Permit.io is the authorization-as-a-service platform that handles RBAC, ABAC, and ReBAC so you do not have to build it from scratch.
What Is Permit.io?
Permit.io provides a complete authorization layer for your app. Instead of writing complex if/else chains for permissions, you define policies in a UI and check them via API.
Quick Start
npm install permitio
import { Permit } from 'permitio'
const permit = new Permit({
token: process.env.PERMIT_API_KEY,
pdp: 'https://cloudpdp.api.permit.io',
})
// Check permission
const allowed = await permit.check('user-123', 'read', 'document')
if (allowed) {
// User can read the document
} else {
return res.status(403).json({ error: 'Forbidden' })
}
Define Roles and Resources
export PERMIT_TOKEN="your-api-key"
# Create a resource
curl -s -X POST 'https://api.permit.io/v2/schema/default/default/resources' \
-H "Authorization: Bearer $PERMIT_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"key": "document",
"name": "Document",
"actions": {
"read": {},
"write": {},
"delete": {}
}
}'
# Create a role
curl -s -X POST 'https://api.permit.io/v2/schema/default/default/roles' \
-H "Authorization: Bearer $PERMIT_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"key": "editor",
"name": "Editor",
"permissions": ["document:read", "document:write"]
}'
# Assign role to user
curl -s -X POST 'https://api.permit.io/v2/facts/default/default/role_assignments' \
-H "Authorization: Bearer $PERMIT_TOKEN" \
-H 'Content-Type: application/json' \
-d '{"user": "user-123", "role": "editor", "tenant": "default"}'
Authorization Models
RBAC (Role-Based)
Admin → can do everything
Editor → can read + write
Viewer → can read only
ABAC (Attribute-Based)
User can edit document IF:
- user.department == document.department
- document.status != "published"
- current_time is within business_hours
ReBAC (Relationship-Based)
User can read document IF:
- user is owner of document
- user is member of document's org
- document is public
Express.js Middleware
import express from 'express'
import { Permit } from 'permitio'
const app = express()
const permit = new Permit({ token: process.env.PERMIT_API_KEY })
const authorize = (action: string, resource: string) => {
return async (req, res, next) => {
const allowed = await permit.check(req.user.id, action, resource)
if (!allowed) return res.status(403).json({ error: 'Forbidden' })
next()
}
}
app.get('/documents', authorize('read', 'document'), async (req, res) => {
const docs = await db.documents.findMany()
res.json(docs)
})
app.delete('/documents/:id', authorize('delete', 'document'), async (req, res) => {
await db.documents.delete({ where: { id: req.params.id } })
res.json({ ok: true })
})
Free Tier
| Feature | Free | Growth |
|---|---|---|
| MAU | 1,000 | 10,000 |
| Tenants | 5 | 100 |
| RBAC | Yes | Yes |
| ABAC | Yes | Yes |
| ReBAC | Yes | Yes |
| Audit log | 7 days | 30 days |
Building a multi-tenant scraping platform? Scrapfly handles web scraping with built-in access control. Email spinov001@gmail.com for custom solutions.
Top comments (0)