
casl
CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access
The Lens
CASL handles authorization: who can do what to which resources in your app. Define abilities in one place, enforce them on both frontend and backend. The entire library is 6KB minzipped and MIT licensed.
The mental model is simple. You declare rules like "editors can update articles they own" using a readable DSL, then check permissions with can and cannot methods anywhere in your code. Works with React, Vue, Angular, Prisma, and Mongoose out of the box. Rules serialize to JSON, so the same permission set travels from API to UI without duplication.
Solo developers building anything with user roles need this. Teams get consistent authorization logic across the stack without rolling their own RBAC from scratch. Scales from "admin vs user" to complex attribute-based access control without swapping libraries.
The catch: it is authorization, not authentication. You still need something handling login and identity. CASL just decides what authenticated users are allowed to touch.
Free vs Self-Hosted vs Paid
fully free
## Free Tier
Full library, all integrations, MIT license. No restrictions.
## Self-Hosted
It is a library, not a service. No hosting required.
## Paid
No paid tier exists. Entirely community-maintained.
Completely free and open source. MIT license, no restrictions.
License: MIT License
Use freely, including commercial. Just keep the license.
Commercial use: ✓ Yes
About
- Owner: Serhii Stotskyi (User)
- Stars: 6,908
- Forks: 302