WorkOS acquires Warrant, Zanzibar-style FGA folded into B2B identity stack
WorkOS announced its acquisition of Warrant on April 23, 2024. The deal brings Zanzibar-style fine-grained authorization into WorkOS's B2B-first identity platform, putting it in competition with AuthZed (SpiceDB), OpenFGA, and Permify.
What happened
On April 23, 2024, WorkOS announced the acquisition of Warrant, a Zanzibar-inspired fine-grained authorization (FGA) startup. The Warrant team and product joined WorkOS, with the FGA capability becoming part of the WorkOS platform. WorkOS continues to develop the integration as a first-class authorization primitive alongside its core B2B identity products (SSO, Directory Sync, Audit Logs).
Why it matters
WorkOS had built a strong B2B-first identity platform but lacked native fine-grained authorization. B2B SaaS customers operating at meaningful scale increasingly need ReBAC/FGA, the relationship-based authorization model Google's Zanzibar paper popularized, and were either bolting on AuthZed/SpiceDB or OpenFGA, or building it themselves.
The acquisition collapses two procurement decisions into one for WorkOS customers. It also raises the competitive bar for B2B identity platforms: Frontegg and Auth0 Organizations don't have native Zanzibar-style FGA at this maturity, and the gap matters as customers scale into collaboration features and complex sharing models.
Deepak's take
The Warrant acquisition is the right move at the right time. B2B SaaS identity in 2024-2026 has bifurcated into "the basics" (SSO, SCIM, Organizations) and "the next layer" (FGA, fine-grained audit, behavioral risk). WorkOS owns the reputation for "the basics"; Warrant gives it a credible play on "the next layer."
For practitioners, the question is whether to standardize on WorkOS's bundled FGA or run it separately on AuthZed/SpiceDB or OpenFGA. The bundled answer reduces operational surface but creates vendor concentration. The separate-stack answer is more flexible but requires running another stateful service. Both are defensible; the right call depends on team size and the criticality of FGA to the product. See the Zanzibar-explained guide for the model and the FGA guide for the buyer's framework.
What to do
- WorkOS customers evaluating FGA: Try the integrated Warrant offering first. The integration story is meaningfully cleaner than running a separate FGA service.
- AuthZed / OpenFGA customers: No urgent action. Both projects continue to develop independently: AuthZed has its managed cloud offering, and OpenFGA is on the CNCF sandbox path.
- B2B SaaS evaluating CIAM: WorkOS's expanded surface area shifts the comparison vs Frontegg and Auth0 Organizations. See the B2B SaaS identity guide for the updated shortlist.