- REST — available on port 3476
- gRPC — available on port 3478 (see the Buf Schema Registry)
Base URL
All REST endpoints follow this pattern:t1.
Authentication
Permify supports two authentication methods:
- OpenID Connect — validate JWTs issued by any OIDC provider
- Pre-Shared Keys — static bearer tokens for service-to-service calls
Bearer token in the Authorization header.
Services
Permission
Check access, look up entities and subjects, and expand permission trees.
Schema
Write, read, and list authorization schema versions.
Data
Write and read relationship tuples and attributes, and delete authorization data.
Tenancy
Create, list, and delete tenants for multi-tenant deployments.
Bundle
Define and execute reusable data bundles tied to application events.
Watch
Stream real-time change events from the authorization data store.
Core Workflow
- Model — write your authorization schema with Write Schema
- Sync — write relationship tuples and attributes with Write Data
- Check — evaluate access with Check API
- Query — find all authorized entities with Lookup Entity or all authorized subjects with Lookup Subject
- Audit — expand permission trees with Expand API
- Clean — remove stale data with Delete Data
- Watch — react to changes in real time with Watch API
Snap Tokens
Write operations return a snap_token. Pass this token in subsequent read or check requests via the metadata.snap_token field to ensure you read your own writes and avoid stale cache responses.
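The following is an added example, not code from the Permify docs or SDKs: a client-side session that carries the snap_token from a write response into later check requests, tracked per tenant. The transport callable, operation labels, request bodies and token values are constructed for illustration; only the snap_token response field and the metadata.snap_token request field come from the text above.

```python
from typing import Callable, Dict, Optional

# Hypothetical transport: (operation label, tenant id, request body) -> response body.
Transport = Callable[[str, str, dict], dict]

class SnapTokenSession:
    """Remembers the latest snap_token per tenant and attaches it to checks."""

    def __init__(self, transport: Transport):
        self._send = transport
        self._tokens: Dict[str, str] = {}  # tenant id -> latest snap_token

    def write_data(self, tenant: str, body: dict) -> str:
        resp = self._send("write_data", tenant, body)
        token = resp.get("snap_token")
        if not token:
            # Fail closed: without a token, later checks cannot be pinned to this write.
            raise RuntimeError("write response carried no snap_token")
        self._tokens[tenant] = token
        return token

    def check(self, tenant: str, body: dict, snap_token: Optional[str] = None) -> dict:
        token = snap_token or self._tokens.get(tenant)
        request = dict(body)                         # do not mutate the caller's body
        metadata = dict(request.get("metadata", {}))
        if token:
            metadata["snap_token"] = token
        request["metadata"] = metadata
        return self._send("check", tenant, request)

def demo() -> list:
    """Run a constructed write-then-check sequence against a recording fake."""
    sent = []

    def fake_transport(op: str, tenant: str, body: dict) -> dict:
        sent.append((op, tenant, body))
        if op == "write_data":
            return {"snap_token": f"constructed-token-{len(sent)}"}
        return {}

    session = SnapTokenSession(fake_transport)
    check_body = {"entity": {"type": "document", "id": "1"}, "permission": "view",
                  "subject": {"type": "user", "id": "alice"}}
    session.check("t1", check_body)           # no write yet: no token attached
    session.write_data("t1", {"tuples": []})  # constructed body, e.g. a revocation
    session.check("t1", check_body)           # carries the token from the write
    session.check("t2", check_body)           # other tenant: token is not reused
    return sent
```

Keeping the token per tenant means a check in one tenant never carries a token issued for a write in another.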
Rate Limits
The default rate limit is 100 requests per second, enforced with a Token Bucket algorithm. This can be adjusted in your configuration file.
Latency
With the recommended architecture, Permify targets 7–12 ms p99 latency. Under high load with caching enabled, expect up to 30 ms. See Cache Mechanisms for tuning guidance.
SDKs
Service Mesh Compatibility — Permify communicates over standard gRPC and HTTP, making it compatible with service meshes such as Istio. You will need to configure traffic management rules manually within your mesh.