Additional OpenFGA API Authorization Options

Open

Description

OpenFGA currently supports pre-shared keys and OIDC for authenticating calls to the APIs. Those credentials are global, and allow performing any action in any store.

We want to provide more granularity for authorizing calls to the OpenFGA API. Some scenarios:

  • Different credentials for each FGA store.
  • Different credentials with different permissions per FGA store (e.g. some credentials can perform writes while others cannot).
  • Different credentials with different permissions per FGA module (e.g. some credentials can perform writes on types of some modules while others cannot).
  • Different credentials with different permissions for different types in the FGA store (e.g. some credentials allow writing tuples for documents and others allow writing tuples for users).

This RFC discusses different alternatives in more depth: openfga/rfcs#10
