Duolingo’s Strategic Shift to Oso: Saving Time, Reducing Risk, Powering Innovation

Inside Duolingo’s Powerhouse: The Platform Engineering Play that Supercharges Language Learning

Duolingo is the most popular language-learning platform and the most downloaded, top grossing education app worldwide. The app is so successful because it makes learning new languages fun with bite-sized lessons that feel like playing a game. Founded in 2011, the company's mission is to develop the best education in the world and make it universally available. Today Duolingo offers over 100 courses across 42 languages, from Spanish, French, German and Japanese to Navajo and Yiddish.

Duolingo’s Platform Engineering organization, headed by Fabio Lessa, is split into four areas: Data Platform, Infrastructure Platform, Developer Amplification, and Design Accelerator. While the Platform Engineering team doesn’t directly deliver revenue-facing features, each area accelerates key parts of the business. Describing Platform Engineering’s role, Fabio says “Our job is to enable the business—shortening the time from idea to production so more things can be tested and we can move really fast.” 

Within this structure, the Infrastructure Platform team manages core services such as cloud operations (across AWS, GCP, Azure, and others), security, and Duolingo’s edge APIs. Authorization responsibilities—previously part of an aging internal system—have become a priority for Infrastructure Platform, especially given the company’s drive to “bet on technology,” as their CEO often says. 

 And it's on Oso that Duolingo has made its authorization bet, enabling us to respond to business needs faster and quickly iterate on the product.

- Fabio Lessa, VP of Platform Engineering 

Stuck in Code: The Hidden Drag on Duolingo’s Productivity

Built in the early days of the company, Duolingo’s homegrown authorization solution became increasingly cumbersome. According to Fabio, “We had a massive operational problem with our old system. It was all hard-coded, so you’d have to make a pull request, merge it, and redeploy one of our largest services just to add or remove someone’s access.” 

This outdated process frequently took days, monopolized valuable engineering resources, and delayed new hires and contractors from accessing critical systems—slowing down entire projects and impeding Duolingo’s ability to rapidly test and deliver new ideas.

Compliance needs compounded these pain points, with auditors forced to rely on engineering to view or edit access privileges. “Everything was in code,” Fabio noted, “so they had to go through GitHub and rely on us.” 

Duolingo recognized these inefficiencies were damaging productivity, delaying time to value, and complicating compliance checks, putting unnecessary friction on the business’s growth and innovation.

Stop Reinventing the Wheel: Duolingo’s Smart Move to a Proven Authorization Partner

Duolingo has a long history of building its own solutions, but before defaulting to that route, Fabio’s team defined their ideal end state. 

1. The replacement needed to be mission-critical quality—authorization bugs can create serious security risks. 
2. The system needed enough flexibility to fit Duolingo’s existing setup and seamlessly adapt to future authorization patterns—without requiring a costly rewrite down the road.
3. Engineers needed to be free from the burden of hosting yet another service that wasn’t part of Duolingo’s core business.

The engineering team recognized that authorization was a well-defined problem space and without highly customized needs, there was no need for them to reinvent the wheel.

So we decided to lean on a partner—someone who focuses on authorization full-time and can guide us toward best practices.

- Fabio Lessa, VP of Platform Engineering 

The  Duolingo team researched several vendors, soliciting recommendations from their developers and security engineers. Ultimately, Oso stood out. Fabio recalled, “We did a long proof of concept with Oso—longer than with anyone else—and found their customer support experience and technical solution were a great fit.”

During the POC, Duolingo discovered Polar—Oso’s declarative policy language—worked elegantly for defining roles and permissions. 

We had an early sit-down with an Oso engineer and within twenty minutes we’d defined a custom Polar definition for our use case. That flexibility was a big factor in our decision.

- Fabio Lessa, VP of Platform Engineering 

Set It and Forget It: Duolingo’s Fully Managed Authorization with Oso Cloud

Duolingo’s implementation of Oso began with extensive upfront collaboration, integration planning, and training sessions between Duolingo’s engineers and Oso’s technical team. Fabio highlighted how this proactive approach was key to ensuring a smooth rollout, remarking that previous vendor integrations had struggled due to insufficient support. By clearly aligning on objectives and expectations early in the process, Duolingo successfully trained their internal teams, making the transition seamless and efficient. 

The engineering team has built a self-service dashboard on top of Oso with Polar’s authorization rules governing who can do what. Now anyone in the business can grant and revoke permissions with a few clicks, sparing developers from handling all changes in code. They have also created an API that automates common processes, such as onboarding and offboarding employees and contractors. In addition, auditors can now check roles and privileges directly, no code review required!

We’ve been able to do all of these things using Oso without making large policy adjustments or significant architectural changes to our authorization setup.

- Fabio Lessa, VP of Platform Engineering 

Duolingo is deployed in Oso Cloud , using its fully managed service to reduce infrastructure overhead. Fabio explained, “It’s definitely nice we don’t have to fully host it ourselves. We want our team to focus on what matters most to Duolingo.”

To enhance reliability and performance, Duolingo also implemented local caching through an Oso-provided fallback node, enabling continued authorization checks even if connectivity to Oso Cloud is temporarily disrupted. Duolingo’s deployment runs across multiple AWS regions to further enhance redundancy and resilience.

From Days to Minutes: How Oso Transformed Duolingo’s Authorization

The shift from a code-dependent system to Oso’s authorization services dramatically improves speed, compliance, and maintainability. 

It used to be days to roll out new permissions. Now with Oso it takes minutes.

- Fabio Lessa, VP of Platform Engineering 

This increased speed and flexibility allows Duolingo to respond far more dynamically to short-term business demands—such as rapidly onboarding contractors for urgent content generation or translation tasks—without involving engineers or disrupting core services.

Fabio emphasized the unanimous enthusiasm among the Duolingo team:

 “I pinged our engineers asking for any downsides with Oso, and nobody had anything negative to report. Every experience we've had with Oso has been positive. We made lots of friends in the compliance team!” 

Crucially, he also noted there hasn't been a single use case they couldn't model with Oso’s Polar language. With zero downtime since implementation, Oso’s reliability has given Duolingo’s engineers the freedom to focus elsewhere. As Fabio summarized, “Authorization isn't a problem we stress over anymore. We’ve even started looking at future AI-related internal tools, and Oso is central to any of those authorization discussions.” 

The stability, responsiveness, and flexibility provided by Oso have had a significant impact on the business, and set it up well for future initiatives and demands. 

Key Learnings and Next Steps

Duolingo’s story underscores two lessons. First, authorization is foundational—getting it right accelerates everything else. Second, outsourcing complex but ubiquitous needs—like authorization— to a dedicated partner can save massive effort.

For teams facing similar challenges, Oso offers the Authorization Academy, providing concepts. architecture, and best practices for building application authorization. A practical next step is to book time with an Oso engineer to discuss your authorization needs. As Fabio advises, “Don’t reinvent the wheel; lean on experts who’ve solved this problem before.”