Skip to main content
Permify is an open-source authorization service that lets you implement fine-grained, scalable access control in minutes — not months. It runs as a standalone service your applications call at runtime to answer permission questions like “can user X view document Y?” in under 10ms.

Quickstart

Run Permify locally and make your first permission check in minutes.

Model Authorization

Define entities, relations, and permissions using the Permify Schema DSL.

API Reference

Explore every REST and gRPC endpoint with request/response examples.

Use Cases

See how to implement RBAC, ReBAC, ABAC, and multi-tenancy patterns.

What is Permify?

Permify is a centralized, externalized authorization system. Instead of scattering permission logic across your codebase, you model it once in Permify’s schema language and then query a single API at runtime. It supports the three major access control paradigms:
  • RBAC — assign roles to users and attach permissions to roles
  • ReBAC — derive permissions from relationships between entities (e.g., “user is a member of this org, which owns this resource”)
  • ABAC — evaluate attributes on entities or the request context (e.g., “resource is public”, “request originates from this IP range”)
These can be combined in a single schema, giving you full flexibility for any authorization pattern.

How it works

1

Model your authorization schema

Write a Permify Schema that defines your entities (users, documents, organizations), their relationships, and permission rules.
entity user {}

entity document {
  relation owner @user
  relation viewer @user

  permission view = viewer or owner
  permission edit = owner
}
2

Sync relationship data

Write relationship tuples and attribute values to Permify as they change in your application — for example, when a user is added to a team or a document is shared.
POST /v1/tenants/{tenant_id}/relationships/write
{
  "tuples": [
    {
      "entity": { "type": "document", "id": "doc:1" },
      "relation": "viewer",
      "subject": { "type": "user", "id": "user:alice" }
    }
  ]
}
3

Check permissions at runtime

Call the Check API from any service to enforce access control. Permify evaluates the full permission graph and returns an allow/deny decision in milliseconds.
POST /v1/tenants/{tenant_id}/permissions/check
{
  "entity": { "type": "document", "id": "doc:1" },
  "permission": "view",
  "subject": { "type": "user", "id": "user:alice" }
}

Key capabilities

Permission Check API

Sub-10ms access decisions with a proven Zanzibar-inspired evaluation engine.

Multi-tenancy

Isolated authorization logic and data per tenant with a single deployment.

Snap Tokens

Consistent reads that prevent permission bypass via replication lag.

Contextual Tuples

Pass temporary relationships at check time without persisting them.

Bundles

Atomic writes across relationships and attributes in a single operation.

Watch API

Stream permission change events in real time for audit and cache invalidation.

Self-hosted vs. cloud

Permify is fully open source (AGPL-3.0). You can run it yourself with Docker or Kubernetes, or use Permify Cloud for a fully managed experience with high availability, backups, and enterprise support.

Deploy with Docker

Get Permify running on your infrastructure in minutes.

Deploy on Kubernetes

Production-grade deployment with Helm charts and scaling guidance.

Build docs developers (and LLMs) love

Get started for freeTalk to us