Duck IAM
ABAC + RBAC access control engine. Server adapters for Express, NestJS, Hono, and Next.js. Client bindings for React and Vue.
One policy graph. Server and client.
Define roles and predicates once. The server enforces. The UI projects. Swap frameworks without rewriting access rules.
ABAC engine
Attribute-based rules over subject, resource, action, and context. Combine predicates, negate them, trace the decision.
RBAC roles
Typed roles and role hierarchies. Use alone, or layer ABAC predicates on top for per-resource rules.
Policy DSL
Declarative policies with typed keys. Typos in action or resource names fail at compile time.
Server adapters
Middleware for Express, NestJS, Hono, and Next.js route handlers. One policy graph runs the same everywhere.
React + Vue clients
Typed `<Can />` components and hooks. The UI shows or hides using the same policies the API enforces.
Explain + benchmarks
Every decision ships with a reason trace. Designed to stay under a microsecond per check. See the benchmarks page.
Install
Pick an adapter on the server or the client.
```sh
# Install
bun add @gentleduck/iam
```

```ts
// Define a policy
import { createEngine } from '@gentleduck/iam'

export const iam = createEngine({
  roles: { admin: ['*'], editor: ['post:write'] },
})
```

Free & open source
gentleduck is MIT licensed and will always be free and open source. Every package ships with full source access — fork it, modify it, own it.