CINXE.COM

<!doctype html> <html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-overview/how-does-it-work" data-has-hydrated="false"> <head> <meta charset="UTF-8"> <meta name="generator" content="Docusaurus v2.4.3"> <title data-rh="true">How does Permit.io work? | Permit.io Documentation</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://docs.permit.io/overview/how-does-it-work"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="How does Permit.io work? | Permit.io Documentation"><link data-rh="true" rel="icon" href="/logo/favicon.ico"><link data-rh="true" rel="canonical" href="https://docs.permit.io/overview/how-does-it-work"><link data-rh="true" rel="alternate" href="https://docs.permit.io/overview/how-does-it-work" hreflang="en"><link data-rh="true" rel="alternate" href="https://docs.permit.io/overview/how-does-it-work" hreflang="x-default"><link data-rh="true" rel="stylesheet" href="https://fonts.googleapis.com/icon?family=Material+Icons"><link data-rh="true" href="https://cdn.jsdelivr.net/npm/remixicon@4.2.0/fonts/remixicon.css" rel="stylesheet"><link data-rh="true" rel="preconnect" href="https://MVBO9ANY91-dsn.algolia.net" crossorigin="anonymous"><link rel="preconnect" href="https://www.google-analytics.com"> <link rel="preconnect" href="https://www.googletagmanager.com"> <script async src="https://www.googletagmanager.com/gtag/js?id=G-S2W3HZX9EZ"></script> <script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","G-S2W3HZX9EZ",{anonymize_ip:!0})</script> <link rel="search" type="application/opensearchdescription+xml" title="Permit.io Documentation" href="/opensearch.xml"> <script>!function(t,h,e,j,s,n){t.hj=t.hj||function(){(t.hj.q=t.hj.q||[]).push(arguments)},t._hjSettings={hjid:3529378,hjsv:6},s=h.getElementsByTagName("head")[0],(n=h.createElement("script")).async=1,n.src="https://static.hotjar.com/c/hotjar-"+t._hjSettings.hjid+".js?sv="+t._hjSettings.hjsv,s.appendChild(n)}(window,document)</script> <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/remixicon@4.2.0/fonts/remixicon.css"><link rel="stylesheet" href="/assets/css/styles.ecbeac4c.css"> <link rel="preload" href="/assets/js/runtime~main.d64cc98d.js" as="script"> <link rel="preload" href="/assets/js/main.1e418128.js" as="script"> <!-- Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=G-S2W3HZX9EZ"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-S2W3HZX9EZ'); </script><script src="https://cdn.lr-in.com/LogRocket.min.js" crossorigin="anonymous"></script> <script>window.LogRocket && window.LogRocket.init('s0szi1/permitio-docs');</script></head> <body class="navigation-with-keyboard"> <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}(),document.documentElement.setAttribute("data-announcement-bar-initially-dismissed",function(){try{return"true"===localStorage.getItem("docusaurus.announcement.dismiss")}catch(t){}return!1}())</script><div id="__docusaurus"> <div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><div class="announcementBar_mb4j" style="background-color:#6851ff;color:#FFFFFF" role="banner"><div class="announcementBarPlaceholder_vyr4"></div><div class="content_knG7 announcementBarContent_xLdY">If you like Permit, give us a ⭐️ on <a href="https://www.github.com/permitio/opal" target="_blank" rel="noopener noreferrer">GitHub</a> and follow us on <a href="https://www.twitter.com/permit_io" target="_blank" rel="noopener noreferrer">Twitter</a></div><button type="button" aria-label="Close" class="clean-btn close closeButton_CVFx announcementBarClose_gvF7"><svg viewBox="0 0 15 15" width="14" height="14"><g stroke="currentColor" stroke-width="3.1"><path d="M.75.75l13.5 13.5M14.25.75L.75 14.25"></path></g></svg></button></div><nav aria-label="Main" class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/"></a><div class="algolia-search searchBox_ZlJk"><button type="button" class="DocSearch DocSearch-Button" aria-label="Search"><span class="DocSearch-Button-Container"><svg width="20" height="20" class="DocSearch-Search-Icon" viewBox="0 0 20 20"><path d="M14.386 14.386l4.0877 4.0877-4.0877-4.0877c-2.9418 2.9419-7.7115 2.9419-10.6533 0-2.9419-2.9418-2.9419-7.7115 0-10.6533 2.9418-2.9419 7.7115-2.9419 10.6533 0 2.9419 2.9418 2.9419 7.7115 0 10.6533z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"></path></svg><span class="DocSearch-Button-Placeholder">Search</span></span><span class="DocSearch-Button-Keys"></span></button></div></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a aria-current="page" class="navbar__link active" aria-haspopup="true" aria-expanded="false" role="button" href="/">2.0.0</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/overview/how-does-it-work">2.0.0</a></li><li><a class="dropdown__link" href="/1.0.0/">1.0.0</a></li></ul></div><a href="https://github.com/permitio" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link github-icon nav-icon" alt="twitter logo"></a><a href="https://twitter.com/permit_io" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link twitter-icon nav-icon" alt="github logo"></a><a href="https://io.permit.io/docs-to-slack" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link slack-icon nav-icon" alt="slack logo"></a><div class="navbar__item dashboard"><a target="_blank" href="https://io.permit.io/QoPSfh">Go to dashboard</a></div><div class="toggle_vylO colorModeToggle_DEke"><button class="clean-btn toggleButton_gllP toggleButtonDisabled_aARS" type="button" disabled="" title="Switch between dark and light mode (currently light mode)" aria-label="Switch between dark and light mode (currently light mode)" aria-live="polite"><svg class="dark-theme-toggle" width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M9.48522 1.68164C8.26441 2.82232 7.5013 4.44667 7.5013 6.24925C7.5013 9.70101 10.2996 12.4993 13.7513 12.4993C15.5539 12.4993 17.1782 11.7362 18.3189 10.5153C18.0524 14.8773 14.4304 18.3326 10.0013 18.3326C5.39893 18.3326 1.66797 14.6016 1.66797 9.99926C1.66797 5.57021 5.12321 1.94817 9.48522 1.68164Z" fill="#846358"></path></svg><svg class="light-theme-toggle" width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg"><g clip-path="url(#clip0_10761_10952)"><path d="M9.9987 15.0007C8.67262 15.0007 7.40085 14.4739 6.46316 13.5362C5.52548 12.5985 4.9987 11.3267 4.9987 10.0007C4.9987 8.67457 5.52548 7.4028 6.46316 6.46512C7.40085 5.52744 8.67262 5.00065 9.9987 5.00065C11.3248 5.00065 12.5966 5.52744 13.5342 6.46512C14.4719 7.4028 14.9987 8.67457 14.9987 10.0007C14.9987 11.3267 14.4719 12.5985 13.5342 13.5362C12.5966 14.4739 11.3248 15.0007 9.9987 15.0007ZM9.9987 13.334C10.8828 13.334 11.7306 12.9828 12.3557 12.3577C12.9808 11.7326 13.332 10.8847 13.332 10.0007C13.332 9.1166 12.9808 8.26875 12.3557 7.64363C11.7306 7.01851 10.8828 6.66732 9.9987 6.66732C9.11464 6.66732 8.2668 7.01851 7.64168 7.64363C7.01655 8.26875 6.66536 9.1166 6.66536 10.0007C6.66536 10.8847 7.01655 11.7326 7.64168 12.3577C8.2668 12.9828 9.11464 13.334 9.9987 13.334V13.334ZM9.16536 0.833984H10.832V3.33398H9.16536V0.833984ZM9.16536 16.6673H10.832V19.1673H9.16536V16.6673ZM2.92786 4.10815L4.1062 2.92982L5.8737 4.69732L4.69536 5.87565L2.92786 4.10898V4.10815ZM14.1237 15.304L15.302 14.1257L17.0695 15.8932L15.8912 17.0715L14.1237 15.304ZM15.8912 2.92898L17.0695 4.10815L15.302 5.87565L14.1237 4.69732L15.8912 2.92982V2.92898ZM4.69536 14.1257L5.8737 15.304L4.1062 17.0715L2.92786 15.8932L4.69536 14.1257V14.1257ZM19.1654 9.16732V10.834H16.6654V9.16732H19.1654ZM3.33203 9.16732V10.834H0.832031V9.16732H3.33203Z" fill="#FFB381"></path></g><defs><clipPath id="clip0_10761_10952"><rect width="20" height="20" fill="white"></rect></clipPath></defs></svg></button></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><aside class="theme-doc-sidebar-container docSidebarContainer_b6E3"><div class="sidebarViewport_Xe31"><a href="/"></a><div class="sidebar_njMd"><nav aria-label="Docs sidebar" class="menu thin-scrollbar menu_SIkG menuWithAnnouncementBar_GW3s"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menuHtmlItem_PEWV menu__list-item"><div class="sidebar_top_wrapper"> <div class="sidebar_top"> <div class="sidebar_top_logo is-dark"> <a target="_blank" rel="noopener noreferrer" href="/"> <img src="/logo/site-logos/marketing-dark.svg" alt=""> </a> <a href="/"> <img src="/logo/site-logos/docs-dark.svg" alt=""> </a> </div> <div class="sidebar_top_logo is-light"> <a target="_blank" rel="noopener noreferrer" href="/"> <img src="/logo/site-logos/marketing-light.svg" alt=""> </a> <a href="/"> <img src="/logo/site-logos/docs-light.svg" alt=""> </a> </div> </div> <div class="sidebar_bottom"> <a target="_blank" rel="noopener noreferrer" href="https://www.permit.io/"> <div> <img src="/sidebar-top-icons/normal-icons/marketing-home.svg" alt=""> <img src="/sidebar-top-icons/hover-icons/marketing-home.svg" alt=""> </div> Permit Homepage </a> <a target="_blank" rel="noopener noreferrer" href="https://api.permit.io/v2/redoc"> <div> <img src="/sidebar-top-icons/normal-icons/api.svg" alt=""> <img src="/sidebar-top-icons/hover-icons/api.svg" alt=""> </div> API Reference </a> <a target="_blank" rel="noopener noreferrer" href="https://permit-io.slack.com/join/shared_invite/zt-nz6yjgnp-RlP9rtOPwO0n0aH_vLbmBQ#/shared-invite/email"> <div> <img src="/sidebar-top-icons/normal-icons/slack.svg" alt=""> <img src="/sidebar-top-icons/hover-icons/slack.svg" alt=""> </div> Slack Community </a> <a target="_blank" rel="noopener noreferrer" href="https://github.com/permitio"> <div> <img src="/sidebar-top-icons/normal-icons/github.svg" alt=""> <img src="/sidebar-top-icons/hover-icons/github.svg" alt=""> </div> GitHub </a> </div> </div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item hidden"><a class="menu__link" href="/"><i class="ri-road-map-line" style="padding-inline-end:8px;width:16.11px;height:16.16px;inline-size:inherit"></i>Welcome to Permit</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/quickstart"><i class="ri-rocket-line" style="padding-inline-end:8px;width:16.11px;height:16.16px;inline-size:inherit"></i>Getting Started</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item category-as-header"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--active">Start Quickly</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/overview/connecting-your-app">Walkthroughs</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/category/learn-by-example">Examples</a><button aria-label="Toggle the collapsible sidebar category &#x27;Examples&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--active" aria-expanded="true" tabindex="0" href="/overview/best-practices">Best Practices</a><button aria-label="Toggle the collapsible sidebar category &#x27;Best Practices&#x27;" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/how-to/ownership">Modeling Ownership</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/overview/how-does-it-work">Decoupling Policy and Code</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/concepts/multitenancy">Multitenancy</a></li></ul></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item category-as-header"><div class="menu__list-item-collapsible"><a class="menu__link">Model Policies</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/how-to/build-policies/rbac/overview">Roles (RBAC)</a><button aria-label="Toggle the collapsible sidebar category &#x27;Roles (RBAC)&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/how-to/build-policies/abac/overview">Attributes (ABAC)</a><button aria-label="Toggle the collapsible sidebar category &#x27;Attributes (ABAC)&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/how-to/build-policies/rebac/overview">Relationships (ReBAC)</a><button aria-label="Toggle the collapsible sidebar category &#x27;Relationships (ReBAC)&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/integrations/gitops/custom_policy">Policy as Code (PBAC)</a><button aria-label="Toggle the collapsible sidebar category &#x27;Policy as Code (PBAC)&#x27;" type="button" class="clean-btn menu__caret"></button></div></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item category-as-header"><div class="menu__list-item-collapsible"><a class="menu__link">Enforce Permissions</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/concepts/pdp/overview">The Policy Decision Point (PDP)</a><button aria-label="Toggle the collapsible sidebar category &#x27;The Policy Decision Point (PDP)&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/how-to/enforce-permissions/check">Permit.check()</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/how-to/enforce-permissions/bulk-check">Bulk Check</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/how-to/enforce-permissions/data-filtering">Data Filtering</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/foaz/url-mapping-check">URL Mapping Permissions Check</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/how-to/enforce-permissions/list-role-assignments">Permission Queries</a></div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/integrations/feature-flagging/casl">Frontend</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item category-as-header"><div class="menu__list-item-collapsible"><a class="menu__link">Work with Data</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/how-to/sync-users">Users and Identities</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/how-to/manage-data/loading-data">Custom Data</a></div></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item category-as-header"><div class="menu__list-item-collapsible"><a class="menu__link">Manage the SDLC</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/how-to/deploy/deploy-to-production">Deploy</a><button aria-label="Toggle the collapsible sidebar category &#x27;Deploy&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/how-to/SDLC/authz-testing">Test &amp; Monitor</a></div></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item category-as-header"><div class="menu__list-item-collapsible"><a class="menu__link">Connect Your App</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/sdk/nodejs/quickstart-nodejs">NodeJS</a><button aria-label="Toggle the collapsible sidebar category &#x27;NodeJS&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/sdk/python/quickstart_python_sync">Python</a><button aria-label="Toggle the collapsible sidebar category &#x27;Python&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/sdk/golang/quickstart-golang">Golang</a><button aria-label="Toggle the collapsible sidebar category &#x27;Golang&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/sdk/dotnet/quickstart-dotnet">.NET</a><button aria-label="Toggle the collapsible sidebar category &#x27;.NET&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/sdk/java/quickstart-java">Java</a><button aria-label="Toggle the collapsible sidebar category &#x27;Java&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/sdk/ruby/quickstart-ruby">Ruby on Rails</a><button aria-label="Toggle the collapsible sidebar category &#x27;Ruby on Rails&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/api/api-with-cli">REST API</a><button aria-label="Toggle the collapsible sidebar category &#x27;REST API&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/integrations/infra-as-code/terraform-provider">Terraform</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/integrations/gateways/overview">Proxies &amp; API Gateways</a><button aria-label="Toggle the collapsible sidebar category &#x27;Proxies &amp; API Gateways&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/integrations/gitops/github">Git Providers</a><button aria-label="Toggle the collapsible sidebar category &#x27;Git Providers&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/integrations/GraphQL/overview">GraphQL</a><button aria-label="Toggle the collapsible sidebar category &#x27;GraphQL&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/sdk/php/quickstart-php">PHP (Beta)</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/sdk/kotlin/quickstart-kotlin">Kotlin (Beta)</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/sdk/erlang/quickstart-erlang">Erlang (Beta)</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/sdk/cpp/quickstart-cpp">C++ (Beta)</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/sdk/rust/quickstart-rust">Rust (Coming Soon)</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item category-as-header"><div class="menu__list-item-collapsible"><a class="menu__link">Integrate with Authentication</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/authentication/auth0/permit-integration">Auth0</a><button aria-label="Toggle the collapsible sidebar category &#x27;Auth0&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="false" tabindex="0" href="/authentication/cognito/permit-integration">AWS Cognito</a><button aria-label="Toggle the collapsible sidebar category &#x27;AWS Cognito&#x27;" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/authentication/stytch/permit-integration">Stytch</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/authentication/fusionauth">FusionAuth</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/authentication/supertokens">SuperTokens</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/authentication/hankopermit">Hanko</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/integrations/SCIM/OKTA">Okta (SCIM)</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/integrations/SCIM/EntraID">Entra ID (SCIM)</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item category-as-header"><div class="menu__list-item-collapsible"><a class="menu__link">Embed Frontend Components</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/embeddable-uis/overview">Overview</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/embeddable-uis/element/user-management">User Management</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/embeddable-uis/element/audit-logs">Audit Logs</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/embeddable-uis/element/access-request">Access Request</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/embeddable-uis/element/operation-approval">Operation Approval</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/embeddable-uis/element/approval-management">Approval Management</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/embeddable-uis/permission-levels">Guides</a></div></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item category-as-header"><div class="menu__list-item-collapsible"><a class="menu__link">Advanced Learning</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/overview/why-permit">Conceptual Guides</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/api/api-reference">API References</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/api/v2-migration-guide">Migrations</a></div></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item category-as-header"><div class="menu__list-item-collapsible"><a class="menu__link">Updates and Feedback</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/updates-and-feedback/changelog">Changelog</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/updates-and-feedback/roadmap">Roadmap</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/updates-and-feedback/feature-requests">Feature Requests</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/faq"><i class="ri-seo-line" style="padding-inline-end:8px;width:16.11px;height:16.16px;inline-size:inherit"></i>FAQ</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/status"><i class="ri-planet-line" style="padding-inline-end:8px;width:16.11px;height:16.16px;inline-size:inherit"></i>Permit Uptime Status</a></li></ul></li></ul></nav></div></div></aside><main class="docMainContainer_gTbr"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_z5aJ"><div class="docItemContainer_c0TR"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Z_bl" aria-label="Breadcrumbs"><ul class="breadcrumbs" itemscope="" itemtype="https://schema.org/BreadcrumbList"><li class="breadcrumbs__item"><a aria-label="Home page" class="breadcrumbs__link" href="/"><svg viewBox="0 0 24 24" class="breadcrumbHomeIcon_YNFT"><path d="M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z" fill="currentColor"></path></svg></a></li><li class="breadcrumbs__item"><span class="breadcrumbs__link">Start Quickly</span><meta itemprop="position" content="1"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item"><a class="breadcrumbs__link" itemprop="item" href="/overview/best-practices"><span itemprop="name">Best Practices</span></a><meta itemprop="position" content="2"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link" itemprop="name">Decoupling Policy and Code</span><meta itemprop="position" content="3"></li></ul></nav><span class="theme-doc-version-badge badge badge--secondary">Version: 2.0.0</span><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>How does Permit.io work?</h1></header><p>One of the main challenges of implementing authorization properly is making sure it can evolve along with your application. As our app’s requirements evolve (From a simple Admin - Non-Admin logic into roles, attributes, relationships, and more), it becomes very difficult to maintain a consistent authorization layer without cumbersome spaghetti code.</p><p>Here&#x27;s how Permit can help -</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="decoupling-policy-and-code">Decoupling policy and code<a href="#decoupling-policy-and-code" class="hash-link" aria-label="Direct link to Decoupling policy and code" title="Direct link to Decoupling policy and code">​</a></h2><p>A best practice utilized to separate our app’s authorization code from the actual application code. Open-source <strong>Policy Engines</strong> such as <a href="https://github.com/open-policy-agent/opa" target="_blank" rel="noopener noreferrer">Open Policy Agent</a> (OPA) and <a href="https://github.com/cedar-policy" target="_blank" rel="noopener noreferrer">AWS’ Cedar</a> provide an excellent baseline for creating such a microservice. Still, this authorization microservice requires a lot of maintenance work, especially around connecting the microservice to the application, its policy sources, the data it needs, and the access-control interfaces we need to build on top.</p><p><strong>That’s where Permit comes in</strong> - utilizing these existing open source solutions, Permit provides you with a microservice for authorization based on your <strong>Policy Engine</strong> of choice, an administration layer, <a href="https://github.com/permitio/opal" target="_blank" rel="noopener noreferrer">OPAL</a>, which keeps the policy engine up to date with the latest policy and data updates, a set of <strong>SDKs</strong> per your language of choice, and a cloud service to manage it all.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="permits-hybrid-architecture">Permit’s Hybrid Architecture<a href="#permits-hybrid-architecture" class="hash-link" aria-label="Direct link to Permit’s Hybrid Architecture" title="Direct link to Permit’s Hybrid Architecture">​</a></h2><p>The Permit architecture consists of two main parts, a <strong>Control Plane</strong> and a <strong>Data Plane</strong>:</p><ul><li><p>The <strong>Data Plane</strong> stores all the actual data required to make authorization decisions. This includes authorization policies, names, emails, etc.</p></li><li><p>The <strong>Control Plane</strong> includes the relationships between various entities required to make authorization decisions (User IDs, Roles, Attributes, etc.).</p></li></ul><p>Basically, the Control plane, through which you make changes and updates to your authorization layer, is managed via <strong>Permit’s Cloud Service</strong>, while the <strong>Data Plane</strong> can be fully kept and managed <strong>within your own VPC / Network</strong>.</p><p>This means you can manage your authorization layer with Permit <strong>without the need to expose any of your data to the cloud</strong>. Some of the benefits of this architecture are:</p><ul><li><p>No sensitive data leaves your network/cloud, ensuring your app’s security and compliance.</p></li><li><p>Authorization decisions are made on your side with zero latency.</p></li><li><p>You are not dependent on Permit’s availability to make authorization decisions.</p></li></ul><p>Two main components enable this hybrid architecture - <strong>OPAL</strong>, and the <strong>Permit PDP</strong>:</p><p><img loading="lazy" alt="Connectivity Map Diagram" src="/assets/images/connectivity-4f9ace81574257119dd6907bd2f733d0.png" width="6714" height="3774" class="img_ev3q"></p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="opal">OPAL<a href="#opal" class="hash-link" aria-label="Direct link to OPAL" title="Direct link to OPAL">​</a></h2><p><a href="https://github.com/permitio/opal" target="_blank" rel="noopener noreferrer">Open Policy Administration Layer (OPAL)</a> is an open-source project developed and maintained by the Permit.io team. It serves as an administration layer for Policy Engines detecting changes to both policy and policy data in real-time and pushing live updates to your agents.</p><p>OPAL consists of two elements - The <strong>OPAL Server</strong> and the <strong>OPAL Client</strong></p><p>The <strong>OPAL Server</strong> is hosted as part of Permit’s Could Service. It Creates a Pub/Sub channel for OPAL clients to subscribe to, tracks a Git repository (via webhook/polling) for policy updates, and pushes those updates to clients (as diffs - only updating changes, not the entire thing).</p><p>The <strong>OPAL Client</strong> is deployed as part of the PDP -</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="the-policy-decision-point-pdp">The Policy Decision Point (PDP)<a href="#the-policy-decision-point-pdp" class="hash-link" aria-label="Direct link to The Policy Decision Point (PDP)" title="Direct link to The Policy Decision Point (PDP)">​</a></h2><p>A PDP is a network node responsible for answering authorization queries using policies and contextual data. The PDP provided to you by Permit acts as your microservice for authorization and is deployed beside your own services.</p><p>Permit’s PDP consists of a <strong>Policy Engine</strong> and the <strong>OPAL Client</strong>:</p><ul><li><p><strong>The Policy Engine</strong> is in charge of evaluating authorization queries, using the policy rules as a source of truth. Authorization policies are written in Policy Languages (such as Rego or Cedar), which the policy engine interprets, providing a decision to any authorization query it is presented with.</p><p>Permit is <a href="/integrations/policy-engines/overview">policy engine agnostic</a>, currently supporting <a href="https://github.com/open-policy-agent/opa" target="_blank" rel="noopener noreferrer">Open Policy Agent</a> and <a href="https://github.com/cedar-policy" target="_blank" rel="noopener noreferrer">AWS’ Cedar</a>, (With support for more policy engines coming soon), allowing you to choose the one most suitable for your needs.</p></li><li><p><strong>The OPAL Client</strong> is deployed alongside the policy agent and keeps it up to date with the latest policy and data. It does so by subscribing to topic-based Pub/Sub updates for both data and policy. Policy and data are fetched from the <strong>OPAL Server</strong> (Hosted in Permit’s Clout Service) and any other relevant sources (e.g., DBs, APIs, 3rd party services).</p></li></ul><p>The combination of <strong>Permit’s Cloud Service</strong>, <strong>OPAL</strong>, and the <strong>PDP</strong> allows you to manage changes to your authorization layer via Permit (using the UI/API), and have these changes propagated instantly into your application - all without your data ever having to leave your network/cloud.</p><p>For more information, check out the <a href="/concepts/pdp/overview">PDP Documentation</a>.</p></div></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/how-to/ownership"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Modeling Ownership</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/concepts/multitenancy"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">Multitenancy</div></a></nav></div></div><div class="col col--3"><div class="toc-wrapper"><h2>Contents</h2><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#decoupling-policy-and-code" class="table-of-contents__link toc-highlight">Decoupling policy and code</a></li><li><a href="#permits-hybrid-architecture" class="table-of-contents__link toc-highlight">Permit’s Hybrid Architecture</a></li><li><a href="#opal" class="table-of-contents__link toc-highlight">OPAL</a></li><li><a href="#the-policy-decision-point-pdp" class="table-of-contents__link toc-highlight">The Policy Decision Point (PDP)</a></li></ul></div></div></div></div></div></main></div></div></div> <script src="/assets/js/runtime~main.d64cc98d.js"></script> <script src="/assets/js/main.1e418128.js"></script> <script> function getCookie(name) { var nameEQ = name + "="; var ca = document.cookie.split(';'); for(var i=0;i < ca.length;i++) { var c = ca[i]; while (c.charAt(0)==' ') c = c.substring(1,c.length); if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length); } return null; } var cookie = getCookie('_lr_id'); if (cookie && window.LogRocket){ lr_id = JSON.parse(atob(decodeURIComponent(escape(cookie)))); window.LogRocket.identify(lr_id.email, {name:lr_id.fullName, email:lr_id.email}); } </script></body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10