inferadb 0.1.3

InferaDB is a distributed, Google Zanzibar‑inspired authorization engine that replaces ad‑hoc database lookups and scattered logic with a unified, millisecond‑latency source of truth. With this SDK, you define permissions as policy‑as‑code and wire up a type‑safe client in just a few lines.

• Rust‑Native & Async: Fully integrated with the ecosystem (Tokio, Tracing) so you don't have to adapt generic policy engines to your runtime.
• Compile‑Time Safety: Catch permission model mistakes in your build pipeline and tests, preventing surprises in production.
• Standards‑Based & Audit‑Ready: Built on AuthZen with automatic multi‑tenant isolation and cryptographically verifiable audit trails out of the box.

Quick Start

Add the inferadb crate to your Cargo.toml:

[dependencies]
inferadb = "0.1"

Sign up for an account at InferaDB and create a new organization and vault. With these credentials, you can create a new client instance:

use inferadb::prelude::*;

#[tokio::main]
async fn main() -> Result<(), Error> {
    let client = Client::builder()
        .url("https://api.inferadb.com")
        .credentials(ClientCredentialsConfig {
            client_id: "my_service".into(),
            private_key: Ed25519PrivateKey::from_pem_file("private-key.pem")?,
        })
        .build()
        .await?;

    let vault = client.organization("org_...").vault("vlt_...");

    let allowed = vault.check("user:alice", "view", "document:readme").await?;
    println!("Allowed: {allowed}");

    Ok(())
}

Authorization API

let vault = client.organization("org_...").vault("vlt_...");

Permission Checks

let allowed = vault.check("user:alice", "view", "doc:1").await?;

Relationships

vault.relationships()
    .write(Relationship::new("document:readme", "viewer", "user:alice"))
    .await?;

Lookups

let docs = vault.resources()
    .accessible_by("user:alice")
    .with_permission("view")
    .collect()
    .await?;

See the Authorization API Guide for ABAC context, batch checks, explain, simulate, watch, and more.

Management API

let org = client.organization("org_...");

Vaults

let vault = org.vaults()
    .create(CreateVaultRequest::new("production"))
    .await?;

Schemas

vault.schemas().push(r#"
type user {}

type document {
    relation viewer: user
    permission view = viewer
}
"#).await?;

Members & Teams

org.members()
    .invite(InviteMemberRequest::new("alice@example.com", OrgRole::Admin))
    .await?;

org.teams()
    .create(CreateTeamRequest::new("Engineering"))
    .await?;

Audit Logs

let events = org.audit().list().collect().await?;

See the Management API Guide for organizations, API clients, schema versioning, and more.

Local Development

Deploy a local instance of InferaDB, then configure your client to connect to it.

let client = Client::builder()
    .url("http://localhost:8080")
    .insecure()  // Disables TLS verification for local development
    .credentials(BearerCredentialsConfig {
        token: "dev-token".into(),
    })
    .build()
    .await?;

Testing

Use MockClient for unit tests:

use inferadb::testing::{AuthorizationClient, MockClient};

#[tokio::test]
async fn test_authorization() {
    let mock = MockClient::builder()
        .check("user:alice", "view", "document:readme", true)
        .check("user:bob", "delete", "document:readme", false)
        .build();

    assert!(mock
        .check("user:alice", "view", "document:readme")
        .await
        .unwrap());
}

See the Testing Guide for InMemoryClient (full policy evaluation) and integration testing patterns.

Documentation

• API Reference - Full rustdoc documentation

Guides

See docs/README.md for the complete documentation index.

Examples

cargo run -p inferadb-examples --bin basic_check
cargo run -p inferadb-examples --bin batch_operations
cargo run -p inferadb-examples --bin axum_middleware

Contributing

See CONTRIBUTING.md for development setup and guidelines.

License

Licensed under the Apache License, Version 2.0. See LICENSE for details.