Skip to main content
Tauri’s capability system controls which IPC commands your frontend can invoke. tauri-plugin-configurate follows that system with one permission per command. You can grant the full default set in a single line, or pick individual permissions to restrict access to only the operations your app needs.

The configurate:default permission set

Adding "configurate:default" to your capability file grants all standard permissions at once. This is the recommended starting point for most apps.
src-tauri/capabilities/default.json
{
  "permissions": ["configurate:default"]
}
configurate:default expands to the following 16 individual permissions:
PermissionOperation
configurate:allow-createCreate a new config file
configurate:allow-loadRead a config file from storage
configurate:allow-saveOverwrite a config file completely
configurate:allow-patchDeep-merge a partial update into an existing config
configurate:allow-deleteDelete a config file and wipe associated keyring entries
configurate:allow-existsCheck whether a config file exists
configurate:allow-load-allBatch-load multiple configs in a single IPC call
configurate:allow-save-allBatch-save multiple configs in a single IPC call
configurate:allow-patch-allBatch-patch multiple configs in a single IPC call
configurate:allow-unlockFetch keyring secrets inline during a load operation
configurate:allow-watch-fileRegister a filesystem watcher for external changes
configurate:allow-unwatch-fileRemove a filesystem watcher
configurate:allow-list-configsList config file names in the storage directory
configurate:allow-resetDelete and re-create a config with new default data
configurate:allow-export-configSerialize config data to a JSON, YAML, or TOML string
configurate:allow-import-configReplace config data by parsing a JSON, YAML, or TOML string

Individual permissions

Every command has a matching allow-* permission that enables it and a deny-* permission that blocks it. Use individual permissions when you want to restrict access to a subset of operations.
IdentifierEffect
configurate:allow-createEnables the create command
configurate:deny-createDenies the create command
configurate:allow-loadEnables the load command
configurate:deny-loadDenies the load command
configurate:allow-saveEnables the save command
configurate:deny-saveDenies the save command
configurate:allow-patchEnables the patch command
configurate:deny-patchDenies the patch command
configurate:allow-deleteEnables the delete command
configurate:deny-deleteDenies the delete command
configurate:allow-existsEnables the exists command
configurate:deny-existsDenies the exists command
configurate:allow-load-allEnables the load_all command
configurate:deny-load-allDenies the load_all command
configurate:allow-save-allEnables the save_all command
configurate:deny-save-allDenies the save_all command
configurate:allow-patch-allEnables the patch_all command
configurate:deny-patch-allDenies the patch_all command
configurate:allow-unlockEnables the unlock command
configurate:deny-unlockDenies the unlock command
configurate:allow-watch-fileEnables the watch_file command
configurate:deny-watch-fileDenies the watch_file command
configurate:allow-unwatch-fileEnables the unwatch_file command
configurate:deny-unwatch-fileDenies the unwatch_file command
configurate:allow-list-configsEnables the list_configs command
configurate:deny-list-configsDenies the list_configs command
configurate:allow-resetEnables the reset command
configurate:deny-resetDenies the reset command
configurate:allow-export-configEnables the export_config command
configurate:deny-export-configDenies the export_config command
configurate:allow-import-configEnables the import_config command
configurate:deny-import-configDenies the import_config command

Adding permissions to a capability file

Open your capability file (typically src-tauri/capabilities/default.json) and add permissions to the "permissions" array. Grant everything (recommended for most apps):
src-tauri/capabilities/default.json
{
  "permissions": ["configurate:default"]
}
Grant only the operations you need:
src-tauri/capabilities/default.json
{
  "permissions": [
    "configurate:allow-create",
    "configurate:allow-load",
    "configurate:allow-save",
    "configurate:allow-patch",
    "configurate:allow-exists"
  ]
}
Grant the default set and then deny a specific command:
src-tauri/capabilities/default.json
{
  "permissions": [
    "configurate:default",
    "configurate:deny-delete"
  ]
}
deny-* permissions take precedence over allow-* permissions. If both are listed for the same command, the command is denied.

Keyring permissions

The configurate:allow-unlock permission is required whenever your schema includes keyring() fields and you call .unlock(keyringOpts) or .load().unlock(keyringOpts). Without it, inline keyring decryption during a load will fail.
If you use keyring() fields in your schema, make sure configurate:allow-unlock is included in your capability file. It is part of configurate:default, so granting the default set covers this automatically.
The delete command also interacts with the keyring: when you call config.delete(keyringOpts), the plugin wipes all keyring entries associated with the config. This requires configurate:allow-delete.

Build docs developers (and LLMs) love

Get started for freeTalk to us