Quick Start
Run InferaDB locally and make your first authorization check.
Prerequisites
You need Docker installed to follow this guide. InferaDB requires no other dependencies.
Prerequisites
- Docker installed and running
- inferadb CLI (install via
cargo install inferadb-cli)
Install the CLI
curl -fsSL https://inferadb.com/install | shdocker pull inferadb/inferadb:latestcargo install inferadb-cli1. Start InferaDB Locally
inferadb dev start
This starts a complete local stack (Engine, Control, Ledger, Dashboard) via Docker:
| Service | Port |
|---|---|
| Engine (REST) | localhost:8080 |
| Engine (gRPC) | localhost:8081 |
| Control | localhost:9090 |
| Dashboard | localhost:3000 |
Or run the Engine standalone with in-memory storage:
docker run -p 8080:8080 -p 8081:8081 inferadb/inferadb-engine:latest
2. Define a Schema
Create schema.ipl with your authorization model:
type user {}
type team {
relation member
}
type document {
relation viewer
relation editor
relation owner
relation can_view = viewer | editor | owner
relation can_edit = editor | owner
}
Push it:
inferadb schemas push schema.ipl
3. Write Relationships
Add relationship tuples:
inferadb relationships add user:alice editor document:readme
inferadb relationships add user:bob viewer document:readme
4. Check Permissions
# Alice can edit (she's an editor)
inferadb check document:readme can_edit user:alice
# ✓ ALLOWED 2.1ms · revision r_1
# Bob cannot edit (he's only a viewer)
inferadb check document:readme can_edit user:bob
# ✗ DENIED 1.8ms · revision r_1
# Bob can view (viewers have can_view)
inferadb check document:readme can_view user:bob
# ✓ ALLOWED 1.9ms · revision r_1
Exit codes: 0 = allowed, 20 = denied, 21 = indeterminate.
5. Simulate Changes
Test hypothetical changes without persisting them:
inferadb simulate \
--add "user:charlie viewer document:readme" \
--check "document:readme can_view user:charlie"
# ✓ ALLOWED (simulated)
6. Use the REST API
# AuthZEN evaluation endpoint
curl -X POST http://localhost:8080/access/v1/evaluation \
-H "Content-Type: application/json" \
-d '{
"subject": {"type": "user", "id": "alice"},
"action": {"name": "can_edit"},
"resource": {"type": "document", "id": "readme"}
}'
Response:
{
"decision": true
}
Note:
inferadb dev startruns without authentication. For production, include anAuthorization: Bearer <token>header. See Authentication.
7. Integrate with Your Application
For production, use an SDK. The same permission check:
from inferadb import InferaDB
client = InferaDB(
url="http://localhost:8080",
api_key="dev",
)
vault = client.organization("default").vault("default")
allowed = await vault.check("user:alice", "can_edit", "document:readme")
print(allowed) # True
import { InferaDB } from "@inferadb/sdk";
const client = new InferaDB({
url: "http://localhost:8080",
apiKey: "dev",
});
const vault = client.organization("default").vault("default");
const allowed = await vault.check(
"user:alice",
"can_edit",
"document:readme"
);
console.log(allowed); // true
import com.inferadb.InferaDB;
var client = InferaDB.builder()
.url("http://localhost:8080")
.apiKey("dev")
.build();
var vault = client.organization("default").vault("default");
boolean allowed = vault.check("user:alice", "can_edit", "document:readme");
System.out.println(allowed); // true
using InferaDB;
var client = new InferaDBClient(new InferaDBOptions
{
Url = "http://localhost:8080",
ApiKey = "dev",
});
var vault = client.Organization("default").Vault("default");
var allowed = await vault.CheckAsync("user:alice", "can_edit", "document:readme");
Console.WriteLine(allowed); // True
client, _ := inferadb.NewClient(
inferadb.WithURL("http://localhost:8080"),
inferadb.WithAPIKey("dev"),
)
defer client.Close()
vault := client.Organization("default").Vault("default")
allowed, _ := vault.Check(ctx, "user:alice", "can_edit", "document:readme")
fmt.Println(allowed) // true
use inferadb::Client;
let client = Client::builder()
.url("http://localhost:8080")
.api_key("dev")
.build()
.await?;
let vault = client.organization("default").vault("default");
let allowed = vault
.check("user:alice", "can_edit", "document:readme")
.await?;
assert!(allowed);
use InferaDB\InferaDB;
$client = InferaDB::builder()
->url('http://localhost:8080')
->apiKey('dev')
->build();
$vault = $client->organization('default')->vault('default');
$allowed = $vault->check('user:alice', 'can_edit', 'document:readme');
var_dump($allowed); // bool(true)
require "inferadb"
client = InferaDB::Client.new(
url: "http://localhost:8080",
api_key: "dev"
)
vault = client.organization("default").vault("default")
allowed = vault.check("user:alice", "can_edit", "document:readme")
puts allowed # true
#include <inferadb.hpp>
auto client = inferadb::Client::builder()
.url("http://localhost:8080")
.api_key("dev")
.build();
auto vault = client.organization("default").vault("default");
bool allowed = vault.check("user:alice", "can_edit", "document:readme");
std::cout << std::boolalpha << allowed << std::endl; // true
client = InferaDB.client(
url: "http://localhost:8080",
api_key: "dev"
)
vault = InferaDB.organization(client, "default") |> InferaDB.vault("default")
{:ok, allowed} = InferaDB.check(vault, "user:alice", "can_edit", "document:readme")
IO.inspect(allowed) # true
See the Python SDK docs for authentication, error handling, and framework integrations.