SYS:SPEC // Integration reference

InferaDB integration specification

A condensed, machine-readable specification of every surface an integrator (or agent) needs to consume InferaDB. APIs, schemas, authentication, deployment, configuration. Stable anchors throughout. For the canonical narrative, see /why; for facts, see /facts; for full docs, see /docs.

APIs

Engine REST API (port 8080)

  • POST /v1/evaluate — check whether a subject has a permission on a resource
  • POST /v1/relationships:write — write relationship tuples (transactional)
  • POST /v1/relationships:list — query relationship tuples
  • POST /v1/resources/list — list resources accessible to a subject
  • POST /v1/subjects/list — list subjects with access to a resource
  • POST /v1/simulate — evaluate against a hypothetical schema or relationship set
  • POST /v1/expand — expand a permission into its computed-userset tree
  • POST /v1/watch — server-sent-events stream of permission-change events
  • GET /health/live, GET /health/ready, GET /health/startup — health probes (no auth)
  • GET /metrics — Prometheus metrics

AuthZEN API (port 8080, /access/v1/)

  • POST /access/v1/evaluation — single permission evaluation (OpenID Foundation AuthZEN spec)
  • POST /access/v1/evaluations — batch evaluation, up to 100 per call
  • POST /access/v1/search/resource — list-resources equivalent
  • POST /access/v1/search/subject — list-subjects equivalent
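Worked example, added here and not taken from the project's SDK or from this page: a Go client for the two AuthZEN evaluation endpoints listed above. The request and response shapes (subject and resource as type plus id, action as name, a top-level "evaluations" array whose entries inherit the top-level subject and action, one "decision" boolean per entry) follow the OpenID AuthZEN Authorization API; the 100-per-call limit is the one stated above, so the batch helper chunks larger inputs and returns decisions in input order. The base URL, the bearer Authorization header and the action name "view" are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// Entity is an AuthZEN subject or resource; Action is an AuthZEN action.
type Entity struct{ Type string `json:"type"`; ID string `json:"id"` }
type Action struct{ Name string `json:"name"` }

// batchRequest is the /access/v1/evaluations body: the top-level subject and action
// are defaults applied to every entry of "evaluations"; decisions come back in order.
type batchRequest struct {
	Subject     Entity              `json:"subject"`
	Action      Action              `json:"action"`
	Evaluations []map[string]Entity `json:"evaluations"`
}
type decision struct{ Decision bool `json:"decision"` }
type batchResponse struct{ Evaluations []decision `json:"evaluations"` }

// MaxBatch is the per-call limit stated for /access/v1/evaluations.
const MaxBatch = 100

// Client is a minimal AuthZEN client for the Engine; bearer-token auth is assumed.
type Client struct{ BaseURL, Token string; HTTP *http.Client }

func NewClient(baseURL, token string) *Client {
	return &Client{BaseURL: baseURL, Token: token, HTTP: &http.Client{Timeout: 5 * time.Second}}
}

// Evaluate asks whether subject may perform action on resource. Any transport or
// server error comes back together with a false decision, so callers fail closed.
func (c *Client) Evaluate(subject Entity, action Action, resource Entity) (bool, error) {
	body := map[string]interface{}{"subject": subject, "action": action, "resource": resource}
	var out decision
	if err := c.post("/access/v1/evaluation", body, &out); err != nil {
		return false, err
	}
	return out.Decision, nil
}

// EvaluateBatch checks one subject and action against many resources, splitting the
// work into chunks of at most MaxBatch and returning decisions in input order.
func (c *Client) EvaluateBatch(subject Entity, action Action, resources []Entity) ([]bool, error) {
	results := make([]bool, 0, len(resources))
	for start := 0; start < len(resources); start += MaxBatch {
		end := start + MaxBatch
		if end > len(resources) {
			end = len(resources)
		}
		req := batchRequest{Subject: subject, Action: action}
		for _, r := range resources[start:end] {
			req.Evaluations = append(req.Evaluations, map[string]Entity{"resource": r})
		}
		var out batchResponse
		if err := c.post("/access/v1/evaluations", req, &out); err != nil {
			return nil, err
		}
		if len(out.Evaluations) != end-start { // a short reply would misalign every later decision
			return nil, fmt.Errorf("authzen: sent %d evaluations, got %d decisions", end-start, len(out.Evaluations))
		}
		for _, d := range out.Evaluations {
			results = append(results, d.Decision)
		}
	}
	return results, nil
}

func (c *Client) post(path string, in, out interface{}) error {
	buf, _ := json.Marshal(in) // only fixed structs and maps of them are marshalled here
	req, err := http.NewRequest(http.MethodPost, c.BaseURL+path, bytes.NewReader(buf))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("authzen: %s returned %s", path, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

func main() {
	c := NewClient("http://localhost:8080", "<token>") // placeholder token; Engine port from this page
	allowed, err := c.Evaluate(Entity{Type: "user", ID: "alice"}, Action{Name: "view"}, Entity{Type: "document", ID: "42"})
	fmt.Println(allowed, err)
}
```

A transport failure or a non-200 status is returned as an error alongside a false decision rather than swallowed, so a caller that only reads the boolean still fails closed; the length check matters because a reply that silently dropped an entry would shift every decision after it onto the wrong resource.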

Engine gRPC API (port 8081)

Service: AuthorizationService. Methods:

  • Evaluate
  • Expand
  • WriteRelationships
  • ListResources
  • ListSubjects
  • Watch
  • Simulate

Control REST API (port 9090)

Authentication endpoints:

  • POST /v1/auth/register
  • POST /v1/auth/login/password
  • POST /v1/auth/logout
  • POST /v1/auth/verify-email
  • POST /v1/auth/cli/authorize — PKCE flow
  • POST /v1/auth/cli/token

CRUD:

  • /v1/organizations
  • /v1/organizations/{org}/vaults
  • /v1/organizations/{org}/clients
  • /v1/organizations/{org}/teams

Token issuance:

  • POST /v1/organizations/{org}/vaults/{vault}/tokens
  • POST /v1/tokens/refresh
  • POST /v1/token — client assertion (RFC 7523)

Ledger gRPC API (port 50051)

Services: ReadService, WriteService, AdminService, OrganizationService, VaultService, UserService, TokenService, EventsService, HealthService, RaftService.

Authentication

  • JWT — Ed25519, RFC 7523 client assertion. JWKS endpoint on Control.
  • OAuth 2.0 — Standard authorization code flow with PKCE for CLI; client credentials for service-to-service.
  • WebAuthn — Passkey support for user authentication on the Dashboard.
  • mTLS — Certificate-based authentication for service-to-service traffic.
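Worked example, added here and not the project's code, of the RFC 7523 client assertion that the Control API accepts at POST /v1/token, shown from both sides: the client builds an Ed25519-signed (EdDSA) JWT and the form body, and the token endpoint verifies it. Only the Go standard library is used. The token-endpoint URL, the client ID, the key ID and grant_type=client_credentials are assumptions; the project's exact claim requirements and key registration are documented under /docs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// AssertionType is the fixed client_assertion_type value from RFC 7523 section 2.2.
const AssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

// Claims are the RFC 7523 client-assertion claims: iss and sub are the client ID,
// aud is the token endpoint, exp bounds replay and jti makes each assertion unique.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url (RFC 7515)

func segment(v interface{}) string {
	b, _ := json.Marshal(v) // only fixed structs and string maps are marshalled here
	return b64.EncodeToString(b)
}

// NewClientAssertion signs an EdDSA (Ed25519, RFC 8037) JWT that authenticates clientID
// to the token endpoint aud. Keep ttl short: the assertion is itself a bearer credential.
func NewClientAssertion(priv ed25519.PrivateKey, kid, clientID, aud string, now time.Time, ttl time.Duration) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header := segment(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	payload := segment(Claims{Iss: clientID, Sub: clientID, Aud: aud, Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Jti: b64.EncodeToString(jti)})
	signingInput := header + "." + payload
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput))), nil
}

// TokenRequestForm is the form body POSTed to the token endpoint;
// grant_type=client_credentials is assumed for the service-to-service case.
func TokenRequestForm(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_assertion_type", AssertionType)
	v.Set("client_assertion", assertion)
	return v.Encode()
}

// VerifyClientAssertion is the check the token endpoint must make: pin the algorithm,
// verify the signature over header.payload, then enforce aud, exp and iss == sub.
// In production pub is looked up by kid among the keys registered for the client.
func VerifyClientAssertion(pub ed25519.PublicKey, token, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(rawHeader, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unexpected or missing alg") // no algorithm negotiation
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature verification failed")
	}
	rawClaims, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(rawClaims, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	switch {
	case c.Aud != expectedAud:
		return nil, fmt.Errorf("aud %q is not this token endpoint", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("assertion expired")
	case c.Iss == "" || c.Iss != c.Sub:
		return nil, errors.New("iss and sub must both be the client ID")
	}
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	aud := "https://control.example.com/v1/token" // assumed Control token endpoint
	tok, _ := NewClientAssertion(priv, "key-1", "client_123", aud, time.Now(), 2*time.Minute)
	fmt.Println(TokenRequestForm(tok))
	claims, err := VerifyClientAssertion(pub, tok, aud, time.Now())
	fmt.Println(claims, err)
}
```

Verification pins alg to EdDSA before touching the signature, so a header claiming none or an HMAC algorithm is rejected without reaching any key material; exp is enforced with no skew allowance. A real token endpoint additionally resolves the key by kid from the client's registered keys (or its JWKS) and remembers recent jti values so an intercepted assertion cannot be replayed within its lifetime.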

Schema (IPL)

  • File — schema.ipl, plain text, version-controlled in your repo.
  • Top-level constructs — type, relation, forbid, permission.
  • Expression operators — | (union/OR), & (intersection/AND), - (exclusion/AND-NOT), from (tuple-to-userset traversal), -> (related-object dereference), module("name") (WASM call).
  • Wildcards — user:* for public-resource semantics.
  • Evaluation order — forbid rules first (deny-overrides). Permits second. Union short-circuits on first Allow. Intersection short-circuits on first Deny.
  • Schema validation — Three-pass validation: syntax, type-checking, reference resolution. Run inferadb schemas validate schema.ipl to validate from the CLI.
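Worked example, added here and constructed for illustration rather than taken from the project's evaluator, that makes the evaluation order above executable: forbid rules are checked before any permit, a union stops at the first Allow, an intersection at the first Deny, exclusion is permit-and-not-deny, from follows a relation to another object and re-enters evaluation there, and a user:* tuple matches every user. The schema, the tuples and the IPL fragment in the comment are constructed; the IPL syntax in that comment is only a sketch, not the project's grammar.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is one relationship: Subject holds Relation on Object, e.g. {"document:1", "viewer", "user:alice"}.
type Tuple struct{ Object, Relation, Subject string }

// Expr is a permission expression; the concrete types mirror the IPL operators.
type Expr interface{ eval(e *Eval, object, subject string) bool }
type Rel string                                // bare relation name: direct tuple lookup
type Junction struct{ All bool; Parts []Expr } // All=false is "|" (union), All=true is "&" (intersection)
type Exclusion struct{ Base, Minus Expr }      // a - b
type From struct{ Perm, Via string }           // perm from via (tuple-to-userset traversal)

func Union(p ...Expr) Expr        { return Junction{false, p} }
func Intersection(p ...Expr) Expr { return Junction{true, p} }

// Permission is a permit expression guarded by zero or more forbid rules;
// Schema maps object type -> permission name -> definition.
type Permission struct{ Forbid []Expr; Permit Expr }
type Schema map[string]map[string]Permission

// Eval holds the schema and tuples and records every tuple lookup in Trace,
// which makes deny-overrides and short-circuiting observable.
type Eval struct{ Schema Schema; Tuples []Tuple; Trace []string }

// has reports a direct tuple; a wildcard subject such as "user:*" matches every
// subject of that type (public-resource semantics).
func (e *Eval) has(object, relation, subject string) bool {
	wild := subject[:strings.Index(subject, ":")+1] + "*"
	for _, t := range e.Tuples {
		if t.Object == object && t.Relation == relation && (t.Subject == subject || t.Subject == wild) {
			return true
		}
	}
	return false
}

func (r Rel) eval(e *Eval, object, subject string) bool {
	ok := e.has(object, string(r), subject)
	e.Trace = append(e.Trace, fmt.Sprintf("%s#%s@%s=%t", object, r, subject, ok))
	return ok
}

// Union stops at the first Allow and intersection at the first Deny: the loop
// exits as soon as a part's result differs from the junction's identity value.
func (j Junction) eval(e *Eval, object, subject string) bool {
	for _, x := range j.Parts {
		if x.eval(e, object, subject) != j.All {
			return !j.All
		}
	}
	return j.All
}

func (x Exclusion) eval(e *Eval, object, subject string) bool {
	return x.Base.eval(e, object, subject) && !x.Minus.eval(e, object, subject)
}

// From follows every Via tuple from object and checks Perm on the related object.
func (f From) eval(e *Eval, object, subject string) bool {
	for _, t := range e.Tuples {
		if t.Object == object && t.Relation == f.Via && e.Check(t.Subject, f.Perm, subject) {
			return true
		}
	}
	return false
}

// Check runs the forbid rules first (any match denies outright), then the permit expression.
func (e *Eval) Check(object, perm, subject string) bool {
	p, ok := e.Schema[strings.SplitN(object, ":", 2)[0]][perm]
	if !ok {
		return false // unknown type or permission: deny
	}
	for _, f := range p.Forbid {
		if f.eval(e, object, subject) {
			return false
		}
	}
	return p.Permit.eval(e, object, subject)
}

// NewEval builds a constructed schema and tuple set. Sketch of the IPL it stands for:
//   type folder   { relation viewer: user; permission view = viewer }
//   type document { forbid banned; permission view = viewer | owner | view from parent }
func NewEval() *Eval {
	return &Eval{
		Schema: Schema{
			"folder":   {"view": {Permit: Rel("viewer")}},
			"document": {"view": {Forbid: []Expr{Rel("banned")}, Permit: Union(Rel("viewer"), Rel("owner"), From{"view", "parent"})}},
		},
		Tuples: []Tuple{
			{"document:1", "viewer", "user:alice"}, {"document:1", "owner", "user:bob"},
			{"document:1", "banned", "user:bob"}, {"document:1", "parent", "folder:f"},
			{"folder:f", "viewer", "user:carol"}, {"document:2", "viewer", "user:*"},
		},
	}
}

func main() {
	e := NewEval()
	fmt.Println(e.Check("document:1", "view", "user:bob"), e.Trace) // false [document:1#banned@user:bob=true]
}
```

Trace shows which lookups actually ran: the banned owner is denied after a single lookup because the forbid rule fires before the permit expression is ever consulted, and a direct viewer is allowed after two (banned, then viewer) with owner and parent never touched. Carol, who is only a viewer of the parent folder, is allowed by the from branch re-entering Check on folder:f.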

SDKs

“Planned” indicates committed roadmap; check /docs/ for current shipping state.

  • Rust (shipping) — crates.io, Client::builder(), vault.check(), vault.require(), vault.check_batch(), MockClient, InMemoryClient, TestVault
  • TypeScript (planned) — @inferadb/sdk, Express and Next.js middleware
  • Go (planned) — github.com/inferadb/go, net/http middleware, gRPC interceptor
  • Python (planned) — inferadb, async/sync, FastAPI dependency, Django decorator
  • Java (planned) — com.inferadb:inferadb-sdk, Spring Boot @RequirePermission
  • .NET (planned) — InferaDB.Sdk, ASP.NET Core authorization policies
  • PHP (planned) — inferadb/inferadb-php, Laravel middleware, Symfony Voter
  • Ruby (planned) — inferadb gem, Rails controller concern
  • Elixir (planned) — Phoenix Plug, LiveView
  • C/C++ (planned) — libinferadb, C11 ABI + C++20 RAII wrapper

Deployment

  • Local development — inferadb dev start runs Engine on :8080, Control on :9090, Dashboard on :3000.
  • Docker images — inferadb/inferadb-engine, inferadb/inferadb-control, inferadb/inferadb-ledger.
  • Kubernetes — Helm charts. Reference deployment uses Talos Linux + Cilium CNI + Flux CD + Terraform.
  • Terraform provider — inferadb/inferadb manages organizations, vaults, clients, certificates, teams, grants.

Configuration

  • Environment variables — Prefix INFERADB__ENGINE__, INFERADB__CONTROL__, INFERADB__LEDGER__, with double-underscore separator for nested keys.
  • YAML configuration — Pass with --config /path/to/config.yaml.
  • Dry-run validation — inferadb --validate exits non-zero on configuration errors without starting the server.

Observability

  • Metrics — Prometheus exposition at GET /metrics on each service. Standard authorization metrics: check rate, latency histogram, deny rate, audit-write latency.
  • Tracing — OpenTelemetry OTLP. Each evaluation produces a trace span carrying the resolution path.
  • Logging — Structured JSON to stdout. Configure verbosity via RUST_LOG.

Standards compliance

  • AuthZEN — OpenID Foundation access-evaluation API specification
  • OAuth 2.0 — RFC 6749, plus PKCE (RFC 7636) for CLI
  • JWT client assertion — RFC 7523
  • WebAuthn — W3C standard for passkey authentication
  • OpenTelemetry OTLP — for distributed tracing
  • Prometheus exposition format — for metrics
  • RFC 9116 — security disclosure (see /.well-known/security.txt)