Agicap: Fine-grained authorization for a European fintech platform

Agicap is a European fintech that helps small, medium, and large enterprises manage cash flow in real time. Its SaaS platform serves more than 8,000 customers across industries, and every backend service in the platform validates access through OpenFGA.

At a glance

Industry: Fintech / cash flow management
In production since: April 2023
Scale: ~250 requests per second, 8,000+ customers
Deployment: Self-hosted, on-premises
Key features used: ReBAC, conditional relationships

Why OpenFGA

Agicap needed an open-source authorization layer with a strong community, on-premises deployment for compliance, and a model flexible enough to express financial-product permissions that pure RBAC could not. They evaluated alternatives such as Oso and concluded OpenFGA was the most stable option that fit those requirements, with approachable maintainers and clear documentation.

The team specifically chose ReBAC over an RBAC redesign because it let them express fine-grained relationships without re-inventing authorization logic inside every service. Learn more about that trade-off in RBAC vs ReBAC.

Architecture and scale

  • All backend services call OpenFGA via an internal secure facade rather than the OpenFGA API directly. The facade enforces application-level rules on top of OpenFGA so the data plane is never exposed.
  • Authorization is enforced consistently across development, pre-production, load-test, and production environments.
  • Performance work over time pushed Agicap from a deeper hierarchy to a flatter authorization model, which improved both query latency and scalability — a pattern documented in the performance best practices.

Engineering with the community

Agicap is an active upstream contributor:

  • Engineers from the platform and SRE teams open pull requests against openfga/openfga to fix bugs and tune performance.
  • The team participates in the monthly OpenFGA community call.
  • Agicap has co-presented OpenFGA talks with maintainers at KubeCon EU 2024 (Paris) and KubeCon NA 2024 (Salt Lake City).

When the team filed a critical performance issue, the upstream maintainers shipped a fix within 24 hours.

Outcomes

  • A single, evolvable authorization layer behind every backend service.
  • Faster delivery of new permissions — schema changes replace code changes.
  • Cost savings from running self-hosted instead of a proprietary alternative.
  • Confidence at production scale with 8,000+ customers and continuous traffic.

Source

This case study is based on the public CNCF TOC adopter interview with Pauline Jamin, Head of Engineering - Finance and Core at Agicap, available in the cncf/toc repository, and a presentation in the OpenFGA community meeting on Agicap's OpenFGA deployment.