duck-iam -- Type-safe access control that actually works.
duck-iam is a unified RBAC + ABAC authorization engine for TypeScript. Define roles, write policies, and protect your app with type-safe middleware.
Built for duck-iam
Type-safe RBAC + ABAC access control engine for TypeScript with framework integrations for Express, NestJS, Hono, Next.js, React, and Vue.
RBAC + ABAC
Combine role-based and attribute-based access control in one engine. Define roles with inheritance, then layer on fine-grained ABAC policies.
Type-Safe Permissions
Define actions, resources, and scopes with const assertions. Typos become compile errors, not runtime bugs.
Multi-Tenant Scopes
Built-in support for multi-tenant scoped roles. A user can be an editor in org-1 and a viewer in org-2.
Framework Integrations
Ready-made middleware for Express, Hono, NestJS, and Next.js. Client providers for React, Vue, and vanilla JS.
Explain & Debug
Call engine.explain() to get a full trace of every policy, rule, and condition with actual vs expected values.
Pluggable Adapters
Store policies and roles anywhere. Ships with Memory, Prisma, Drizzle, and HTTP adapters out of the box.