Use Frontegg's Entitlements Engine from JVM applications with a gRPC client. Run feature checks, permission checks, and fine-grained authorization (FGA) from services built with Java or other JVM languages.
Prerequisites
Prerequisites
The Entitlements client is the only supported Frontegg SDK for Java today. You need a reachable entitlements engine endpoint, an engine token (for example ENTITLEMENTS_ENGINE_TOKEN), and a project using Maven or Gradle.
Artifacts are published to Maven Central under the group ID com.frontegg.sdk.
| Module | Artifact ID | Description |
|---|---|---|
| Core | entitlements-client | gRPC client, check API, fallback, and caching |
| BOM | entitlements-client-bom | Bill of Materials for aligned dependency versions |
| Spring Boot starter | entitlements-client-spring-boot-starter | Auto-configuration from application.properties |
| Test utilities | entitlements-client-test | MockEntitlementsClient and RecordingEntitlementsClient |
Add BOM import and the core dependency. Replace x.y.z with the current release on Maven Central.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.frontegg.sdk</groupId>
<artifactId>entitlements-client-bom</artifactId>
<version>x.y.z</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>com.frontegg.sdk</groupId>
<artifactId>entitlements-client</artifactId>
</dependency>
</dependencies>implementation(platform("com.frontegg.sdk:entitlements-client-bom:x.y.z"))
implementation("com.frontegg.sdk:entitlements-client")Build ClientConfiguration with your engine host and token, create an EntitlementsClient, then call isEntitledTo with a user context and either a feature or permission context.
import com.frontegg.sdk.entitlements.EntitlementsClient;
import com.frontegg.sdk.entitlements.EntitlementsClientFactory;
import com.frontegg.sdk.entitlements.config.ClientConfiguration;
import com.frontegg.sdk.entitlements.model.EntitlementsResult;
import com.frontegg.sdk.entitlements.model.FeatureRequestContext;
import com.frontegg.sdk.entitlements.model.PermissionRequestContext;
import com.frontegg.sdk.entitlements.model.UserSubjectContext;
ClientConfiguration config = ClientConfiguration.builder()
.engineEndpoint("grpc.authz.example.com:443")
.engineToken(System.getenv("ENTITLEMENTS_ENGINE_TOKEN"))
.build();
try (EntitlementsClient client = EntitlementsClientFactory.create(config)) {
EntitlementsResult featureResult = client.isEntitledTo(
new UserSubjectContext("user-123", "tenant-456"),
new FeatureRequestContext("advanced-reporting")
);
System.out.println(featureResult.result() ? "Access granted" : "Access denied");
EntitlementsResult permissionResult = client.isEntitledTo(
new UserSubjectContext("user-123", "tenant-456"),
new PermissionRequestContext("reports:export")
);
if (!permissionResult.result()) {
throw new AccessDeniedException("Insufficient permissions");
}
}Long-running applications
Long-running applications
In Spring Boot, Quarkus, Micronaut, or other long-lived processes, register the client as a singleton bean instead of creating it for each request or using try-with-resources per call.
For Spring Boot, add the entitlements-client-spring-boot-starter artifact (via the same BOM) and configure properties in application.properties or application.yml so the client is created automatically. See the repository README for property names and examples.
- Full documentation and API reference in the GitHub repository
- Entitlements engine setup — deploy SpiceDB and the sync job (language-agnostic)
- Node.js Entitlements — same engine from Node.js with
@frontegg/e10s-client - Issues