We employ two main methods for our cache system;

OpenFGA Cache Method

FGA has a cache that is set to 10 seconds. If we decide that a very small set of users is going to be active, we’d be able to serve all the requests from the cache. That would make it very easy to misrepresent the test results, as serving everything from memory would only happen in very specific use cases and won’t take into consideration the execution paths that require database access.

source: https://auth0.com/blog/getting-unlimited-scalability-with-okta-fine-grained-authorization/

Concerns and Opinions on OpenFGA's 10-Second Cache Duration

Security Issues:

Potential for Inaccurate Decisions: The 10-second cache duration may lead to outdated or incomplete data being used for authorization decisions. Because the cache is refreshed so frequently, it may not always capture the most current state of user permissions or data changes, potentially resulting in incorrect or inconsistent access control outcomes.

Cache Hit Rate Issues:

Limited Cache Effectiveness: With such a short cache duration, the cache might not be hit frequently, especially if user activity is low. This results in many requests being served directly from the database rather than the cache. As a result, the performance benefits of caching are diminished, and database load remains high. This setup can also lead to misleading performance metrics, as the cache may only be effective in very specific scenarios and not under typical operational conditions.