Permission-Aware RAG · Open source core · Self-hostable

Your AI feature can leak one customer's data to another

RAGAuth enforces permissions before vectors are scored — not after. Forbidden documents are never retrieved, never in the prompt, impossible to leak.

Join the waitlistView on GitHub →

Starting at $0 self-hosted. Managed cloud from $149/mo. No per-user pricing.

Enterprise RAG market $1.94B → $9.86B by 2030

73% of enterprises cite security as #1 AI blocker

Glean: $7.2B valuation, $300M ARR — proof this market is real

EU AI Act Article 12 requires audit trails from August 2026

Not just for internal tools.

For any app where users must see different data.

Multi-tenant SaaS

One RAG pipeline, zero tenant isolation

Company A's documents appear in Company B's AI answers.

Tenant ID from JWT scopes retrieval. Cross-tenant access is architecturally impossible.

Healthcare platforms

AI returns another patient's records

A patient asks about their medications and the AI returns another patient's records. HIPAA violation.

Patient identity from JWT maps to their records only. The model never sees another patient's data.

ERP and database AI

Row-level security doesn't travel to the vector store

A sales rep asks about pipeline and sees confidential enterprise deals.

Database ACLs mirrored into OpenFGA tuples at index time. The allow-list reflects exactly what the user sees in the source system.

Legal and compliance

Attorney-client privilege violated by a similarity score

Matter documents from Client A surface in a lawyer's search for Client B.

Matter-level permissions enforced at retrieval. Cross-matter retrieval never happens.

Marketplaces

Seller A sees Seller B's confidential margin data

Seller A asks the AI about pricing strategy and gets Seller B's confidential margin data in context.

Seller identity scopes retrieval to their own catalog. Competitor data is never a search candidate.

Internal knowledge assistants

Engineers get board-level financial projections

An engineer asks the AI about company direction and gets board-level financial projections they aren't cleared for.

Team and role memberships in OpenFGA determine the allow-list. Finance docs never appear in engineering search results.

Same question. Different users. Different answers.

Not “access denied.” The document simply doesn't exist in their world — never retrieved, never in the prompt, impossible to leak.

alice@acme.com · role: engineering

Query

“What was our Q4 revenue and cash runway?”

Response

I don't have enough information in the knowledge base to answer this question.

✗ 0 finance documents retrieved · allow-list empty

carol@acme.com · role: finance

Query

“What was our Q4 revenue and cash runway?”

Response

Q4 revenue was $14.2M with a monthly burn of $1.1M — a 26-month runway at current pace.

✓ 8 finance documents retrieved · full context returned

Pre-filter, not post-filter

Permissions resolved before vectors are scored. The forbidden file was never a candidate.

01

Query with JWT

Every request is authenticated. No anonymous search.

02

Authorizer resolves allow-list

OpenFGA evaluates teams, roles, tenant ID, direct grants. Returns exact documents this user may see.

03

Allow-list applied before retrieval

Allow-list becomes a payload filter. Forbidden documents are excluded during graph traversal — not after scoring.

04

LLM sees only permitted context

Full top-k of allowed chunks. Cannot leak what it never read.

JWTAuthorizerOpenFGA allow-listpayload filterHNSW traversaltop-k permitted chunksLLM prompt

Forbidden documents are never scored. They don't appear in the HNSW graph traversal at all.

The only pre-filter RAG solution that's self-hostable

FeatureGleanOnyx (OSS)Azure AI SearchRAGAuth
Pre-filter at vector layer (not post-filter)
Relationship-based access control (OpenFGA)
Works for multi-tenant public appsPartial
ERP / database connectors✓ roadmap
Fully self-hostable
Instant revocation without re-indexing
Open source core
Pricing$50+/user/mo · $60K minFree self-hostUsage-basedFrom $0 · no per-user fees

Frequently asked questions

Common questions about RAGAuth, permission-aware RAG, and AI data security.

What is RAGAuth?
RAGAuth is a permission-aware RAG (Retrieval-Augmented Generation) security layer that enforces user permissions before documents are retrieved from the vector store — not after. It prevents AI features from leaking one user's data to another by building an OpenFGA-based allow-list that filters at retrieval time, so forbidden documents are never scored, never in the prompt, and impossible to expose.
What is the difference between pre-filter and post-filter RAG?
Post-filter RAG retrieves all matching documents first, then removes the ones the user shouldn't see. The problem: the forbidden documents already influenced the ranking, and post-filtering is easy to bypass or misconfigure. Pre-filter RAG — what RAGAuth does — applies the permission allow-list before graph traversal, so forbidden documents are never candidates in the first place. There is no retrieval step where a leak can occur.
How does RAGAuth prevent AI data leaks?
RAGAuth resolves a per-request allow-list from Authorizer and OpenFGA using the user's JWT. This allow-list is injected as a payload filter into the vector retrieval step before any similarity search happens. Only documents the user is explicitly permitted to see are ever traversed. The LLM receives only allowed chunks — it has no mechanism to reference documents it never read.
Does RAGAuth work with multi-tenant SaaS applications?
Yes. Multi-tenant isolation is the primary use case. Tenant ID is extracted from the JWT and used to scope the OpenFGA allow-list, making cross-tenant document retrieval architecturally impossible rather than just policy-enforced.
Is RAGAuth open source?
The core RAGAuth engine is open source under the MIT license, built on top of Authorizer (authorizer.dev). You can self-host the full stack with a single Docker Compose command. The managed cloud offering adds hosted infrastructure, connectors, and compliance tooling on top of the open-source core.
How much does RAGAuth cost?
RAGAuth starts at $0 for self-hosted deployments. The managed Pro plan is $149/month per project — not per user. There is no per-seat pricing. An early-access founding offer locks in $99/month for the first 3 months. Enterprise pricing is custom and includes dedicated infrastructure and compliance documentation.
Does RAGAuth work with any LLM?
Yes. RAGAuth operates at the retrieval layer, before the LLM call. It is LLM-agnostic — it works with OpenAI, Ollama, local models, or any other inference provider. The Pro plan supports BYO LLM (bring your own LLM API key).
How does RAGAuth handle permission revocation?
Because permissions are resolved at query time from OpenFGA, revocation is instant. Removing a user's access to a document in OpenFGA immediately takes effect on the next query — no re-indexing or cache invalidation required. This is a fundamental advantage over systems that bake permissions into index metadata.
Is RAGAuth suitable for HIPAA or GDPR compliance?
RAGAuth is designed with compliance in mind. The Pro and Enterprise plans include audit log export that is EU AI Act Article 12 ready. The Enterprise plan adds HIPAA and GDPR audit documentation, VPC deployment, and dedicated infrastructure. RAGAuth's pre-filter architecture also satisfies the data minimisation principle — the LLM only ever processes data the user is authorised to see.
Can I use RAGAuth if I already have an existing RAG pipeline?
Yes. RAGAuth is designed to integrate with existing pipelines. It adds a permission resolution step between your JWT-authenticated request and your vector retrieval call. You do not need to rebuild your indexing or embedding pipeline — you add the allow-list filter to the retrieval query.

Per project. Not per user. No surprises.

Pay for the product you're securing, not for every person who uses it.

Open Source

$0

Self-host on your own infrastructure. MIT-licensed core.

  • Full permission-aware RAG engine
  • OpenFGA relationship model
  • Permission pre-filter at retrieval layer
  • Docker compose — one command setup
  • Community support (Discord)
View on GitHub
Most popular

Pro

$149/mo

Per project. Not per user.

Managed hosting, connectors, and compliance tools. We run it. You own the data.

  • Everything in open source
  • Up to 3 projects
  • 50GB document storage *
  • Managed Vector DB + Authorizer
  • Google Drive + Notion connectors *
  • Stale embedding sync (webhook-triggered) *
  • Audit log export (EU AI Act Article 12 ready)
  • BYO LLM (OpenAI / Ollama / local)
  • Email support

* Connectors and sync available Q3 2026. Storage overage $5/GB.

Early access: lock in $99/mo for first 3 months →

Join waitlist

Enterprise

Custom

Dedicated infrastructure, compliance documentation, SLA.

  • Everything in Pro
  • Unlimited projects + storage
  • VPC / on-prem deployment
  • SSO / SAML integration
  • Custom SLA
  • HIPAA / GDPR audit documentation
  • ERP + database connectors
  • Dedicated Slack support
Contact sales

Be first when managed cloud launches

We're onboarding early customers now. Founding members lock in $99/mo for the first 3 months, then standard $149/mo. No minimum contract.