Skip to main content
Like any other piece of software, authorization starts small. But as your product grows, scaling it becomes a real pain and begins to hinder product development. Ad-hoc authorization systems scattered throughout your app’s codebase are hard to manage, reason about, and iterate on as the company grows. Traditional approaches like RBAC quickly become insufficient for defining granular permissions such as resource-specific, hierarchical, or context-aware access controls. Architecture compounds the problem — no matter how you’ve structured your services, you need a solid plan to handle permissions between them while keeping that logic separate from your application code. Permify is a centralized authorization service that offers a variety of binding and crafting options to secure your applications. It works at runtime and responds to all authorization questions from any of your apps. Permify as a centralized authorization service

Why in-app authorization doesn’t scale

In a monolithic app, you can abstract authorization using authorization libraries — building a permission system for each application or service that connects directly to the database. This works well until you have several applications or many services. Managing multiple authorization systems for each application is not a scalable approach. Most companies eventually design these systems as abstract entities: a centralized engine that caters to apps with many services. But building that engine yourself is hard.

Stateless engines need data

Centralized authorization engines are stateless — they don’t store data. Every access check requires loading authorization data and relations from the database, which creates significant performance and scalability overhead.

High availability is required

The authorization service will be accessed by nearly every other service in your stack. It must be at least as available as the rest of your infrastructure — fast, consistent, and available at all times.

Policy management is its own service

You need an additional service to store your authorization data model, including roles, attributes, and relationships. This service must manage all authorization policies and give administrators the flexibility to update them.

Refactoring is risky

Authorization systems sit at the heart of your product. Refactoring them is difficult, and changes risk breaking access control across every service that depends on them.

What authorization as a service provides

Authorization as a service abstracts your authorization logic from your codebase and application logic, allowing you to more easily reason, test, and debug your authorization in a scalable, secure, and extendable way. Permify centrally positions itself in your environment as a service consisting of two parts:
  • A Permission Database to store your policies and related authorization data in a structured way.
  • A Policy Decision Point (PDP) to evaluate authorization queries — such as access checks — according to that data.

Core concepts

Entities

Entities are the objects in your system that you want to control access to. In Permify’s authorization language, you define entities and the relations and permissions that apply to them. 
entity user {}

entity organization {
    relation admin @user
    relation member @user
}

entity repository {
    relation parent @organization
    relation owner  @user

    permission edit   = parent.admin or owner
    permission delete = owner
}

Relations and permissions

Relations describe how subjects (users or other entities) relate to a resource — for example, owner, admin, or member. Permissions are derived from those relations and can compose multiple relations using logical expressions. Permify’s authorization language is compatible with RBAC, ReBAC, and ABAC, so you can model virtually any access control pattern.

Relational tuples

Authorization data is stored as relational tuples — structured records that bind a subject to a relation on a specific resource. The basic tuple format is: 
entity # relation @ subject
For example, to make user:1 an admin in organization:1: 
organization:1#admin@user:1
To associate repository:1 as belonging to organization:1: 
repository:1#parent@organization:1
Permify evaluates access checks by traversing these tuples at runtime according to your schema.
Permify is inspired by Google Zanzibar, Google’s consistent, global authorization system used for hundreds of its services including YouTube, Drive, Calendar, Cloud, and Maps.

Benefits of using Permify

Move and iterate faster

Avoid the hassle of building a new authorization system from scratch. Save time and money by leveraging existing, battle-tested code developed by a dedicated team. You can get started quickly with a simple API that integrates directly into your application.

Scale as you wish

Permify applies the proven techniques Google used in Zanzibar. The Zanzibar system achieved more than 95% of access checks responded to in 10 milliseconds and maintained more than 99.999% availability over a 3-year period.
Permify can achieve response times of up to 10ms for access control checks, handling up to 1 million access requests per second, thanks to its parallel graph engine and cache mechanisms.

Gain visibility across teams

Enterprise-grade authorization requires robust, fine-grained permissions and the ability to observe and manage them as a group. Code-level authorization logic and distributed authorization data across multiple services make it harder to change permissions and keep them current. Permify is designed to abstract authorization logic from your code and make authorization accessible to everyone in your organization — including non-technical team members.

Be extendable, at any time

Products change rapidly as user requirements evolve. Permify has an extendable authorization language that allows you to update your current authorization model easily, securely, and without affecting production. Once tested and ready, you can switch to a new version of your model without breaking existing access control.

Audit your authorization and ensure security

Protect your data, prevent unauthorized access, and ensure your customers’ security. Permify supports fraud detection, real-time transaction monitoring, and risk assessment through functions accessible via single API calls.

How Permify works

1

Model your authorization

Define your entities, relations, and permissions using Permify Schema — a domain-specific language compatible with RBAC, ReBAC, and ABAC patterns.
2

Store authorization data

Write relational tuples to Permify’s permission database. These tuples represent the real-world relationships in your system (who owns what, who belongs to which organization, etc.).
3

Perform access checks

Call the Permify API from anywhere in your stack to answer authorization questions in real time. Permify evaluates the request against your schema and stored data and returns a decision.

Need help with authorization?

Our team is happy to help you get started with Permify. If you’d like to learn more about using Permify or how it might fit into your authorization workflow, schedule a consultation call with one of our account executives.

Build docs developers (and LLMs) love

Get started for freeTalk to us