Hi, I can see that the check and bulk check response are ORing the evaluation from RBAC, ReBAC and ABAC evaluations. Is there a built in approach to AND the evaluations?

Hi, I am heading multiple products within my company. Wanted to see how permit can improve the reusabity and consistency in RBAC within our products. Also would like to understand about scalability, SLAs, compliances etc. Would be helpful to get commected with relevant folks from permit team. Thanks.

Hi Team, I was checking the docker images of permit/pdp-v2. Seems it has OS level vulnerabilities(using trivy) in its latest image(

permitio/pdp-v2:0.9.7

). Do we have some automation which fix it, or we need to fix from our end ?

This message was deleted.

Hi, I’m currently preparing performance and load tests for endpoints such as

/check

,

/bulk_check

,

/user-permissions

, and

/authorized-users

. I’d like to ask if you have conducted any internal performance or scalability tests for the PDP and related APIs — and if so, could you share any benchmark results or performance assumptions (e.g., expected throughput, latency, or concurrency levels)? I understand that the actual performance depends heavily on where the PDP is hosted (cloud vs. on-prem, region, hardware specs), but any reference numbers or best practices would be very helpful for setting up my own test plan.

Hi here I am again 🙂 I'm trying to model one of our use case with nested groups (final structure will have 4 levels, but for the example lets do it with first two company,location)

company#member

→

location#member

The plan for that is use group api. Firstly I have created groups for each group workspace: sea.live @project_id = default @env_id = user-management ### Create company group instance

curl -X POST "<https://api.permit.io/v2/schema/{{project_id}}/{{env_id}}/groups>" \

-H "Authorization: Bearer {{API_SECRET_KEY}}" \

-H "Content-Type: application/json" \

--data-raw '{

"group_resource_type_key": "company",

"group_instance_key": "clarksons",

"group_tenant": "default"

}'

### Create location group instance

curl -X POST "<https://api.permit.io/v2/schema/{{project_id}}/{{env_id}}/groups>" \

-H "Authorization: Bearer {{API_SECRET_KEY}}" \

-H "Content-Type: application/json" \

--data-raw '{

"group_resource_type_key": "location",

"group_instance_key": "london",

"group_tenant": "default"

}'

Next logical thing is assign group to group, so I have used endpoint ### company → location

curl -X PUT "<https://api.permit.io/v2/schema/{{project_id}}/{{env_id}}/groups/company:clarksons/assign_group>" \

-H "Authorization: Bearer {{API_SECRET_KEY}}" \

-H "Content-Type: application/json" \

--data-raw '{"group_instance_key": "london"}'

response is even I changed to --data-raw '{"group_instance_key": "location:london"}' it is not able to find.

HTTP/1.1 404 Not Found
Date: Fri, 24 Oct 2025 09:37:14 GMT
Content-Type: application/json
Content-Length: 676
Connection: close
server: uvicorn
x-content-type-options: nosniff
referrer-policy: no-referrer
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-request-id: 14661ae9ed184d7bb84c4bba63701abe
access-control-expose-headers: X-Request-ID

{
  "id": "14661ae9ed184d7bb84c4bba63701abe",
  "title": "We could not find the requested object/s",
  "error_code": "NOT_FOUND",
  "message": "The requested data could not be found, we could not find 'resourceinstance' with the given filters: env_id='aced0086-602a-49a6-8fbe-0c5aebefeb3a', resource_instance_id='london', resource_id='6195f099-37e1-478e-a3c9-7fb16b1d1412'. Please try again with different filters.\nIf you are sure there is an object with the given filters, contact our support on Slack for further guidance.",
  "additional_info": {
    "filters": {
      "env_id": "aced0086-602a-49a6-8fbe-0c5aebefeb3a",
      "resource_instance_id": "london",
      "resource_id": "6195f099-37e1-478e-a3c9-7fb16b1d1412"
    }
  }
}

Group is there and resource instances I can see on the UI: ###

curl -X GET "<https://api.permit.io/v2/schema/{{project_id}}/{{env_id}}/groups>" \

-H "Authorization: Bearer {{API_SECRET_KEY}}"

HTTP/1.1 200 OK
Date: Fri, 24 Oct 2025 09:38:41 GMT
Content-Type: application/json
Content-Length: 603
Connection: close
server: uvicorn
x-content-type-options: nosniff
referrer-policy: no-referrer
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-request-id: 55fd8d5a29df460b912a1a0de8690393
access-control-expose-headers: X-Request-ID

[
  {
    "assigned_roles": [
      "location:london#member"
    ],
    "users": [],
    "group_resource_type_key": "location",
    "group_instance_key": "london",
    "group_tenant": "default"
  },
  {
    "assigned_roles": [
      "company:clarksons#member"
    ],
    "users": [],
    "group_resource_type_key": "company",
    "group_instance_key": "clarksons",
    "group_tenant": "default"
  }
]

@Ask Inkeep what I missed here ?

getting 401 on K8s health checks for PDP version 0.9.8 and 0.9.7

This message was deleted.

Hi! I am creating the webhook in permit.io, I need a help with that. Can anyone please help me with that

My flow is like. We have frontend, bff and microservice of auth service which has integrated permit.io. We have roles and permissions in permit.io. Now we will integrate the SSE for the events. Whenever we remove any permission from the permit.io the event need to be triggered and from that it need to go the frontend and it need to be reflected on that. For that I have to integrate the webhook because permit.io doesn't have a built in functionalities to create SSE instead of that in permit.io have a support to create webhook. But I don't know how to create and configure webhook for this use case. Eventough I am a workspace owner, I didn't see any options to configure webhook. Please help me with this.

@Ask Inkeep Is it possible to create a copy of a tenant? I want to duplicate a directory from one tenant to another,

I have a react based frontend how can use permit to add restriction on buttons as well and modify my UI do we have any sdk

can i create roles only for a specific tenant

Hi, I'm getting a

428 Precondition Required

error when calling permit.api.users.getAssignedRoles(). I could not find any mention of this error in Permit's docs, can I get some clarification about what this error means? Thanks!

Howdy! Having trouble setting up the PDP service on docker. INFO Fetching PDP config from control plane… ERROR Expecting value: line 1 column 1 (char 0) CRITICAL Sidecar failed to start … 'NoneType' object has no attribute 'context' This happens on each restart. Even with the correct "dev" PDP environment key, and rotating it a few times, curling https://api.permit.io/v1/pdps/me/config returns a 403 Forbidden. Could you verify the key’s scope or let us know if there’s an updated endpoint we should be hitting? Thanks!

is there a way to just create resources at the project level, rather than needing to recreate at the environment level each time?

corepack pnpm permit:bootstrap -- --env dev

minduo@0.1.0 permit:bootstrap /Users/alechandal/Repos/minduo

tsx scripts/permit/bootstrap-resources.ts -- --env dev

{"level":50,"time":"2025-11-03T172247.414Z","label":"permit-bootstrap","msg":"Got error status code: 500, err:{\"id\":\"30f50c095157412cb3370c9bb5656428\",\"title\":\"The request could not be completed\",\"error_code\":\"UNEXPECTED_ERROR\",\"message\":\"You did nothing wrong, but we could not finish your request due to a technical issue on our end. Please try again.\\nIf the issue keeps happening, contact our support.\"}"} Failed to bootstrap Permit resources PermitApiError: You did nothing wrong, but we could not finish your request due to a technical issue on our end. Please try again. If the issue keeps happening, contact our support for further guidance. at ResourcesApi2.handleApiError (...) at ResourcesApi2.replace (...) at async main (.../scripts/permit/bootstrap-resources.ts2525) { originalError: AxiosError: Request failed with status code 500 at settle (...) at IncomingMessage.handleStreamEnd (...) at process.processTicksAndRejections (...) at Axios.request (...) at async ResourcesApi2.replace (...) at async main (.../scripts/permit/bootstrap-resources.ts2525) { code: 'ERR_BAD_RESPONSE', config: { baseURL: 'http://localhost:7766/', method: 'put', data: '{"name":"Organization","actions":{"create":{},"invite":{},"deprovision":{}},"attributes":{"orgId":{"type":"string","description":"Primary key from Minduo database"}}}', url: 'https://api.permit.io/v2/schema/<project-id>/<env-id>/resources/organization', headers: { Accept: 'application/json, text/plain, */*', 'Content-Type': 'application/json', 'X-Permit-SDK-Version': 'node:0.1.0', Authorization: 'Bearer <REDACTED>', 'User-Agent': 'axios/1.13.1', 'Content-Length': 166, 'Accept-Encoding': 'gzip, compress, deflate, br', Host: 'api.permit.io', Connection: 'keep-alive' }, // remaining axios metadata omitted for brevity }, response: { status: 500, statusText: 'Internal Server Error', headers: { /* redacted */ }, data: { /* redacted */ } }, status: 500 } }

Hi, I'm wondering if the List Role Assignments local query changed recently: https://pdp-api.permit.io/redoc#tag/Local-Queries/operation/list_role_assignments_local_role_assignments_get Previously this would return a complete list of a user's permissions, but now the list is missing entries.

Am I able to set policies by role / resource using OpenAPI / yaml and then syncing via the CLI / SDK? Or do I need to use the UI?

Hey team — I recently started using Permit.io in our project as a web API access controller and have some feedback on the URL-mapping feature: 1. Localhost URLs aren’t accepted Addresses like

<http://localhost:8787>

aren’t allowed as URL inputs, which makes local testing difficult. 2. One (URL, method) → only one (resource, action) Each (url - method) can be mapped to only a single (resource-action). Some endpoints return information across multiple resources, so we need to map to multiple resource/action pairs. 3. Multi-tenancy support The provided example flow doesn’t seem to support a multi-tenant setup (no clear way to include tenantId).

fetch('<https://proxy.api.permit.io/proxy/xxxxxxxxxxxxxxxxxxxxxxxx?url=><PROXIED_URL>', {
  method: '<HTTP_METHOD>',
  headers: {
    'Authorization': 'Bearer <USER_JWT>'
  }
});

If I’m missing a configuration or workaround for any of the above, I’d appreciate pointers. Thanks!

Is permit.io callback can support GRPC?

hi. how do i delete a workspace? my github is associated with the wrong email for login. thanks

Hey team - I’m running into an issue while testing ownership access control with ABAC, using the pattern described in the link below: https://docs.permit.io/how-to/build-policies/abac/patterns#ownership-via-list-on-resource

{
  "__data_use_debugger": true,
  "__input_use_debugger": true,
  "allow": false,
  "allowing_sources": [],
  "debug": {
    "abac": {
      "allow": false,
      "code": "no_matching_rules",
      "matching_resourcesets": [
        "Draft_Blog",
        "User",
        "__autogen_Blog"
      ],
      "matching_usersets": [
        "Draft_Blog",
        "User",
        "__autogen_Blog"
      ],
      "reason": "user 'seiichi1101_user' does not match any rule that grants him the 'read' permission on the given resource of type 'Blog'",
      "support_link": "<https://docs.permit.io/errors/no_matching_rules>"
    },
    "rbac": {
      "allow": false,
      "code": "user_not_synced",
      "reason": "user 'seiichi1101_user' is not synced and therefore has no known role assignments",
      "support_link": "<https://docs.permit.io/errors/user_not_synced>"
    },
    "request": {
      "action": "read",
      "resource": {
        "attributes": {
          "is_paid": false,
          "is_published": false,
          "owner": "seiichi1101_user",
          "type": "Blog"
        },
        "type": "Blog"
      },
      "tenant": "default",
      "user": {
        "attributes": {
          "is_staff": false,
          "roles": [],
          "subscription_plan": "free",
          "tenants": []
        },
        "key": "seiichi1101_user",
        "synced": false
      }
    }
  },
  "debugger_activated": true
}

As you can see in the log and screenshot, access is denied even though I’ve set up the User Sets, Resource Sets, and policy assignments in the Policy Editor. It says

"user 'seiichi1101_user' does not match any rule that grants him the 'read' permission on the given resource of type 'Blog'",

. My expectation is that the user with

key: "seiichi1101_user"

should be allowed to access the resource set MyBlog, because its resource condition is configured as

"resource.owner" - "equals" - "user.key"

and the policy is assigned accordingly. Is there anything I’m missing here?

found a potential "bug" / typo in node sdk. I'm working with bulk unassign, def:

export interface RoleAssignmentRemove {
    /**
     * the role that will be unassigned (accepts either the role id or the role key)
     * @type {string}
     * @memberof RoleAssignmentRemove
     */
    role: string;
    /**
     * the tenant the role is associated with (accepts either the tenant id or the tenant key)
     * @type {string}
     * @memberof RoleAssignmentRemove
     */
    tenant?: string;
    /**
     * the resource instance the role is associated with (accepts either the resource instance id or key using this format resource_type:resource_instance)
     * @type {string}
     * @memberof RoleAssignmentRemove
     */
    resource_instance?: string;
    /**
     * the user the role will be unassigned from (accepts either the user id or the user key)
     * @type {string}
     * @memberof RoleAssignmentRemove
     */
    user: string;
}

but when I make the actual api call, its stating that

tenant

is NOT optional

also question regarding 'default' tenants. shouldn't leaving out tenant (for other api endpoints for examples) default to

default

tenant? i'm noticing that in some of my other apis, when I withold tenant,it doesn't append anything to the 'default' tenant only my other one created. Do I always have to enforce

default

tenant at all times if I only want one?

Hello, where can I find the link to billing for app.permit.io ?

Hi, I'm having an issue accessing the API docs since yesterday, have they moved? https://api.permit.io/v2/redoc Thanks

This message was deleted.

I have an attribute "ViewUsersOnly" (string array) in my resource and an attribute "company" (string) in users. I have a resource set that I created for my ABAC policy with a condition [resource.ViewUsersOnly] [array contains (ref)] [user.key] and it yields the resource when ViewUsersOnly contains the key of the user. But this resource set yields even after I changed the resource set to [resource.ViewUsersOnly] [array contains (ref)] [user.company]. Am I missing something?

I am experiencing slowness when calling endpoint https://api.permit.io/v2/facts/9aa8bcdc454049cd8c1459f6d1215b4f/f5b553a6ef6847779addd901fc44327b/relationship_tuples/bulk for bulk relationship tuple creation. projectId 9aa8bcdc454049cd8c1459f6d1215b4f and environmentId f5b553a6ef6847779addd901fc44327b. even with single operation it takes about 24 seconds. calling single without batch only takes milli seconds. could you please help me with thi.