I have been looking through the good OPAL docs and examples to get an overview of OPAL's features 👍 • Is it correct that for using OPAL scopes, the OPAL server needs to have access to a Redis and cannot use a Postgres instead? • I would like the OPAL client to get policies from multiple Git repositories and provide them to the internal OPA. Is it correct that this is not possible? ◦ I found that a scope can only be associated with a single Git repo, and an OPAL client can only request a single scope.

Hi team, is there a metrics endpoint for server and clients?

Hi there! We are integrating OPAL to our application. In our setup, opa and opal-client run in separate deployments (inline OPA is disabled). When opa restarts during a rolling update, it comes up empty, and opal-client doesn’t immediately backfill all data. I tried persistent storage, but I can’t share the PVC between two OPA pods during rollout. What’s the recommended way to ensure the new opa is pre-warmed with current policies and data before it starts serving traffic? Does opal-client support a “full sync on startup/reconnect” mode, or is there another best practice for zero-downtime rollouts in this topology?

#C01RUUYV3TP I am looking for passing OPAL_INLINE_OPA_cONFIG to get the OPA configured for decision logs to an http endpoint and I don’t see a reference how to use this. Could you please guide me ?

Hi. Does OPAL sync relationship tuples to the local PDP? If so, is it done by default or needs configuration?

Can opal read data from redis.

Is there an architectural recommendation to deploy Opal server in AWS EKS and Opal client as sidecar in another EKS cluster

Can in opal client read from a data source set with a timeout

Hello, I have deployed the helm chart but I can't find a way to use a serviceAccount to pull a private git policies repo nor using a volume with an existing repo. I don't want a harcoded token value in my yaml file and if possible i really want to avoid setting up a ssh key. Any workaround ?

Hi all. Sorry if this is really stupid question and I should "RTFM", but I'm under pressure and pulling my hair out between ChatGPT, online docs etc. The scenario is really simple. I need to make a policy decision based on updated user data in Entra ID, we're talking about 10s maybe 100s of thousands of users. I want to dynamically pull data using a fetcher and make sure that it is avaible in the data store before the OPA executes. ChatGPT led me to believe this was possible (see diagram), but online opal docs dont seem to support this. Am I completely on the wrong track? It is fundamental that the data recovered from Entra ID relates to the user represented by the JWT, no for all the users.

image.png

JWT validation using JWKs endpoint: There's a pattern published here using http.send and a cache (plus key rotation detection). However, in general, http.send "is not recommended for production", is this the exception that breaks the rule? Is there something "bad" about http.send that I should know about? Thanks!

As EOPA got opensourced is there any plan to support eopa from opal?

Opal server keeps restarting with sigterm error. Websockets get disconnected frequently. Any insights to debug?

Hi, I am testing ABAC policies locally to change some conditions in ABAC rules. My local PDP needs about 5 minutes to update the changed conditions... Is it possible to force an immediate update? Interestingly, when I change any state in the policy editor, it is updated immediately. PDP LOGS

2025-10-15T09:25:08.891982+0000 | opal_client.policy.updater              | INFO  | Received policy update: topic=d7c2f5d674f54f82a21b401cf5190d32:policy:., message={'old_policy_hash': '9ed9fb1d2c4defae9d020e36f3c8510aa2930464', 'new_policy_hash': '7a919fe931c2403e183b134187a28abd8a8878d4', 'changed_directories': ['.', 'permit', 'permit/generated', 'permit/generated/conditionset']}
2025-10-15T09:25:08.892246+0000 | opal_client.policy.updater              | INFO  | Refetching policy code (delta bundle), base hash: '9ed9fb1d2c4defae9d020e36f3c8510aa2930464'
2025-10-15T09:25:08.892655+0000 | opal_client.policy.fetcher              | INFO  | Fetching policy bundle from <https://opal-v2.permit.io/scopes/d7c2f5d674f54f82a21b401cf5190d32/policy>
2025-10-15T09:25:10.461838+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 127.0.0.1:37394 - "GET /healthy HTTP/1.1" 200
2025-10-15T09:25:11.840135+0000 | opal_client.policy.fetcher              | INFO  | Fetched valid bundle, id: 7a919fe931c2403e183b134187a28abd8a8878d4
2025-10-15T09:25:11.841801+0000 | opal_client.policy.updater              | INFO  | got policy bundle (delta): '9ed9fb1d2c4defae9d020e36f3c8510aa2930464' -> '7a919fe931c2403e183b134187a28abd8a8878d4', manifest: ['permit/generated/conditionset/Large_5fquantity.rego'], deleted: None
2025-10-15T09:25:11.847489+0000 | opal_client.engine.logger               | INFO  | Received request.    PUT /v1/policies/permit/generated/conditionset/Large_5fquantity.rego
2025-10-15T09:25:11.994635+0000 | opal_client.engine.logger               | INFO  | Sent response.       PUT /v1/policies/permit/generated/conditionset/Large_5fquantity.rego -> 200

Any thoughts? Screenshot from activity logs for the condition change (there is my local time so 9:20 utc)

Hello. I'm running a quick proof of concept with OPA + OPAL on a local workstation where I have OPAL configured to fetch data with the

HttpFetchProvider

from an API. Is there a working example of using the

HttpFetchProvider

for a

POST

request that includes a request body? I've tried a number of things, but every time I try to include a request body, it appears the

HttpFetcherProvider

doesn't even attempt to make a call out to the configured endpoint. For example, I have this set in

OPAL_DATA_CONFIG_SOURCES

in the

permitio/opal-server:latest

container I have running locally:

{
  "config": {
    "entries": [
      {
        "url": "<http://myapi:8080/v1/path>",
        "config": {
          "fetcher": "HttpFetchProvider",
          "method": "post",
          "data": {
            "blah": "blah"
          }
        },
        "topics": [
          "blah"
        ],
        "dst_path": "blah"
      }
    ]
  }
}

This results in a

aiohttp.client_exceptions.ClientResponseError: 400, message='Bad Request', url='<http://myapi:8080/v1/path>

in the

permitio/opal-client-standalone:latest

container I have running locally, and with a

ERROR  | Timeout while fetching url: <http://openfga:8080/stores/01K7MTJYKRN6V5TQ1WT8D83QDQ/list-user>

error. The logs from the app running at

<http://myapi:8080>

don't seem to indicate that the request made it to my app. However, if I remove

config.data

from the configuration, the logs from my app do indicate the request was received. My app responds with a

400

in this case because the request body is required, but it at least proves the request has been received. I will admit it is confusing that the OPAL client indicates a

400

was received from the API when

config.data

is included but, my app logs don't indicate the request was received.

Hi there!, i've been experiencing a ton of restarts on my PDP on k8 using the helm chart with the following error, i have confirmed the pod security policy isn't blocking egress.

2025-10-20T18:21:45.449442+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | RPC Connection failed - [Errno -5] Name has no usable address
2025-10-20T18:21:46.391887+0000 | opal_client.policy_store.opa_client     |WARNING | OPA client health: False (policy: False, data: False)
2025-10-20T18:21:46.392485+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 127.0.0.1:45740 - "GET /healthy HTTP/1.1" 503
2025-10-20T18:21:47.785723+0000 | opal_client.policy_store.opa_client     |WARNING | OPA client health: False (policy: False, data: False)
2025-10-20T18:21:47.786254+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 127.0.0.1:45744 - "GET /healthy HTTP/1.1" 503
[2025-10-20T18:21:47Z INFO  pdp_server::api::health::handlers] Health check failed: horizon: Horizon returned status 503 Service Unavailable
2025-10-20T18:21:47.786688+0000 | opal_client.engine.logger               | INFO  | Received request.    GET /health
2025-10-20T18:21:47.787123+0000 | opal_client.engine.logger               | INFO  | Sent response.       GET /health -> 200
2025-10-20T18:21:51.391099+0000 | opal_client.policy_store.opa_client     |WARNING | OPA client health: False (policy: False, data: False)
2025-10-20T18:21:51.391510+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 127.0.0.1:45740 - "GET /healthy HTTP/1.1" 503
2025-10-20T18:21:52.716743+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Trying server - <wss://opal.permit.io/ws>
2025-10-20T18:21:52.736808+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | RPC Connection failed - [Errno -5] Name has no usable address
2025-10-20T18:21:53.071268+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Trying server - <wss://opal.permit.io/ws>
2025-10-20T18:21:53.097005+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | RPC Connection failed - [Errno -5] Name has no usable address
2025-10-20T18:21:54.619022+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Trying server - <wss://opal.permit.io/ws>
2025-10-20T18:21:54.640207+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | RPC Connection failed - [Errno -5] Name has no usable address
2025-10-20T18:21:55.982693+0000 | opal_client.policy_store.opa_client     |WARNING | OPA client health: False (policy: False, data: False)
2025-10-20T18:21:55.983169+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 127.0.0.1:51108 - "GET /healthy HTTP/1.1" 503
[2025-10-20T18:21:55Z INFO  pdp_server::api::health::handlers] Health check failed: horizon: Horizon returned status 503 Service Unavailable

hi all, am i correct that the policy store that's supported out of box is git repository only? i was thinking to use Zanzibar inspired DB as the policy store or data store: https://github.com/permitio/opal/discussions/633#discussioncomment-10241951

Hey 🙂 we are trying to install opal in one of our k8 clusters with the helm charts, but the opal-client doesnt seems to be able to start

Hey @everyone! OPAL v0.9.0 is now live!

hi all, can we configure OPAL to run Cedar agent instead of OPA in Helm Chart values?

Hi, I am trying to play around with OPAL locally and am able to evaluate policies as expected but the result field doesn't return a decision id. I tried adding the following in the opal-client but didn't work. Can you please help troubleshoot what I am missing

- OPAL_INLINE_OPA_CONFIG={"decision_logs":{"console":true},"plugins":{"decision_logs":{"reporting":{"min_delay_seconds":1,"max_delay_seconds":5}}},"default_decision_id_enabled":true,"default_authorization_decision_id_enabled":true}

Hi, I’m currently using the OPAL Alpine-based image and noticed that Trivy reported a vulnerability related to Starlette: CVE-2025-62727 Ref: https://avd.aquasec.com/nvd/2025/cve-2025-62727/ Since the OPAL image bundles Starlette, may I ask if there is a plan to update the Starlette version to address this CVE? Thanks~

hello everybody. when a pod with opa + opal-client as sidecar is booted, this container is extremely slow to get healthy. i figured out it depends on the number of rego-policies it fetches from the repo (currently 480 policies) this is the log: 2025-11-18T155741.165363+0000 | 15 | uvicorn.protocols.http.httptools_impl | INFO | 10.100.32.100:57604 - "GET /healthcheck HTTP/1.1" 503 2025-11-18T155745.382529+0000 | 15 | uvicorn.protocols.http.httptools_impl | INFO | 10.100.32.100:57612 - "GET /ready HTTP/1.1" 503 2025-11-18T155751.164121+0000 | 15 | opal_client.policy_store.opa_client |*WARNING | OPA client health: False (policy: False, data: True)* it takes ~10minutes or even longer how can i solve the issue? is this something known? can I workaround it?

In Opal server with scope configuration can we configure each scope to fetch a policy from an http endpoint.

Hi everyone, I'd like to discuss some authorization challenges we’ve been facing with OPAL External Data Source and get some feedback and experiences from the community. In our setup, every time we call the Triggering Data Updates API, we include a data source token in the payload entries that gets pushed to subscribers. The OPAL Client then uses this token to fetch data. Currently, under secure mode, the OPAL_CLIENT_TOKEN (JWT) is only validated at two points: • When initially establishing the WebSocket connection (handshake) • When reconnecting after a disconnect Once the connection is successfully established, the WebSocket connection continues to receive all topic updates even if the client token has expired. A hypothetical concern is that if an attacker obtains a client token, they could continuously access all the latest triggered data as long as the WebSocket connection remains open. Setting a short expiration for the client token seems ineffective and could cause issues with normal disconnects and reconnects, impacting availability. Similarly, setting a short expiration for the data source token also doesn't help because a new token is sent with every Trigger Data Updates call. I’m curious if the community has any strategic recommendations for managing authorization between OPAL client and server? Or if anyone knows of a way for the client to automatically include its OPAL Client Token during data fetch, so the Data Source could verify the token again on its end. Thanks!

Hello everyone, We've encountered something puzzling during our OPAL Client migration from 0.8.3 to 0.9.0, and I'd really appreciate some clarification. What we did: 1. Updated OPAL Client to 0.9.0 2. Initially enabled compatibility mode (

OPAL_OPA_V0_COMPAT=true

) as recommended 3. Then disabled compatibility mode (

OPAL_OPA_V0_COMPAT=false

) to test breaking changes 4. Expected our policies to fail (since we didn't add

.v1

to package names) What actually happened: Everything continues to work perfectly, even with compatibility mode disabled. Here's our policy structure:

package data.role  # No .v1 suffix - should this fail in strict v1 mode?

import rego.v1

import data.utils.v1.functions.jwt as functions_jwt
import data.utils.v1.roles as roles

default allow := false

allow if {
    functions_jwt.user_has_role(roles.admin)
    input.action == "get-roles"
}

According to the migration guide, without

.v1

suffix and with compatibility mode disabled, this should fail. But it doesn't. My questions: 1. Is

import rego.v1

now sufficient for v1 compatibility, making the package

.v1

suffix optional? 2. Has something changed in OPAL 0.9.0 that we're not aware of? 3. Are we possibly misunderstanding how compatibility mode works? We want to ensure we're not missing something important before rolling this out to other environments. Thanks for any insights!

hi, I have a question about limiting / blocking some credential data to be shown to public in opal. as i known, we could write a

system.rego

file like below to limit the url.

# system.rego
allow if {
    input.method == "POST" 
    input.path == ["v1", "data", "token"]
}

however, this would block the data update for that url. we know that the best benefit would be real-time data update in opal. so would there be any problem to trigger using

curl --request POST '<https://opa.xxx.xxx/data/config>'

. great thanks!

Can OPAL sever scopes work with http endpoints delivering policy bundle?

Which version of opal client supports EOPA