Capability-based access control is fascinating. Here's an interesting article about capabilities vs. ACLs: <a href="http://www.erights.org/elib/capability/duals/myths.html" rel="nofollow">http://www.erights.org/elib/capability/duals/myths.html</a><p>I'm also a fan of Macaroons for this purpose, which I was disappointed to see weren't being used here. But for an example of using macaroons as capabilities in practice, see: <a href="http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex/" rel="nofollow">http://hackingdistributed.com/2014/11/23/macaroons-in-hyperd...</a>
From their homepage, "this is the only way to make Open Source web apps viable." What does viable mean in this context? Why is this service different from hosting on heroku or my own free Amazon instance? Is it just convenience or is there something more?