf of users and filtering vector embeddings for permissions-aware RAG responses.
• High Performance & Scalability: Built in Rust, offering <10ms p90 latency and horizontal scaling to over 1 million requests per second, with a 99.99% uptime SLA available.
• Developer-First Tooling: Includes idiomatic SDKs, policy testing frameworks, detailed logging, and debugging tools to streamline the development and maintenance of access control.
• Flexible Deployment: Available as a multi-tenant cloud service, in a hybrid model, or fully self-hosted on-premises to meet various security and compliance needs.

Use Cases for Oso

Oso is trusted by companies like Duolingo, Productboard, and Intercom for a variety of scenarios:

• Building Enterprise-Ready Features: Quickly add complex, fine-grained access controls and custom roles to meet the demands of enterprise customers.
• Securing AI Agentic Workflows: Allow AI agents to act on behalf of users with narrowly defined, temporary permissions, with full visibility and auditability for every action.
• Permissions-Aware RAG: Ensure that Large Language Models (LLMs) in RAG applications only generate responses based on data the user is explicitly authorized to see by filtering vector search results.
• Centralizing Authorization: Unify disparate permission logic from multiple microservices into a single, consistent, and maintainable authorization framework.
• Modernizing Legacy Systems: Replace brittle, homegrown authorization systems with a scalable, flexible, and expert-supported solution, reducing bugs and maintenance overhead.

Advantages of Oso

Oso offers significant advantages over building authorization in-house or using other solutions:

• Accelerated Time-to-Market: Drastically reduces the time required to implement new roles and permissions, with some customers reporting a 10x speed improvement.
• Unmatched Flexibility: The Polar language allows developers to model real-world access scenarios without being constrained by a single authorization model.
• Enhanced Security and Reliability: Centralizing logic reduces the surface area for bugs and security vulnerabilities. Oso's infrastructure is built for enterprise-grade reliability with up to 99.99% uptime.
• Superior Developer Experience: Praised for its clear documentation, powerful tooling, and ease of integration, making authorization a productive part of the development cycle.
• Future-Proof for AI: Provides a clear path for securing the next generation of AI-native applications, a challenge many traditional systems are not equipped to handle.

Pricing and Plans

Oso offers a tiered pricing structure to accommodate different needs:

• Developer Plan: Free. Designed for individuals learning and experimenting. Includes support for up to 100 Monthly Active Users (MAUs) and 5 developers.
• Startup Plan: Starting at $149/month. Aimed at growing teams needing production-ready SLAs. Includes 300 MAUs (with volume pricing available), a 99.95% SLA, and standard support.
• Growth Plan: Custom pricing. For organizations with advanced security, support, and deployment needs. Offers a 99.99% SLA, 24/7 support, custom deployment options (cloud, hybrid, on-prem), and white-glove onboarding.
• Migration Services: A one-time fee service where the Oso team helps de-risk and accelerate the migration from an existing system, ensuring 100% parity and cutting time to production.