How It Works

"Authorization shouldn't be rocket science. Yet here we are, drowning in complex solutions that make simple permission checks feel like solving quantum physics equations. Enter Kilpi - the TypeScript authorization framework that finally gets it right."

What is Kilpi? The Modern Authorization Framework for TypeScript

The Authorization Headache We All Know

Let's be honest - most authorization solutions feel like they were designed to make developers miserable. You either get:

• 🏗️ Over-engineered behemoths that require a PhD to configure
• 🧩 Patchwork solutions that crumble under real-world complexity
• 🔐 Security nightmares waiting to happen

That's why Kilpi caught my attention. It's not just another auth library - it's the result of someone (Jussi Nevavuori) solving the same authorization problems repeatedly for different clients and finally creating the solution we all needed.

Kilpi in a Nutshell

Kilpi is an open-source TypeScript authorization framework that turns this:

// The old way
if (user.role === 'admin' && resource.ownerId === user.id && resource.status !== 'archived') {
  // Maybe let them do something?
}

Into this clean one-liner:

// The Kilpi way
await authorize(user).can('edit', resource);

Why This Matters

1. Type Safety First: Every authorization check is compile-time verified
2. Real-World Ready: Battle-tested in production environments
3. Developer Happiness: API so intuitive it almost feels cheating

The Killer Features That Set Kilpi Apart

Framework Agnostic by Design

Unlike solutions tied to specific frameworks, Kilpi plays nice with:

• Next.js
• Express
• NestJS
• And anything else in your stack

graph LR
    A[Your App] --> B[Kilpi]
    B --> C[NextAuth/Auth0/Clerk]
    B --> D[Your Database]

Authorization Models Galore

Kilpi doesn't force you into one paradigm:

• 🔵 RBAC (Role-Based Access Control)
• 🟢 ABAC (Attribute-Based Access Control)
• 🟣 ReBAC (Relationship-Based Access Control)
• Or your custom hybrid approach

Server-First Security

In an era of client-side everything, Kilpi keeps authorization where it belongs - on the server. No more "hoping" your client-side checks match the backend.

Policies as Proper Code

Forget JSON configuration hell. Your authorization rules live in TypeScript:

// Define once, use everywhere
const postPolicy = {
  create: (user) => user.isVerified,
  edit: (user, post) => user.id === post.authorId || user.role === 'moderator'
};

Real-World Use Cases Where Kilpi Shines

1. SaaS Applications

• Handle multi-tenant permissions cleanly
• Easily manage team-based access controls

2. Content Management Systems

• Flexible publishing workflows
• Granular content access rules

3. Internal Tools

• Rapidly adapt to changing org structures
• Maintain audit trails through code

The Developer Experience Difference

What makes Kilpi stand out isn't just what it does, but how it feels to use:

1. Autocomplete That Actually Helps: The TypeScript integration is so good it feels like the framework reads your mind
2. Sensible Defaults: Comes configured for security out of the box
3. No Surprise Errors: Clear, actionable messages when something's misconfigured

Getting Started With Kilpi

Installation is straightforward:

npm install @kilpi/auth
# or
yarn add @kilpi/auth

Basic setup example:

import { createKilpi } from '@kilpi/auth';

const kilpi = createKilpi({
  policies: {
    post: postPolicy,
    user: userPolicy
  }
});

// Then anywhere in your app:
await kilpi.authorize(currentUser).can('edit', blogPost);

When You Might Need Something Else

While Kilpi is incredibly flexible, it's not always the perfect fit:

• If you need built-in authentication (Kilpi focuses on authorization)
• For extremely simple apps where basic role checks suffice
• When working with non-TypeScript codebases

The Future of Authorization?

What excites me most about Kilpi is how it represents a shift in how we think about authorization:

• From configuration to code
• From rigid to flexible
• From afterthought to first-class citizen

As Jussi mentioned in his announcement post, this is just the beginning. With its plugin system and active community, Kilpi is poised to become the go-to solution for TypeScript authorization.

Ready to Try Kilpi?

If you're tired of authorization being the worst part of your codebase:

1. 🌟 Star the Kilpi GitHub repo
2. 📚 Dive into the documentation
3. 🚀 Implement your first policy today

Because life's too short for bad authorization code.

Features

• Framework agnostic: Works with any existing tech stack.
• Server-first authorization: Runs all authorizations on the server for security.
• Any auth provider: Supports all auth providers via the Subject API.
• Policies as code: Implement policies in type-safe TypeScript.
• Async policies: Fetch data from databases or APIs during authorization.
• All authorization models: Supports RBAC, ABAC, ReBAC, and more.
• Protected queries: Wrap queries to ensure secure data access.
• Client-side authorization: Fetch authorization decisions with deduping and caching.
• Plugin API & Library: Extend Kilpi with custom or ready-made plugins.
• Developer-friendly API: Clean, simple, and intuitive API design.