Policy-driven authorization control plane for applications that need deterministic, explainable access decisions across RBAC, ACL, and ReBAC.
- Authorization engine with deterministic evaluation and explain traces
- FastAPI API server and operational CLI
- Multi-tenant policy evaluation with strict tenancy controls
- Policy lifecycle operations (validation, compile, simulation, impact analysis)
- Caching and access indexing for low-latency checks
- Structured logging, metrics, and dashboard-ready monitoring
- Deployment assets for Docker, Kubernetes, and Helm
Layering is enforced through import contracts:
- keynetra.api -> transport only
- keynetra.services -> orchestration and runtime flow
- keynetra.engine -> pure policy decision logic
- keynetra.domain -> shared models/schemas
- keynetra.infrastructure -> repositories, storage, cache adapters
- keynetra.config -> configuration loading and guardrails
Detailed architecture notes: ARCHITECTURE.md
python3.11 -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt -r requirements-dev.txt
pip install -e .
cp .env.example .env
keynetra serve --host 0.0.0.0 --port 8080
curl -i http://localhost:8080/health/ready
open http://localhost:8080/docs
curl -s -X POST http://localhost:8080/check-access \
-H "Content-Type: application/json" \
-H "X-API-Key: devkey" \
-H "X-Tenant-Id: acme" \
-d '{
"user": {"id": "u1", "role": "admin"},
"action": "read",
"resource": {"resource_type": "document", "resource_id": "doc-1"},
"context": {}
}'
Entrypoint is standardized to keynetra:
keynetra --help
keynetra check-openapi
keynetra migrate --confirm-destructive
keynetra doctor --service core
- POST /check-access
- POST /check-access-batch
- POST /simulate
- POST /simulate-policy
- POST /impact-analysis
- GET /health, GET /health/ready, GET /metrics
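A caller that enforces decisions from POST /check-access should deny on every failure path. The sketch below is an added example, not code from the KeyNetra project: `is_allowed` and `http_post` are hypothetical names, and the boolean `allowed` response field is an assumption modeled on `decision.allowed` in the SDK example.

```python
"""Fail-closed caller for POST /check-access (added example)."""
import http.client
import json
import urllib.request

BASE_URL = "http://localhost:8080"  # quick-start address from this README


def http_post(url, headers, body, timeout=2.0):
    """Default transport: returns (status_code, response_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def is_allowed(user, action, resource, *, api_key, tenant_id,
               context=None, transport=http_post):
    """Return True only on an explicit allow; every failure path denies."""
    payload = json.dumps({
        "user": user,
        "action": action,
        "resource": resource,
        "context": context or {},
    }).encode()
    headers = {
        "Content-Type": "application/json",
        "X-API-Key": api_key,
        "X-Tenant-Id": tenant_id,  # always sent, so a check is never tenant-less
    }
    try:
        status, raw = transport(BASE_URL + "/check-access", headers, payload)
        if status != 200:
            return False
        decision = json.loads(raw)
    except (OSError, ValueError, http.client.HTTPException):
        # Timeout, refused connection, HTTP error status or unparseable body.
        return False
    # ASSUMPTION: the response is a JSON object with a boolean "allowed" field.
    # Require the literal True so "true", 1 or a missing key cannot grant access.
    return isinstance(decision, dict) and decision.get("allowed") is True
```

The `transport` parameter exists so the deny paths can be exercised in unit tests without a running server.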
OpenAPI contracts:
- Tenant-aware request flow and storage isolation
- Strict tenancy mode available via KEYNETRA_STRICT_TENANCY=true
- API key and JWT auth support
- Admin auth flow for privileged operations
- Rate limiting and request correlation IDs
See SECURITY.md for security policy and reporting.
KeyNetra exposes Prometheus metrics at GET /metrics including:
- HTTP request count/latency/error metrics
- Authorization decision and stage latency metrics
- Cache hit/miss metrics
- DB query latency metrics
- Tenant activity dimensions
Monitoring assets:
- Prometheus config: monitoring/prometheus/prometheus.yml
- Grafana dashboard: monitoring/grafana/dashboards/keynetra-overview.json
- Grafana provisioning: monitoring/grafana/provisioning
docker build -t keynetra:test .
docker run --rm -p 8080:8080 --env-file .env keynetra:test
docker compose up --build
Includes:
- KeyNetra API
- PostgreSQL
- Redis
- Prometheus
- Grafana
- node-exporter
- Loki
kubectl apply -f deploy/kubernetes/
helm install keynetra ./deploy/helm/keynetra
More deployment detail: DEPLOYMENT.md
SDKs are maintained separately from this engine repository.
- Python SDK package: keynetra-client
- SDK guide: SDK_GUIDE.md
Example (Python SDK):
from keynetra_client import KeyNetraClient
client = KeyNetraClient("http://localhost:8080")
decision = client.check_access(
    user={"id": "alice"},
    action="read",
    resource={"type": "document", "id": "doc-1"},
)
print(decision.allowed)
ruff check .
black --check .
pytest
lint-imports --config .importlinter
Convenience commands are available in Makefile.
- ARCHITECTURE.md
- DEPLOYMENT.md
- SDK_GUIDE.md
- CONTRIBUTING.md
- CODE_OF_CONDUCT.md
- SECURITY.md
- CHANGELOG.md
- docs/README.md
Contributions are welcome. Start with CONTRIBUTING.md and CODE_OF_CONDUCT.md.
Apache-2.0. See LICENSE.
@software{keynetra_2026,
title = {KeyNetra},
author = {KeyNetra Community},
year = {2026},
version = {0.1.1-beta},
url = {https://github.com/keynetra/keynetra}
}
Made with love ❤️ for KeyNetra Community.
