Available now — Open Source

NPA

Intelligent policy engine. Blazing fast. Python-native. OPA-compatible.
200,000+ decisions per second — 60× less memory than OPA.

NPA – NextPolicyAgent

Why NPA?

Policy engines are the backbone of modern security architectures. Existing solutions like OPA are written in Go, require separate processes, and bring significant overhead. NPA combines the proven Rego language with the flexibility of Python — no language barrier, no foreign binaries, no performance compromises.

Python-native embedding

Embed NPA directly as a Python library — no HTTP calls, no serialization overhead, no network latency. Pure in-process speed: 200,000+ decisions per second at ~5 µs per evaluation.

60× less memory

While OPA typically uses 20–30 MB RAM, NPA gets by with 0.5 MB peak — even with all policies loaded. More containers on the same cluster, ideal for sidecars and edge scenarios.

OPA drop-in replacement

NPA implements the complete OPA REST API. Replace existing OPA deployments without changing a single line of client code. All 192+ Rego built-in functions included.

Key strengths

Integrated web dashboard

7-page SPA with live metrics, policy editor with syntax highlighting, interactive playground, data browser, bundle management, decision logs and configuration — all out of the box.

HTTPS by default

TLS 1.2+ enabled by default with automatic certificate generation for development. Session-based auth, security headers (HSTS, X-Content-Type-Options), GZip compression and CORS.

Linear scaling

Predictable performance — only ~0.22 µs per additional rule. Even with 100 rules, NPA delivers 32,000+ decisions per second.

Modern architecture

Built on FastAPI + uvicorn (ASGI), Typer + Rich CLI, multi-layer caching, plugin system, dual storage (in-memory / SQLite) and full OpenTelemetry + Prometheus observability.

From CLI to container

13 CLI commands, Docker-ready, Swagger/ReDoc documentation — everything DevOps teams need. Development, testing, and production workflows fully covered.

NPA vs OPA at a glance

  • Language: Python 3.12+ vs Go
  • SDK embedding: Direct in Python apps (~5 µs) vs not available
  • SDK throughput: 200,000+ eval/s vs —
  • REST API latency: < 1 ms vs < 0.5 ms
  • Memory usage: 0.5 MB vs 20–30 MB
  • Web dashboard: 7-page SPA vs none
  • TLS by default: Yes, with auto-cert vs manual
  • Rego-compatible: Yes (192+ built-ins) vs native
  • License: GPL-3.0 (Open Source) vs Apache 2.0

Use cases

API gateway & microservices

Central authorization for all microservices. NPA runs as a sidecar or as a central policy server, with under 1 ms response time.

Kubernetes admission control

Pod validation, namespace policies, resource quotas — all defined in Rego and enforced by NPA. Compatible with existing OPA/Gatekeeper policies.

CI/CD pipeline security

Policy-as-Code in the build process: compliance checks, license validation, security scanning — automated and reproducible.

Python apps & ML pipelines

Embed NPA directly as an SDK: 200,000 policy decisions per second without HTTP overhead. Perfect for real-time inference with policy enforcement.

Get started in 60 seconds

Python

pip install npa
npa run
Dashboard: https://localhost:8443

Docker

docker run -d -p 8443:8443 npa:latest
Dashboard: https://localhost:8443

As SDK

Import NPA, load a policy, and call engine.decide() — decisions in ~5 µs, directly in your Python application.

Repository

NPA is open source under the GNU General Public License v3.0. Contributions, bug reports and feature requests are welcome.