A bear playing hopscotch

Authorization for the Next Billion Developers

Graham Neray

Authorization for the Next Billion Developers

TLDR We’re announcing new features to help developers get started with Oso, as well as $15M in new funding, which we’ll use to invest in Oso Cloud, double down on open source Oso, and educate the next billion developers on authorization.

For the last 3+ years, the team at Oso has gotten out of bed everyday to think about roles and permissions. Why?

We’ve spoken with 1,000+ engineering teams, who without fail report a “Groundhog Day” experience of building and maintaining authorization systems time after time throughout their careers. Authorization is the mechanism that controls who has access to what in an app. It’s a problem as old as computers, and it turns out, it’s a hard problem.

That’s because the code for who’s allowed to see what in your application has traditionally been implicit, buried, and convoluted. Worse, this logic is pervasive throughout the codebase and directly tied to how users experience the app.

At Oso, we’re flipping this model on its head: we believe your authorization system should be explicit, abstracted out, and easy to reason about. We also believe developers should outsource this layer of the stack and “stand on the shoulders of giants.” We do this already with everything from compute to feature flags and authentication. Authorization is next.

The next billion developers will not learn to write (and later, debug) custom if statements for permissions – they’ll tweak a pre-configured authorization system, and that system will be Oso.

Companies like Chief, Arc, Intercom, Wayfair, and Productboard have already adopted Oso as the standard for authorization in their applications. Today we’re announcing a new round of funding and capabilities to bring these superpowers to the rest of the world.

What to know

  • What is Oso Cloud? Oso Cloud is authorization as a service. Under the hood it’s powered by open source Oso, our authorization engine.
  • Why authorization? Authorization is mostly invisible to users, but it’s critical and it’s hard to get right. Engineers regularly spend months and even years distracted by building and maintaining complex authorization software, when they should be focused on building features and utility for their users.
  • Why Oso Cloud? Thousands of engineering teams at companies like Chief, Productboard, Olive AI, and Digimarc have signed up for Oso Cloud already for 3 reasons:
    • Batteries-Included - Oso Cloud reduces the cognitive load for you by providing built-in primitives for the most common authorization patterns and use cases, like admin roles, sharing, and filtering lists. It’s fully managed and performance-tuned, with nodes deployed across multiple regions and near you for <10 ms latency and 99.99% uptime.
    • Extensibility - Under the hood, Oso is powered by a declarative configuration language we built just for authorization, called Polar, so you can express even the most specific nuances of your domain.
    • Developer experience - Oso ships with tools to keep feedback loops short and tight, like a visual rules editor, VScode extension, unit tests, Explain debugging, and logging.
  • What’s happening now?
    • Funding – We’re announcing a $15M round led by Felicis, with participation from Sequoia, Harpoon, and the entrepreneurs who have built the most influential developer and infrastructure tools in the world.
    • Product – We’re launching new capabilities to help developers learn about authorization, get started with Oso, and integrate Oso into their existing feedback loops.
    • Open source – We’re doubling down on open source, bringing what we’ve learned building and running Oso Cloud to open source Oso. This makes it easier for anyone to get started with Oso and have confidence that they are free from vendor lock-in.
    • Head of Marketing – Francesca Krihely joins us as Head of Marketing from Snyk, and before that, MongoDB, to help educate developers worldwide about authorization and Oso.

“Like most startups, Productboard started with coarse, simple role-based access. As we started growing and going upmarket, we quickly realized we needed to support more use cases. We reviewed multiple solutions, and Oso came out on top for its superior developer experience, scalable and consistent performance, and the flexibility to match all our needs.”

Jiří Brunclík, VP Engineering, Productboard

“Moving to Oso has saved us thousands of lines of code, made authorization a thing we can actually reason about, and helped us provide better security and privacy to our customers. We couldn’t have done any of this with our prior homegrown system. I'd recommend Oso to anyone building RBAC or any kind of permissions system.”

Peadar Coyle, Founder/CTO, Audiostack

“It used to take us months to add new roles and permissions. Using Oso as our core authorization layer has enabled us to reduce that time a ton. On top of that, the Oso team has been very helpful and responsive, making our migration super smooth.”

Derick Matamoros, Lead Engineer, Oyster HR

“Arc is a banking platform, so getting authorization right is critical. We knew our requirements could get complex – we’ve already got 40 permissions across 9 roles – and we wanted to lean on the experts. So, we researched 5 products and chose Oso for 3 reasons:

  1. Oso had the most intuitive and clear model
  2. Oso was the most mature, with the best tooling and docs
  3. The support from Oso has been unreal – almost like tapping someone on the shoulder.”

Raven Jiang, CTO, Arc

$15M Series A-1

While the rest of the world is retrenching, investors like Felicis, Sequoia, and Harpoon Ventures are doubling down on Oso. In addition to these distinguished firms, we now count the world’s most accomplished infrastructure entrepreneurs as angel investors, including: Olivier Pomel (Founder and CEO, Datadog), Armon Dadgar (Founder and CTO, Hashicorp), Christina Cacioppo (Founder and CEO, Vanta), Paul Copplestone (Founder and CEO, Supabase), Edith Harbaugh (Founder, LaunchDarkly), Dev Ittycheria (CEO, MongoDB), Calvin French-Owen (Founder, Segment), Ryan Petersen (Founder, Flexport), David Petersen (Founder, BuildZoom), and technical advisor Abhishek Parmar (co-creator of Google Zanzibar & Airbnb Himeji).

Together with prior rounds (led by Sequoia), this brings our total funding raised to over $25M, making us the best-capitalized authorization company in the world. This funding will allow us to invest in Oso Cloud, double down on open source Oso, and educate the next billion developers on authorization.

What is Oso Cloud?

Oso Cloud is authorization as a service. Concretely, it consists of the following pieces:

  1. A visual rules editor for describing who’s allowed to do what in your app. Under the hood, this is fully extensible and backed by Polar, our declarative configuration language for authorization.
  2. Oso Cloud, the service (built in Rust 🦀), which stores authorization data (like roles) and responds to permission checks and related questions over an HTTP API. Our servers are replicated globally for <10ms latency and >99.99% uptime.
  3. Clients for Node.js, Python, Go, Ruby, .NET (and Java coming soon!)
  4. Tools to give you short and tight feedback loops, like a VS Code extension, unit tests, Explain debugging, and logging.

Rather than writing custom code and ad hoc SQL statements throughout your app, Oso Cloud takes you through 3 repeatable steps:

  1. Model - First, you model who’s allowed to do what in your application using Workbench, our visual rules editor. Workbench comes with primitives for common patterns like RBAC and multi-tenancy. It’s backed by Polar so you can extend and customize rules however you want.
  2. Test - Then you write tests using inline assertions. If anything doesn’t look right, you’ll see it right away, and you can debug it using Explain.
  3. Integrate - Last, you integrate Oso into your app. Send your core authorization data – like roles and permissions – to Oso Cloud. And add calls to our API where you used to have custom if statements to check if a user can do an action on a resource, get all the resources a user can do that action on, give you all the actions a user can do on a resource – or any pivot on those questions.

What’s New in Oso Cloud?

Over the last 1.5 years, we’ve focused on the fundamentals, making Oso Cloud a rock solid platform that companies like Chief, Productboard, Olive AI, and Digimarc trust.

  • High availability - Oso Cloud runs in dozens of regions and availability zones for 99.99% uptime. It has no single point of failure. It has already withstood multiple AWS outages without any customer-visible impact.
  • Low latency - Oso Cloud deploys nodes at the edge. It precomputes indexes and caches queries to provide latency as low as <10ms end to end.
  • Security - All data is isolated, encrypted, and locked down. All customer-related systems are protected by strong, hardware-backed authentication. SOC 2 is coming shortly.
  • Backup + recovery - Oso Cloud automatically takes snapshots every 15 minutes and lets you restore to any point in time.

With this foundation, today we’re announcing features and workflows to give you the easiest path to authorization in your app:

Starter flow

When you sign up for Oso Cloud, we guide you through your first feedback loop so can build a mental model of how Oso Cloud works:

  • Configuring your first authorization rule
  • Writing a test
  • Adding some authorization data


Then you get to see it working and how it all ties together through Explain.

Visual rules editor

Workbench is a visual rules editor that gives you a template for describing who’s allowed to do what in your app. Add the permissions, resources, etc. that you need, then fill them out using the words that apply to your domain. On the right, we show you the Polar code you’re generating. And if ever you want to do something custom, you can pop into our in-browser IDE and write custom Polar rules.


Test help

Unit tests give you a standard assertion interface for ensuring your rules behave the way you expect them to. Now, when they don’t behave as you expect, they tell you why, and give you a one-click suggested fix.

Screen Shot 2023-06-19 at 12.17.15 PM.png

Local development binary

For production, fully managed cloud services are great. But for development and CI/CD, local is king. Starting today, we ship an Oso Cloud binary that you can run offline for development and CI/CD.

Open Source Oso

Open source is powerful. It can provide the easiest path to trying new software, more eyes on the code to raise quality and security, and freedom from vendor lock-in. Oso started with open source, and we’re grateful to the thousands of developers worldwide who have helped make it great.

With this round of funding, we’re doubling down on open source. In the coming months, we’re going to take what we’ve learned building Oso Cloud and bring it back to open source Oso.

  1. Data model - Bring the Oso Cloud data model (facts) to open source Oso. This is a piece of the equation that developers using open source Oso have traditionally had to solve on their own. We want to make it available to everyone.
  2. Rules - Unify the Polar syntax across open source Oso and Oso Cloud to ensure that engineering teams can move from one to the other without concern for vendor lock-in.
  3. Performance - Take down some long-anticipated performance improvements based on our experience running Oso ourselves in production for the last 1.5 years.

We have a lot more that we’re working on behind the scenes, including better ways to integrate Oso (e.g., at the database or ORM layer). Stay tuned!

Head of Marketing

“I love getting marketed to!”

- No developer ever

The developer is our North Star. To that end, we believe the best way to market Oso is through education that helps developers level up their knowledge of deeply technical domains, like authorization. We’ve already written extensive documentation in resources like Authorization Academy, as well as technical posts on topics like the 10 different authorization models and authorization patterns in GraphQL.

Today, we’re announcing that Francesca Krihely has joined Oso as Head of Marketing to double-down on our education-first approach to telling the world about Oso. Francesca joins us from Snyk, and before that, MongoDB. She is a champion of developers, through and through. Welcome Francesca!

What’s next: Authorization for your inner programmer

Oso Cloud is a new model for authorization that gives superpowers to the next billion developers. Thousands of engineering teams are already taking advantage of it. For more info on these developments and a peek at how Oso Cloud works under the hood, come to our virtual event, Authorization for your inner programmer, on June 27 at 12:00 pm ET.

See you on the Internet!

Want us to remind you?
We'll email you before the event with a friendly reminder.

Write your first policy