Can I use OpenFGA as a CLI?

Yes. KosmoKrator exposes a OpenFGA CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose OpenFGA through MCP?

Yes. The KosmoKrator MCP gateway can expose selected OpenFGA tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are OpenFGA credentials stored?

OpenFGA credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for OpenFGA MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

data

OpenFGA CLI for AI Agents

Use the OpenFGA CLI from KosmoKrator to call OpenFGA tools headlessly, return JSON, inspect schemas, and automate workflows from coding agents, scripts, and CI.

OpenFGA CLI Setup

OpenFGA can be configured headlessly with `kosmokrator integrations:configure openfga`.

Install, configure, and verify

# Install KosmoKrator first if it is not available on PATH.
curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

# Configure and verify this integration.
kosmokrator integrations:configure openfga --set url="$OPENFGA_URL" --enable --read allow --write ask --json
kosmokrator integrations:doctor openfga --json
kosmokrator integrations:status --json

Credentials

Authentication type: optional bearer token optional_bearer_token. Configure credentials once, then reuse the same stored profile from scripts, coding CLIs, Lua, and MCP.

Key	Env var	Type	Required	Label
`url`	`OPENFGA_URL`	URL `url`	yes	API Base URL
`api_token`	`OPENFGA_API_TOKEN`	Secret `secret`	no	Bearer Token

Command Patterns

The generic command is stable across every integration. The provider shortcut is shorter for humans.

Generic CLI call

kosmo integrations:call openfga.openfga_get_configuration '{}' --json

Provider shortcut

kosmo integrations:openfga openfga_get_configuration '{}' --json

Discovery

These commands return structured output for coding agents that need to inspect capabilities before choosing a function.

Discovery commands

kosmo integrations:docs openfga --json
kosmo integrations:docs openfga.openfga_get_configuration --json
kosmo integrations:schema openfga.openfga_get_configuration --json
kosmo integrations:search "OpenFGA" --json
kosmo integrations:list --json

Automation Contexts

The same configured command surface works in these environments. The command does not change unless the host wrapper, credentials, or permissions change.

CI Run integration calls from CI jobs with JSON output, explicit credentials, and predictable exit status. Cron Jobs Schedule repeatable integration workflows from cron while keeping credentials in KosmoKrator config. Shell Scripts Call integration functions from shell scripts with stable JSON input and output. Headless Automation Use KosmoKrator as a non-interactive integration runtime for local automations and wrappers. Coding Agents Let coding agents discover schemas and execute integration functions through CLI commands or MCP.

CLI Functions

Every function below can be called headlessly. Commands are highlighted, copyable, and scroll horizontally when payloads are long.

`openfga.openfga_get_configuration`

[Experimental] The GetConfiguration API returns metadata about the Policy Decision Point (PDP) including its name, version, supported endpoints, and capabilities. This endpoint follows the AuthZEN specification for PDP discovery. Following the AuthZEN spec's m

Read read

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_get_configuration '{}' --json

Shortcut

kosmo integrations:openfga openfga_get_configuration '{}' --json

`openfga.openfga_list_stores`

Returns a paginated list of OpenFGA stores and a continuation token to get additional stores. The continuation token will be empty if there are no more stores. Official OpenFGA endpoint: GET /stores.

Read read

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_list_stores '{}' --json

Shortcut

kosmo integrations:openfga openfga_list_stores '{}' --json

`openfga.openfga_create_store`

Create a unique OpenFGA store which will be used to store authorization models and relationship tuples. Official OpenFGA endpoint: POST /stores.

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_create_store '{}' --json

Shortcut

kosmo integrations:openfga openfga_create_store '{}' --json

`openfga.openfga_get_store`

Returns an OpenFGA store by its identifier Official OpenFGA endpoint: GET /stores/{store_id}.

Read read

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_get_store '{}' --json

Shortcut

kosmo integrations:openfga openfga_get_store '{}' --json

`openfga.openfga_delete_store`

Delete an OpenFGA store. This does not delete the data associated with the store, like tuples or authorization models. Official OpenFGA endpoint: DELETE /stores/{store_id}.

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_delete_store '{}' --json

Shortcut

kosmo integrations:openfga openfga_delete_store '{}' --json

`openfga.openfga_evaluation`

[Experimental] The Evaluation API determines whether a subject is authorized to perform an action on a resource. This endpoint implements the AuthZEN Access Evaluation API specification. ## Request Structure The request requires three components: - **subject**

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_evaluation '{}' --json

Shortcut

kosmo integrations:openfga openfga_evaluation '{}' --json

`openfga.openfga_evaluations`

[Experimental] The Evaluations API allows batch authorization checks in a single request. It supports request-level defaults for subject, action, resource, and context that can be overridden per evaluation item. ## Evaluation Semantics The `options.evaluations

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_evaluations '{}' --json

Shortcut

kosmo integrations:openfga openfga_evaluations '{}' --json

`openfga.openfga_action_search`

[Experimental] The ActionSearch API returns all actions (relations) that a subject can perform on a specific resource. This is useful for answering questions like "What can Anne do with this document?" or building dynamic UIs that show only the actions a user

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_action_search '{}' --json

Shortcut

kosmo integrations:openfga openfga_action_search '{}' --json

`openfga.openfga_resource_search`

[Experimental] The ResourceSearch API returns all resources of a given type that a subject has a specific action (relation) on. This is useful for answering questions like "What documents can Anne read?" or "What folders can Bob administer?" The resource type

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_resource_search '{}' --json

Shortcut

kosmo integrations:openfga openfga_resource_search '{}' --json

`openfga.openfga_subject_search`

[Experimental] The SubjectSearch API returns all subjects that have a specific action (relation) on a given resource. This is useful for answering questions like "Who can read this document?" or "Who can administer this folder?" Results can be filtered by subj

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_subject_search '{}' --json

Shortcut

kosmo integrations:openfga openfga_subject_search '{}' --json

`openfga.openfga_read_assertions`

The ReadAssertions API will return, for a given authorization model id, all the assertions stored for it. Official OpenFGA endpoint: GET /stores/{store_id}/assertions/{authorization_model_id}.

Read read

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_read_assertions '{}' --json

Shortcut

kosmo integrations:openfga openfga_read_assertions '{}' --json

`openfga.openfga_write_assertions`

The WriteAssertions API will upsert new assertions for an authorization model id, or overwrite the existing ones. An assertion is an object that contains a tuple key, the expectation of whether a call to the Check API of that tuple key will return true or fals

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_write_assertions '{}' --json

Shortcut

kosmo integrations:openfga openfga_write_assertions '{}' --json

`openfga.openfga_read_authorization_models`

The ReadAuthorizationModels API will return all the authorization models for a certain store. OpenFGA's response will contain an array of all authorization models, sorted in descending order of creation. ## Example Assume that a store's authorization model has

Read read

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_read_authorization_models '{}' --json

Shortcut

kosmo integrations:openfga openfga_read_authorization_models '{}' --json

`openfga.openfga_write_authorization_model`

The WriteAuthorizationModel API will add a new authorization model to a store. Each item in the `type_definitions` array is a type definition as specified in the field `type_definition`. The response will return the authorization model's ID in the `id` field.

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_write_authorization_model '{}' --json

Shortcut

kosmo integrations:openfga openfga_write_authorization_model '{}' --json

`openfga.openfga_read_authorization_model`

The ReadAuthorizationModel API returns an authorization model by its identifier. The response will return the authorization model for the particular version. ## Example To retrieve the authorization model with ID `01G5JAVJ41T49E9TT3SKVS7X1J` for the store, cal

Read read

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_read_authorization_model '{}' --json

Shortcut

kosmo integrations:openfga openfga_read_authorization_model '{}' --json

`openfga.openfga_batch_check`

The `BatchCheck` API functions nearly identically to `Check`, but instead of checking a single user-object relationship BatchCheck accepts a list of relationships to check and returns a map containing `BatchCheckItem` response for each check it received. An as

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_batch_check '{}' --json

Shortcut

kosmo integrations:openfga openfga_batch_check '{}' --json

`openfga.openfga_read_changes`

The ReadChanges API will return a paginated list of tuple changes (additions and deletions) that occurred in a given store, sorted by ascending time. The response will include a continuation token that is used to get the next set of changes. If there are no ch

Read read

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_read_changes '{}' --json

Shortcut

kosmo integrations:openfga openfga_read_changes '{}' --json

`openfga.openfga_check`

The Check API returns whether a given user has a relationship with a given object in a given store. The `user` field of the request can be a specific target, such as `user:anne`, or a userset (set of users) such as `group:marketing#member` or a type-bound publ

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_check '{}' --json

Shortcut

kosmo integrations:openfga openfga_check '{}' --json

`openfga.openfga_expand`

The Expand API will return all users and usersets that have certain relationship with an object in a certain store. This is different from the `/stores/{store_id}/read` API in that both users and computed usersets are returned. Body parameters `tuple_key.objec

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_expand '{}' --json

Shortcut

kosmo integrations:openfga openfga_expand '{}' --json

`openfga.openfga_list_objects`

The ListObjects API returns a list of all the objects of the given type that the user has a relation with. To arrive at a result, the API uses: an authorization model, explicit tuples written through the Write API, contextual tuples present in the request, and

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_list_objects '{}' --json

Shortcut

kosmo integrations:openfga openfga_list_objects '{}' --json

`openfga.openfga_list_users`

The ListUsers API returns a list of all the users of a specific type that have a relation to a given object. To arrive at a result, the API uses: an authorization model, explicit tuples written through the Write API, contextual tuples present in the request, a

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_list_users '{}' --json

Shortcut

kosmo integrations:openfga openfga_list_users '{}' --json

`openfga.openfga_read`

The Read API will return the tuples for a certain store that match a query filter specified in the body of the request. The API doesn't guarantee order by any field. It is different from the `/stores/{store_id}/expand` API in that it only returns relationship

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_read '{}' --json

Shortcut

kosmo integrations:openfga openfga_read '{}' --json

`openfga.openfga_streamed_list_objects`

The Streamed ListObjects API is very similar to the the ListObjects API, with two differences: 1. Instead of collecting all objects before returning a response, it streams them to the client as they are collected. 2. The number of results returned is only limi

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_streamed_list_objects '{}' --json

Shortcut

kosmo integrations:openfga openfga_streamed_list_objects '{}' --json

`openfga.openfga_write`

The Write API will transactionally update the tuples for a certain store. Tuples and type definitions allow OpenFGA to determine whether a relationship exists between an object and an user. In the body, `writes` adds new tuples and `deletes` removes existing t

Write write

Parameters: none

Generic call

kosmo integrations:call openfga.openfga_write '{}' --json

Shortcut

kosmo integrations:openfga openfga_write '{}' --json

Function Schemas

Use these parameter tables when building CLI payloads without calling integrations:schema first.

openfga.openfga_get_configuration 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_get_configuration --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_list_stores 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_list_stores --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_create_store 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_create_store --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_get_store 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_get_store --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_delete_store 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_delete_store --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_evaluation 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_evaluation --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_evaluations 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_evaluations --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_action_search 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_action_search --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_resource_search 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_resource_search --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_subject_search 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_subject_search --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_read_assertions 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_read_assertions --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_write_assertions 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_write_assertions --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_read_authorization_models 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_read_authorization_models --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_write_authorization_model 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_write_authorization_model --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_read_authorization_model 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_read_authorization_model --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_batch_check 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_batch_check --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_read_changes 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_read_changes --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_check 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_check --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_expand 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_expand --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_list_objects 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_list_objects --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_list_users 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_list_users --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_read 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_read --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_streamed_list_objects 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_streamed_list_objects --json

Parameter	Type	Required	Description
No parameters.

openfga.openfga_write 0 parameters

Schema command

kosmo integrations:schema openfga.openfga_write --json

Parameter	Type	Required	Description
No parameters.

Permissions

Headless calls still follow the integration read/write permission policy. Configure read/write defaults with integrations:configure. Add --force only for trusted automation that should bypass that policy.