Using Open Policy Agent with Express.js

Manfred Lange
14 min readMay 7, 2023

How to set up and integrate Open Policy Agent (OPA) with Express.js in a TypeScript project


Accessing data and functionality requires checking two different things. First you need to establish the identity of the user. The user may be another software that uses your API. Once you have established identity you need to check the permissions of the validated identity.

Establishing identity is also called authentication, often shortened to just “authN”. Determining whether a given access is granted or denied is typically called authorization, often shortened to “authZ”.

In this article I’ll focus on authZ. Future articles will address authN, e.g. by using Keycloak as an identity provider (IDP). For authZ we will use Open Policy Agent (OPA) in this article. I like OPA because it is one of the Cloud Native Computing Foundation (CNCF) projects.

We will explore the following topics:

  • How to use OPA from the command line during development
  • How to set up OPA as a demon in the dev container
  • How to write a simple policy file
  • How to integrate authZ in the request pipeline of express.js