TMCnet News Gives Frontend Developers the Keys to Security with FoAz (Frontend-Only Authorization)
[May 31, 2023] Gives Frontend Developers the Keys to Security with FoAz (Frontend-Only Authorization), the permissions platform for cloud-native applications, today launches FoAz which enables frontend developers to confidently take access controls into their own hands. Short for frontend-only authorization, FoAz is a breakthrough technology that empowers frontend developers to use sensitive APIs directly from the frontend, without requiring any backend code, while maintaining the highest level of security.

Security is shifting left to frontend developers with FoAz (Frontend-only Authorization). (Graphic: Business Wire)

"The frontend runs on the user's browser which is inherently insecure," said Or Weis, CEO and Co-Founder of "Until today, each time a frontend app requires access controls - say only paid users can send an invoice via Stripe or an SMS via Twilio - they have to bother a backend engineer to write the glue-code. FoAz offers backendless permissions that fulfill the promise of shift-left security, empowering frontend developers to deploy features autonomously without sacrificing the integrity of their security posture."

As more things continue to shift left to the frontend, security must catch up. With FoAz, frontend developers can easily add permissions to existing services that don't already have an authorization layer in place, require better policy models (e.g. RBAC), or need enhanced access granularity. FoAz is built on top of the open source project OPAL, which acts as the administration layer for the popular Open Policy Agent (OPA). OPAL brings open policy up to the speed needed by live applications: as application state changes via APIs, databases, git, Amazon S3 and other third-party SaaS services, OPAL makes sure, in real time, that every microservice is in sync with the policies and data the application requires.

FoAz leverages the low-code interfaces of - especially the Permit Policy Editor - which generates policy as code. This allows the easy creation of frontend access policies and removes the need to write one for each frontend need.

Highlights include:

No code / Low code policy interfaces: FoAz is powered by policy as code (with OPA and Cedar). Combined with Permit's policy-editor UI, policy creation becomes simple yet powerful, generating policy as code from RBAC to ABAC, with as little effort as ticking a few boxes.

An open standard: FoAz is an open internet standard (available at enabling more companies to implement, integrate, and share the technology, as well as collaborate with on its future development and security posture.

Backend-as-a-Service: A FoAz proxy is a backend generic component that takes on the authorization burden from all services and empowers the frontend to utilize it directly. provides a hosted FoAz offering so engineers can forget about the backend altogether.

Zero-Trust and Secrets Management: FoAz securely manages secrets (storing them encrypted or in a secure vault) avoiding the need to expose them to the frontend.

"At Novu, we focus on accelerating the work of developers," said Tomer Barnea, CEO and Founder of, the open-source notifications infrastructure platform. "FoAz is a critical step in removing redundant backend glue-code and providing frontend developers with the freedom and power they need to move fast."

About enables developers to bake in permissions and access-control into any product in minutes. Open source at its core, the platform builds on top of OPA+OPAL as a service, providing the API and UI access-control interfaces that make it simple to shift security left. is founded by former engineers from Facebook, Microsoft, and Rookout and is already used by industry leaders like Accenture, Cisco, Tesla and others.
