Table of Contents
Modern applications deal with increasingly complicated authorization needs. Users collaborate across huge numbers of documents. Teams share resources through deep, nested structures. AI systems pull in data at a massive scale. And behind every one of these interactions is the same essential question:
“Who can access what?”
Answering that question quickly has become increasingly difficult. As collaboration grows and hierarchies get more complex, authorization workloads multiply. Even with a solid Relationship-Based Access Control (ReBAC) or Fine-Grained Authorization (FGA) model in place, real-world applications can feel the strain.
Relational authorization already solves the modeling problem by letting developers express real relationships between users, groups, and resources. But hosted FGA services still face an unavoidable challenge: network latency. Every check requires a round trip to an external service, and those trips stack up fast in high-traffic applications.
That’s where FGA Cache comes in.
Instead of introducing a new authorization approach, we’ve taken all of Descope’s existing ReBAC and FGA capabilities and added a way for you to locally cache your authorization graph. That means you keep your central model in Descope, but evaluate permissions at high speed — often in sub-millisecond time — right where your application runs.
Same model. Same relationships. Just dramatically better performance.
Why RBAC breaks down
Applications have grown far beyond what traditional role-based access control can comfortably handle. RBAC works fine when permissions are simple, but it starts to fall apart once real-world complexity shows up. Modern systems routinely deal with:
Millions of documents or assets
Deep folder and project hierarchies
Complex sharing and inheritance patterns
Multi-tenant organizations with varied access rules
AI agents that perform bulk lookups
As this complexity increases, teams often try to stretch RBAC by layering on more roles, special cases, and ad-hoc rules. Before long, authorization logic is scattered across services, difficult to reason about, and prone to inconsistent behavior.
The strength of relational authorization (FGA / ReBAC)
Relational authorization fixes these issues by modeling the relationships between users, groups, and resources directly. Instead of forcing everything into static roles, you can express real access patterns in clean, simple terms. For example:
“A user can edit a document if they are an editor on that document, or if they inherit edit permissions from its parent folder, or if they belong to a team that has edit rights.”
This approach scales naturally as systems grow without role explosion, tangled logic, or guesswork.
Where things get hard: runtime performance
Even though FGA / ReBAC provides a clean and expressive model, runtime evaluation becomes the bottleneck. A hosted authorization check may take 100–200 ms once network latency is factored in. Multiply that across dozens of checks per page load — or hundreds in an AI workflow — and the slowdown becomes obvious:
Documents open more slowly
Resource lists take longer to render
AI pipelines lose real-time responsiveness
To make relational authorization practical in performance-sensitive systems, evaluations need to run locally, not across the network.
FGA Cache: Local evaluation with centralized modeling
FGA Cache brings Descope’s relational authorization engine directly into your environment. You continue defining Types, Relations, and Permissions inside Descope, but your application performs all authorization checks against a local FGA Cache instance. This eliminates network calls and yields consistent, sub-millisecond response times.
Step 1: Model authorization in Descope
You define three pillars of your authorization logic:
Types, such as document, folder, user, team, or project
Relations, such as parent folder relationships, group membership, ownership, or team affiliation
Permissions, which describe what users can do based on those relationships
This creates a rich, expressive model of how access works in your application.
Step 2. Deploy the FGA Cache container
Run the Docker container anywhere you operate: Kubernetes, ECS, private cloud, on-prem hardware, or internal dev clusters. The service is lightweight and simple to install.
Step 3. Descope synchronizes your graph
Descope FGA Cache keeps an optimized local copy of your schema and relationships. The FGA Cache will also continuously get updates from Descope in the background without blocking evaluations.
Step 4. Your application performs checks locally
Now every permission check happens against your local cache, such as:
Can this user edit this document?
Who can access this folder?
Which resources should appear in this list view?
Typical performance ranges from 0.3 to 0.7 milliseconds per check. This is up to one hundred times faster than remote evaluation.
No network latency, shared infrastructure, throughput contention, or unpredictable spikes. Just fast, consistent authorization.
Also Read: Adding Performant ReBAC to RAG Pipelines at Scale
FGA Cache use cases
FGA Cache is designed for teams whose authorization workloads must be both expressive and extremely fast.
High-volume authorization workloads: Document collaboration tools, real-time dashboards, and AI systems often issue thousands of checks per second. Local evaluation removes the network bottleneck entirely.
Large and dynamic resource sets: Platforms with deep hierarchies or thousands of shared objects benefit from having graph traversal happen locally.
Enterprise performance requirements: Organizations with strict SLAs or regulated environments can run authorization within their own infrastructure for predictable performance.
Here are some common use cases:
High scale document and file platforms
A digital workspace platform manages millions of documents across thousands of tenants. Users open, edit, comment, and share files constantly. Each interaction triggers authorization checks (viewer, commenter, editor, owner, group membership, inheritance, etc). Network-bound FGA evaluation introduces noticeable latency.
How FGA Cache helps: By deploying FGA Cache inside the backend cluster, the platform keeps an up to date local copy of all relationships from Descope and evaluates every permission check on its own infrastructure. This removes network calls and shared service contention, resulting in consistently fast authorization and a smooth real time user experience even during peak activity.
Complex multi-tenant SaaS products
A B2B platform supports enterprises with complex folder structures, teams, departments, and nested access rules. Every navigation event triggers permission checks across a large graph of resources.
How FGA Cache helps: With FGA Cache running inside the company’s own cluster, every authorization check is evaluated locally, giving tenants consistent sub millisecond performance and ensuring that even large, deeply nested hierarchies remain fast and responsive.
AI applications that perform bulk lookups
When an AI agent retrieves user approved data, it may issue hundreds of FGA checks in a single inference. FGA Cache ensures each lookup runs at machine speed without adding latency to AI workflows.
How FGA Cache helps: With FGA Cache running locally, bulk authorization lookups execute at machine speed with no added network latency, allowing AI workflows to maintain fast inference while reliably enforcing access guardrails at high volume.
Conclusion
FGA Cache brings high-performance relational authorization to applications with complex resource graphs, deep hierarchies, or heavy access-check workloads. You get the full modeling power of Descope FGA, paired with the speed of a local evaluation engine.
Define your relationship model centrally in Descope.
Run permission checks locally, in sub-milliseconds.
Scale your product without adding latency to every request.
With FGA Cache, you can modernize your authorization approach without sacrificing performance or re-architecting your application. Learn more in our documentation.
If you are ready to try it out, sign up for a Free Forever account or book a demo with our team to see how easy it is to implement high-performance ReBAC into your app.
