
Launch Week, Day 1 - Warrant OSS v1.0 Release & v2 API Generally Available

Karan Kajla
Co-Founder @ Warrant


Hey everyone! It's finally time to kick off our first ever Launch Week! Before we get started, for those of you who don't know: At Warrant, we're building authorization and access control infrastructure for developers.

The team has been hard at work over the past few months iterating on our platform in close partnership with our customers. We've improved many areas, from developer experience to performance and reliability, while also adding a slew of new features, and we can't wait to share more about everything we've built. Now let's get started!

On this inaugural day of Launch Week, we're excited to announce two huge releases:

  • v1.0 of Warrant OSS, the open source, self-hostable authorization service powering Warrant
  • Our v2 API, with tons of new features and improvements to both performance and developer experience

Let's get into the details!

Warrant OSS v1.0 🚀

Warrant OSS GitHub Repository

It's been almost eight months since we open sourced the authorization service powering Warrant. After almost 80 releases, it's finally ready for a v1.0 release! At its core, Warrant OSS is an implementation of Google Zanzibar, the globally distributed service powering authorization across Google's many products and services. In addition to being a feature-complete Zanzibar implementation, Warrant OSS also includes several improvements to functionality and developer experience baked in. Check out our docs to learn more.

The v1.0 release marks Warrant OSS as stable and production-ready. Teams with small-to-moderate authorization workloads looking for an off-the-shelf, self-hosted authorization service to power authz across their applications and infrastructure should look no further. As always, Warrant OSS is fully compatible with the same API available in our managed offering, so it's easy to swap between the two. It can be deployed with either MySQL or Postgres as the backing datastore (with SQLite also available as an option for embedded or air-gapped environments).

To get started with Warrant OSS, follow along with the steps in the README, and be sure to join us on Slack if you need help or have any questions.

v2 API Now Generally Available 🎉

Our v1 API has been reliably serving production traffic ever since we launched Warrant more than two years ago. While many of our initial assumptions when designing the interfaces have proven to be correct, some of them have since changed. We also received tons of valuable feedback from our customers, all of which drove the updates we made when designing the v2 API. Today, we're excited to finally launch it publicly!

The v2 API is production-ready and already in use by many of our customers. It's available at api.warrant.dev/v2. Let's cover some of the key improvements it offers over the v1 API:

Cursor-Based Pagination + Standard List Params & Response Format

Cursor-Based Pagination

The biggest improvement to the v2 API in terms of both performance and developer experience is the introduction of cursor-based pagination on all list endpoints. Many of our customers use the Warrant API list endpoints to build user-facing pages in their own applications, so having a performant, intuitive, and smooth pagination experience is crucial, not only for customers interacting with the Warrant API but also for their customers!

All v2 list endpoints use cursor-based pagination. While more complicated to implement, cursor-based pagination provides a major performance improvement over basic offset-based pagination, particularly as a result set gets larger. Check out our documentation on Pagination & Sorting to learn more about how to use cursor-based pagination.

Cursor-Based Pagination
GET api.warrant.dev/v2/object-types?limit=5&nextCursor=as9fvasd

Standard List Params & Response Format

This one might seem simple, but it goes a long way in improving developer experience. All list endpoints in the v2 API now return a standard response containing a results array plus nextCursor and prevCursor, cursors pointing to the next and previous pages of results, respectively (if applicable). All list endpoints also now support a common set of parameters for performing pagination, sorting, and even filtering. Check out our documentation on Pagination & Sorting to learn more.

Pagination & Sorting Parameters
GET api.warrant.dev/v2/object-types?limit=5&sortBy=typeId&sortOrder=DESC

List Response
{
  "results": [
    {...},
    {...},
    ...
  ],
  "prevCursor": "b9fg98sdf",
  "nextCursor": "as9fvasd"
}
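The cursor-following loop and the list response shape described above, as an added example (not Warrant's code or SDK). The in-memory `list_object_types` endpoint, the base64 cursor encoding and the sample data are assumptions made for illustration; only the `limit`, `nextCursor`, `prevCursor` and `results` names come from this page.

```python
import base64
import json

# Constructed sample data standing in for a tenant's object types.
OBJECT_TYPES = [{"type": f"type-{i:02d}"} for i in range(12)]


def _encode(key):
    # Assumption: the cursor is an opaque token wrapping the last-seen sort key.
    return base64.urlsafe_b64encode(json.dumps({"k": key}).encode()).decode()


def _decode(cursor):
    return json.loads(base64.urlsafe_b64decode(cursor))["k"]


def list_object_types(limit=5, next_cursor=None):
    """Toy list endpoint returning the results/prevCursor/nextCursor shape."""
    rows = sorted(OBJECT_TYPES, key=lambda r: r["type"])
    after = _decode(next_cursor) if next_cursor else None
    # Keyset step: seek past the last-seen key rather than skipping N rows
    # (in SQL: WHERE key > ? ORDER BY key LIMIT ?), so deep pages stay cheap.
    page = [r for r in rows if after is None or r["type"] > after][: limit + 1]
    has_more = len(page) > limit  # one extra row fetched to detect a next page
    page = page[:limit]
    return {
        "results": page,
        # Returned for shape only; this toy does not page backwards.
        "prevCursor": _encode(page[0]["type"]) if after and page else None,
        "nextCursor": _encode(page[-1]["type"]) if has_more else None,
    }


def fetch_all(list_fn, limit=5, max_pages=100):
    """Client loop: follow nextCursor until the server stops returning one."""
    out, cursor, seen = [], None, set()
    for _ in range(max_pages):  # hard cap so a misbehaving server cannot spin us
        resp = list_fn(limit=limit, next_cursor=cursor)
        out.extend(resp["results"])
        cursor = resp.get("nextCursor")
        if not cursor:
            return out
        if cursor in seen:  # a repeated cursor would loop forever
            raise RuntimeError("server returned a repeated cursor")
        seen.add(cursor)
    raise RuntimeError("page limit exceeded")
```

Treat the cursor as opaque on the client side: pass it back unchanged and stop when it is absent.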

Batch Warrant Operations

Next up, probably a long-awaited feature among developers, is the ability to create and delete multiple warrants in a single API call. Batch warrant operations are guaranteed to be atomic, all-or-nothing actions, so they're especially useful in scenarios that require multiple warrants to be created or deleted at the same time (e.g. creating default permissions for a new user). Check out our docs on creating and deleting multiple warrants to learn more.

POST /v2/warrants
[
  {
    "objectType": "document",
    "objectId": "document-A",
    "relation": "editor",
    "subject": {
      "objectType": "user",
      "objectId": "john"
    }
  },
  {
    "objectType": "document",
    "objectId": "document-B",
    "relation": "editor",
    "subject": {
      "objectType": "user",
      "objectId": "john"
    }
  }
]

Objects, Metadata, and Automatic Object Creation

Objects API & Metadata

The v1 API supports use-case specific endpoints dedicated to managing authorization-specific resources like pricing tiers, feature flags, roles & permissions, and so much more. While this approach is great for developer experience, we've now heard so many unique use cases from developers that don't quite fit into what we natively support, so we decided to generalize the concept into what we call Objects.

Objects can represent anything from authorization-specific data (roles, permissions, pricing tiers, feature flags, etc.) to application-specific resources like organizations, users, and more. The v2 API supports a complete set of endpoints for managing objects.

Objects can also be augmented with arbitrary metadata. Metadata is especially useful for storing authorization-specific data about a particular resource that developers don't want to store in their application's datastore (e.g. a flag indicating if a user has verified their email or not).

Feature Object with Metadata
{
  "objectType": "feature",
  "objectId": "advanced_search",
  "meta": {
    "name": "Advanced Search",
    "description": "Allows the user to perform fuzzy searches and apply up to 5 filters to a standard search.",
    "maxFilters": 5
  }
}

Automatic Object Creation

The most frequent gripe we heard from developers building application authorization with Warrant was that it's too complicated to manage application-specific objects (e.g. tenants, users, documents, etc.) separately in Warrant when those objects already exist in their application's primary datastore.

To make it dead-simple for developers to integrate with Warrant, we eliminated the need to manually create and manage objects altogether! Developers now only need to deal with creating and managing object types and warrants (i.e. authz-specific data). Objects referenced by newly created warrants (e.g. document:expense-report-aug-2023) will automatically be created by Warrant in the background. These automatically created objects act like file descriptors and can be deleted to delete all warrants associated with that object in a single operation.
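The all-or-nothing batch semantics from the Batch Warrant Operations section and the automatic object creation and delete-by-object behaviour described above, modelled together as an added example (a local SQLite sketch, not Warrant's implementation). The schema, the function names, and the choice to treat a warrant as "associated" with an object when it names it as either object or subject are assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE object (type TEXT, id TEXT, PRIMARY KEY (type, id));
CREATE TABLE warrant (
  object_type TEXT NOT NULL, object_id TEXT NOT NULL, relation TEXT NOT NULL,
  subject_type TEXT NOT NULL, subject_id TEXT NOT NULL,
  UNIQUE (object_type, object_id, relation, subject_type, subject_id));
"""


def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def create_warrants(db, warrants):
    """Apply the whole batch in one transaction: all rows commit or none do."""
    try:
        with db:  # commits on success, rolls back if any statement raises
            for w in warrants:
                s = w["subject"]
                # Auto-create the objects a warrant references (both sides).
                for t, i in ((w["objectType"], w["objectId"]),
                             (s["objectType"], s["objectId"])):
                    db.execute("INSERT OR IGNORE INTO object VALUES (?, ?)", (t, i))
                db.execute("INSERT INTO warrant VALUES (?, ?, ?, ?, ?)",
                           (w["objectType"], w["objectId"], w.get("relation"),
                            s["objectType"], s["objectId"]))
        return True
    except sqlite3.IntegrityError:
        return False  # invalid or duplicate entry: nothing from the batch persists


def delete_object(db, obj_type, obj_id):
    """Delete an object and every warrant naming it; returns warrants removed."""
    with db:
        removed = db.execute(
            "DELETE FROM warrant WHERE (object_type=? AND object_id=?)"
            " OR (subject_type=? AND subject_id=?)",
            (obj_type, obj_id, obj_type, obj_id)).rowcount
        db.execute("DELETE FROM object WHERE type=? AND id=?", (obj_type, obj_id))
    return removed


def counts(db):
    """Return (warrant rows, object rows)."""
    return tuple(db.execute(q).fetchone()[0] for q in
                 ("SELECT COUNT(*) FROM warrant", "SELECT COUNT(*) FROM object"))
```

The property worth testing in any integration is the failure path: a batch with one bad entry must leave no partial grants behind, and removing a user object must leave no warrants that still name that user.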


That's a wrap for day 1! We hope you're excited by the new features we announced today and look forward to sharing a whole new batch of announcements with you tomorrow! Join us back here tomorrow for day 2, and be sure to join us on Slack to talk shop, give us your feedback, or tell us what you'd like us to work on next!