v1.0.0 — stable release

Grant management with verifiable audit trails

API-first. Built for developers. RS256 JWT, workspace isolation, and cryptographically linked audit chains — open source and ready in minutes.

quickstart.py
$ pip install grantlayer-sdk
✓ grantlayer-sdk 1.0.0 installed

# RS256 auth, workspace isolation out of the box
from grantlayer import GrantLayerClient

client = GrantLayerClient("https://api.grantlayer.de")
grant = client.grants.create(
    workspace_id="nonprofit-2024",
    amount=50000, recipient="org-123"
)

✓ grant-7f3a9c created · audit chain initialized
3,149 tests passing · 0 failures · v1.0 stable · Apache 2 open source

Features

Production-grade security, developer-first design

Every feature built correctly from day one — not retrofitted later.

RS256 JWT authentication

Asymmetric key signing by default. Algorithm-confusion guard. HS256 legacy backward-compat. Rate limiting on token endpoints.

Hard workspace isolation

Tenant separation enforced at database level. workspace_id NOT NULL in schema. No silent fallbacks, no cross-tenant data leakage.

Verifiable audit chain

Cryptographically linked audit log. Every state change is tamper-evident. Multi-worker safe with PostgreSQL SELECT FOR UPDATE.

API versioning

All endpoints under /v1/. OpenAPI spec, Pydantic schemas, 307 backward-compat redirects. Pagination on all list endpoints.

Alembic migrations

12 tables, 33 indexes. SQLite for development, PostgreSQL for production. Clean upgrade path with every release.

Python SDK

pip install grantlayer-sdk. Built on httpx, fully typed. 9 integration tests. More language SDKs on the roadmap.

Audit trail

Every action, cryptographically linked

GrantLayer records every state change in a tamper-evident chain. Each entry is hashed and linked to the previous one, so a silent change to an earlier entry breaks the chain and is detected on verification. Designed for compliance, audits, and regulatory requirements.

  • Grant created · sha256: a3f8b2c1d4e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3 · 2026-06-13 · workspace: nonprofit-2024 · verified
  • Policy evaluated → approved · sha256: b4c9d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6 · 2026-06-13 · policy: standard-v2 · verified
  • Evidence bundle attached · sha256: c5d0e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7 · 2026-06-13 · 3 documents · verified
  • Grant executed · €50,000 disbursed · sha256: d6e1f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8 · 2026-06-13 · final state · verified
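
How hash linking makes a log tamper-evident, as an added example (not GrantLayer's own code): the entry layout, the GENESIS value, the event names and the exact hash construction are assumptions. It also shows that detecting removal of the newest entries needs the head hash stored outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash value for the first entry


def entry_hash(prev_hash, payload):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()


def append(chain, payload):
    """Link a new entry to the current head. A multi-worker service must
    serialize this read-then-write step (the page cites SELECT FOR UPDATE)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": entry_hash(prev, payload)})
    return chain[-1]["hash"]


def verify(chain, anchored_head=None):
    """Return (ok, detail). anchored_head is a head hash stored outside the log;
    without it, deleting entries from the end leaves a chain that still verifies."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev:
            return False, f"entry {i}: broken link"
        if entry_hash(e["prev"], e["payload"]) != e["hash"]:
            return False, f"entry {i}: content does not match hash"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head does not match anchored value"
    return True, "ok"


def build_sample():
    """Constructed sample events mirroring the four steps shown above."""
    chain = []
    for event, detail in [
        ("grant.created", {"workspace": "nonprofit-2024", "amount": 50000}),
        ("policy.evaluated", {"policy": "standard-v2", "result": "approved"}),
        ("evidence.attached", {"documents": 3}),
        ("grant.executed", {"amount": 50000, "currency": "EUR"}),
    ]:
        head = append(chain, {"event": event, **detail})
    return chain, head
```

Editing an entry in place fails the content check, and recomputing that entry's hash only moves the failure to the next entry's link.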

Roadmap

What's next

GrantLayer is actively developed. Here's where we're headed.

  • Done: FastAPI migration + API versioning. Full migration from BaseHTTPRequestHandler. All endpoints under /v1/.
  • Done: RS256 JWT + PyJWT. Asymmetric key signing, algorithm-confusion guard, PyJWT[crypto] replacing custom crypto.
  • Done: Workspace isolation + Alembic. Hard tenant separation, 12 tables, 33 indexes, NOT NULL enforcement at schema level.
  • Done: Python SDK + ruff/mypy CI. pip install grantlayer-sdk. Strict typing enforced in CI.
  • Next: SQLAlchemy ORM + Prometheus metrics. Replace raw SQL with ORM. Add /metrics endpoint for observability.
  • Next: Redis-backed rate limiting. Replace in-process rate limiter — multi-worker safe across Gunicorn workers.
  • Planned: OIDC / OAuth2 integration. First-class support for external identity providers. Key rotation and revocation.
  • Planned: More language SDKs. TypeScript/Node.js SDK, Go client, OpenAPI-generated clients.

Pricing

Free and open source, always

GrantLayer is Apache 2.0. Self-host for free. Commercial support coming soon.

Self-hosted
Free / forever
Run GrantLayer on your own infrastructure. No usage limits, no telemetry.
  • Full source code on GitHub
  • SQLite + PostgreSQL support
  • Docker Compose + Nginx TLS
  • All features included
  • Apache 2.0 license
Enterprise
Custom
For organizations needing custom integrations, on-premise deployment, or compliance support.
  • Custom deployment options
  • OIDC / SSO integration
  • Dedicated support
  • SLA + audit reports
  • Custom development

FAQ

Common questions

GrantLayer v1.0.0 is a stable developer preview. It has 3,149 passing tests, RS256 JWT auth, hard workspace isolation, and Alembic-managed schema. It is not yet a production SaaS — some features like Redis-backed rate limiting and OIDC are still on the roadmap.
SQLite is supported for local development and testing. PostgreSQL is the recommended production database with full support for SELECT FOR UPDATE, connection pooling via ThreadedConnectionPool, and Alembic migrations.
Every state change — grant creation, policy evaluation, evidence attachment, execution — is written to an append-only audit log. Each entry contains a SHA-256 hash linked to the previous entry, making the chain tamper-evident. Multi-worker integrity is guaranteed via PostgreSQL SELECT FOR UPDATE.
Yes. GrantLayer is licensed under Apache 2.0, which allows commercial use, modification, distribution, and private use. You can use it in your own products and services without restriction.
The Python SDK (pip install grantlayer-sdk) provides a typed httpx-based client for the GrantLayer API. It covers grants, workspaces, audit logs, and authentication. 9 integration tests are included.

Start building today

Open source, self-hostable, production-quality. Everything you need to manage grants with verifiable audit trails.