Kilpi - Simplify TypeScript authorization
"Authorization shouldn't be rocket science. Yet here we are, drowning in complex solutions that make simple permission checks feel like solving quantum physics equations. Enter Kilpi - the TypeScript authorization framework that finally gets it right."
The Authorization Headache We All Know
Let's be honest - most authorization solutions feel like they were designed to make developers miserable. You either get:
- 🏗️ Over-engineered behemoths that require a PhD to configure
- 🧩 Patchwork solutions that crumble under real-world complexity
- 🔐 Security nightmares waiting to happen
That's why Kilpi caught my attention. It's not just another auth library - it's the result of someone (Jussi Nevavuori) solving the same authorization problems repeatedly for different clients and finally creating the solution we all needed.
Kilpi in a Nutshell
Kilpi is an open-source TypeScript authorization framework that turns this:
// The old way
if (user.role === 'admin' && resource.ownerId === user.id && resource.status !== 'archived') {
// Maybe let them do something?
}
Into this clean one-liner:
// The Kilpi way
await authorize(user).can('edit', resource);
Why This Matters
- Type Safety First: Every authorization check is compile-time verified
- Real-World Ready: Battle-tested in production environments
- Developer Happiness: API so intuitive it almost feels cheating
The Killer Features That Set Kilpi Apart
Framework Agnostic by Design
Unlike solutions tied to specific frameworks, Kilpi plays nice with:
- Next.js
- Express
- NestJS
- And anything else in your stack
Authorization Models Galore
Kilpi doesn't force you into one paradigm:
- 🔵 RBAC (Role-Based Access Control)
- 🟢 ABAC (Attribute-Based Access Control)
- 🟣 ReBAC (Relationship-Based Access Control)
- Or your custom hybrid approach
Server-First Security
In an era of client-side everything, Kilpi keeps authorization where it belongs - on the server. No more "hoping" your client-side checks match the backend.
Policies as Proper Code
Forget JSON configuration hell. Your authorization rules live in TypeScript:
// Define once, use everywhere
const postPolicy = {
create: (user) => user.isVerified,
edit: (user, post) => user.id === post.authorId || user.role === 'moderator'
};
Real-World Use Cases Where Kilpi Shines
1. SaaS Applications
- Handle multi-tenant permissions cleanly
- Easily manage team-based access controls
2. Content Management Systems
- Flexible publishing workflows
- Granular content access rules
3. Internal Tools
- Rapidly adapt to changing org structures
- Maintain audit trails through code
The Developer Experience Difference
What makes Kilpi stand out isn't just what it does, but how it feels to use:
- Autocomplete That Actually Helps: The TypeScript integration is so good it feels like the framework reads your mind
- Sensible Defaults: Comes configured for security out of the box
- No Surprise Errors: Clear, actionable messages when something's misconfigured
Getting Started With Kilpi
Installation is straightforward:
npm install @kilpi/auth
# or
yarn add @kilpi/auth
Basic setup example:
import { createKilpi } from '@kilpi/auth';
const kilpi = createKilpi({
policies: {
post: postPolicy,
user: userPolicy
}
});
// Then anywhere in your app:
await kilpi.authorize(currentUser).can('edit', blogPost);
When You Might Need Something Else
While Kilpi is incredibly flexible, it's not always the perfect fit:
- If you need built-in authentication (Kilpi focuses on authorization)
- For extremely simple apps where basic role checks suffice
- When working with non-TypeScript codebases
The Future of Authorization?
What excites me most about Kilpi is how it represents a shift in how we think about authorization:
- From configuration to code
- From rigid to flexible
- From afterthought to first-class citizen
As Jussi mentioned in his announcement post, this is just the beginning. With its plugin system and active community, Kilpi is poised to become the go-to solution for TypeScript authorization.
Ready to Try Kilpi?
If you're tired of authorization being the worst part of your codebase:
- 🌟 Star the Kilpi GitHub repo
- 📚 Dive into the documentation
- 🚀 Implement your first policy today
Because life's too short for bad authorization code.
Features
Framework agnostic
Works with any existing tech stack.
Server-first authorization
Runs all authorizations on the server for security.
Any auth provider
Supports all auth providers via the Subject API.
Policies as code
Implement policies in type-safe TypeScript.
Async policies
Fetch data from databases or APIs during authorization.
All authorization models
Supports RBAC, ABAC, ReBAC, and more.
Protected queries
Wrap queries to ensure secure data access.
Client-side authorization
Fetch authorization decisions with deduping and caching.
Plugin API & Library
Extend Kilpi with custom or ready-made plugins.
Developer-friendly API
Clean, simple, and intuitive API design.
Traffic(2025-03)
Monthly Traffic
Traffic Source
Top Keywords
| Keyword | Traffic | Volume | CPC |
|---|
Source Region
Whois
| Domain | kilpi.vercel.app |
Featured Products
TempMail
ATemplate
BacklinkX
TempMailSafe
ExplodingTopics
ImageTranslateAI
PageFlows
Atlas
Copy embed code
