# permit-saas
  • b

    Bradley Herrup

    09/22/2025, 4:50 PM
    Trying to set up GitOps with Permit and a repo in GitLab, I'm trying to https://docs.permit.io/integrations/gitops/github I tried to validate a repo, but it says it's in pending, and I can't find any APIs anywhere to tell me where to check for errors, etc.
  • m

    Maxim Baldinger

    09/23/2025, 7:01 AM
    Sorry, this is the correct channel
  • r

    Roberto Macaotela

    09/23/2025, 2:28 PM
    Hi, I'm deploying Permit PDP to GCP Cloud Run, and it is working fine. However, after reviewing metrics, I identified that new instances are being created even when the workload is low. I'm sharing graphs. Is there a way to optimize the number of Cloud Runs the PDP is creating?
  • y

    Yorrick Elzinga

    09/24/2025, 8:01 PM
    Hello, I am trying to get Permit Elements to work, but I can't get it to work, even when using the documentation.
  • g

    Girija shankar

    09/26/2025, 2:34 PM
    Hi, I am trying to update a user's role in a particular tenant, where I am removing and adding the role. But Permit is not updating the roles accordingly.
    Recording 2025-09-26 195901.mp4
  • y

    Yorrick Elzinga

    09/28/2025, 10:53 AM
    Hi, I have gotten the demo instructions (https://permit-demo-element.vercel.app/user-management) to work in my own app. But I can't manage to let my own Permit Elements work in my app. I had contact with Thomas before but we couldn't get it to work.
  • m

    Míla Votradovec

    10/02/2025, 5:46 PM
    I am trying to run
    permit env export terraform --api-key ****
    but I can't get it running against https://app.eu.permit.io. I guess it might be a problem even for
    permit login
    Any help @Ask Inkeep?
  • m

    Maxime Leduc

    10/02/2025, 11:06 PM
    In our app, a tenant represents a farm. Each farm has a subscription level (e.g., Basic / Advanced) that determines available features, and permissions also depend on the user’s role. Within each farm, there can be multiple herds. Each herd has:
    1. Its own subscription level (which may differ from the farm’s subscription)
    2. A species type (e.g., dairy, beef, sheep, etc.), which can unlock features specific to that species
    The features available to a user should depend on four factors:
    • The user’s role
    • The farm (tenant) context
    • The currently selected herd’s subscription level
    • The herd’s species type
    How can we best model this scenario in Permit.io so that permissions and feature access are evaluated dynamically based on role, farm, selected herd, herd subscription, and herd species?
  • t

    Taha ÇEKEN

    10/03/2025, 8:04 AM
    I’m having an issue with URL mapping. Currently, I have a URL map configuration, and when I try to add another configuration and URL mapping, I get the following 422 error:
    {
      "detail": [
        {
          "loc": [
            "body",
            "mapping_rules",
            0,
            "should_delete"
          ],
          "msg": "extra fields not permitted",
          "type": "value_error.extra"
        }
      ],
      "body": {
        "name": "internal-endpoints",
        "key": "internal-endpoints",
        "secret": "FeatureIsntUsedInUrlMappingFearture - see PER 12646",
        "auth_mechanism": "Bearer",
        "mapping_rules": [
          {
            "url": "https://api.abex.com.tr/test/internal/{lang}/addresses/states",
            "url_type": null,
            "http_method": "get",
            "resource": "bkg_invoice",
            "action": "read",
            "should_delete": false
          }
        ]
      }
    }
  • m

    Michał Wójcik

    10/03/2025, 12:08 PM
    Hi, I would like to update a user in the directory using the PUT method. How can I specify the resource role assignment? When I tried 'Top Level Role' such as 'Admin', it worked, but 'Application#Trade' is not working for me.
    curl -X PUT "https://api.permit.io/v2/facts/default/dev/users/Test@Test.com" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer xxx" \
      -d '{
        "key": "Test@Test.com",
        "email": "Test@Test.com",
        "first_name": "Jane",
        "last_name": "Doe",
        "attributes": {
          "department": "marketing",
          "age": 30,
          "subscription": {}
        },
        "role_assignments": [
          {
            "role": "application#Trade",
            "tenant": "default"
          }
        ]
      }'
    response
    {
      "id": "4826aa77c24042a4bd4ca460ff37ddd7",
      "title": "We could not find the requested object/s",
      "error_code": "NOT_FOUND",
      "message": "The requested data could not be found, we could not find 'Role' with the given filters: id='application#Trade'. Please try again with different filters.\nIf you are sure there is an object with the given filters, contact our support on Slack for further guidance.",
      "additional_info": {
        "filters": {
          "id": "application#Trade"
        }
      }
    }
    Role exists in the project.
  • m

    Míla Votradovec

    10/06/2025, 3:42 PM
    @Ask Inkeep Can I somehow see if permitio/pdp-v2 container is healthy?
  • t

    Taha ÇEKEN

    10/07/2025, 6:35 AM
    URL Mapping not matching deeper nested routes under dashboards
    I have a URL mapping configuration in Permit.io for:
    https://api.abex.com.tr/test/api/test/booking/{lang}/dashboards/*
    I expect this mapping to include routes like:
    https://api.abex.com.tr/test/api/test/booking/tr/dashboards/operational/bookings-used?first_period_start=2025-08-01&first_period_end=2025-08-31&last_period_start=2025-09-01&last_period_end=2025-09-30
    https://api.abex.com.tr/test/api/test/booking/tr/dashboards/operational/bookings-canceled?first_period_start=2025-08-01&first_period_end=2025-08-31&last_period_start=2025-09-01&last_period_end=2025-09-30
    However, these endpoints are not being matched by the mapping. I have also tried the following patterns, but neither worked:
    https://api.abex.com.tr/test/api/test/booking/{lang}/dashboards/.*$
    https://api.abex.com.tr/test/api/test/booking/{lang}/dashboards/**
    I want the mapping to include all sub-routes and query parameters under dashboards. Could you please confirm the correct pattern format for this case, or check if there is any issue on the Permit.io side with recursive route matching?
  • m

    Michał Wójcik

    10/07/2025, 9:50 AM
    Hi Permit.io Team, I’d like to ask for your recommendation on how to best handle field-level or field-group-level authorization in Permit.io. Specifically, how would you model something like this hierarchy:
    • Car → has an Engine
    • Engine → has multiple Parts (each part may have different permissions)
    I saw that Oso has a concept of field-level authorization (docs link), and I’m wondering what’s the recommended approach in Permit.io for a similar use case. Would you suggest:
    1. Creating a separate resource_type for each level (e.g., car, engine, engine_part),
    2. Or using some other pattern (like nested attributes, resource instances, or metadata-based policies)?
    My main concern is scalability — if each car has many parts, then modeling each part as a separate resource type could lead to a very large and complex model. How would you recommend approaching this problem in Permit.io?
  • m

    Maxim Baldinger

    10/11/2025, 11:59 AM
    Hi guys, we are trying out modelling an ABAC policy involving role attributes. However, that doesn't seem to work. When starting the PDP locally, it's also complaining a little bit about the attribute. ABAC policies with other user or tenant attributes work just fine. Am I missing something? Thanks for your help 🙏 🙂
  • n

    Navanath Jadhav

    10/13/2025, 8:58 AM
    Hello, my dashboard says Pro plan limit exceeded, but I have everything under the Pro plan limit. Sometimes my permit.check() calls are also failing. Please guide me on what's going wrong, or what I'm missing. Thanks.
  • m

    Maxim Baldinger

    10/13/2025, 2:03 PM
    Hello Permit team 🙂 I just wanted to double check: Under Settings I can define user attributes of type object, which is great, because we have the need for nested attributes. However, if I test a resource set using this attribute, it doesn't seem to work. Can you please confirm, that it should work? My example:
    • Define foo user attribute and set it for a user to:
    "foo": {
        "A": 3,
        "B": 6
    }
    • Create a resource set using the condition: resource.foo less-than (ref) user.foo.A
    • Testing it with the resource attribute "foo": 4 returns true, even though it's greater than the value of foo.A (3).
    As always, thanks for your help in advance 🙏 🙂
  • m

    Michał Wójcik

    10/15/2025, 10:00 AM
    Hi, I have a question about the API. I found an inconsistency. The Check endpoint takes into account all RBAC, ABAC, and ReBAC rules, which is fine, but when I want to use user permission, I only get results that are defined in ReBAC. The endpoint does not return resources that are allowed by the ABAC rule.
    ###
    curl -X POST "http://localhost:7766/allowed" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer {{api_key}}" \
      -d '{
        "user": { "key": "grzegorz@sea.com" },
        "action": "distribute",
        "resource": {
          "type": "market_order",
          "key": "anton03",
          "tenant": "default"
        },
        "context": {}
      }'
    
    response:
    HTTP/1.1 200 OK
    content-type: application/json
    content-length: 823
    connection: close
    date: Wed, 15 Oct 2025 09:58:30 GMT
    
    {
      "allow": true,
      "debug": {
        "abac": {
          "allow": true,
          "allowing_rules": [
            {
              "resourceset": "resourceset_Large_5fquantity",
              "userset": "userset_Seacom_5fUsers"
            }
          ],
          "code": "allow",
          "reason": "user 'grzegorz@sea.com' matched 'userset_Seacom_5fUsers' userset conditions, the given resource matched the 'resourceset_Large_5fquantity' resourceset conditions, users matching 'userset_Seacom_5fUsers' userset conditions has the 'distribute' permission on resources of type 'market_order' matching 'resourceset_Large_5fquantity' resourceset conditions"
        },
        "request": {
          "action": "distribute",
          "resource": {
            "attributes": {
              "Quantity": 100000,
              "type": "market_order"
            },
            "type": "market_order"
          },
          "tenant": "default",
          "user": {
            "attributes": {
              "email": "grzegorz@sea.com",
              "key": "grzegorz@sea.com",
              "roles": [],
              "tenants": []
            },
            "key": "grzegorz@sea.com",
            "synced": true
          }
        }
      },
      "result": false
    }
    GetPermission:
    ###
    curl --location 'http://localhost:7766/user-permissions' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer {{api_key}}' \
    --data '{
      "user": {
        "key": "grzegorz@sea.com"
      },
      "tenants": [
        "default"
      ]
    }'
    
    HTTP/1.1 200 OK
    content-type: application/json
    cache-control: private, max-age=3600
    expires: Wed, 15 Oct 2025 10:58:53 +0000
    content-length: 138
    connection: close
    date: Wed, 15 Oct 2025 09:58:53 GMT
    
    {
      "company:sea": {
        "tenant": {
          "key": "default"
        },
        "resource": {
          "key": "sea",
          "type": "company",
          "attributes": {}
        },
        "permissions": [],
        "roles": [
          "member"
        ]
      }
    }
    Looking at the Check results based on the ABAC policy, it should return me market_order:anton03
    workspace: sea.live
    project: dev
    env: default
    pdp version: the latest
  • c

    Christie Molloy

    10/15/2025, 12:05 PM
    Hey, I'm having issues with the PATCH /envs/<env-id> endpoint. When I make a request to update the custom-branch-name, I get a successful response but the value doesn't update.
    curl 'https://api.permit.io/v2/projects/<proj-id>/envs/dev' -X 'PATCH' \
    -H 'authorization: Bearer <my-key>' \
    --data-raw '{"custom_branch_name": "development"}'
  • j

    Jack Muller

    10/15/2025, 1:26 PM
    Hello, we'll be rolling out our first paid customer facing product over the next few months and I'd like to talk with someone about pricing for an early stage startup. Thanks!
  • p

    Pratham Khodwe

    10/16/2025, 9:56 AM
    How can I use RBAC on my API developer keys?
  • s

    Shyamalan Chemmery

    10/16/2025, 12:09 PM
    Hi, I can see that the check and bulk check response are ORing the evaluation from RBAC, ReBAC and ABAC evaluations. Is there a built in approach to AND the evaluations?
  • k

    Karanbir Singh

    10/18/2025, 8:16 PM
    Hi, I am heading multiple products within my company. Wanted to see how Permit can improve the reusability and consistency in RBAC within our products. Also would like to understand about scalability, SLAs, compliance etc. Would be helpful to get connected with relevant folks from the Permit team. Thanks.
  • a

    Ambarish Singh

    10/21/2025, 10:55 AM
    Hi Team, I was checking the docker images of permit/pdp-v2. Seems it has OS level vulnerabilities (using trivy) in its latest image (permitio/pdp-v2:0.9.7). Do we have some automation which fixes it, or do we need to fix it from our end?
  • s

    Slackbot

    10/21/2025, 11:43 AM
    This message was deleted.
  • m

    Michał Wójcik

    10/21/2025, 11:48 AM
    Hi, I’m currently preparing performance and load tests for endpoints such as /check, /bulk_check, /user-permissions, and /authorized-users. I’d like to ask if you have conducted any internal performance or scalability tests for the PDP and related APIs — and if so, could you share any benchmark results or performance assumptions (e.g., expected throughput, latency, or concurrency levels)? I understand that the actual performance depends heavily on where the PDP is hosted (cloud vs. on-prem, region, hardware specs), but any reference numbers or best practices would be very helpful for setting up my own test plan.
  • m

    Michał Wójcik

    10/24/2025, 9:41 AM
    Hi, here I am again 🙂 I'm trying to model one of our use cases with nested groups (final structure will have 4 levels, but for the example let's do it with the first two: company, location)
    company#member → location#member
    The plan for that is to use the group API. Firstly I have created groups for each group
    workspace: sea.live
    @project_id = default
    @env_id = user-management
    ### Create company group instance
    curl -X POST "https://api.permit.io/v2/schema/{{project_id}}/{{env_id}}/groups" \
    -H "Authorization: Bearer {{API_SECRET_KEY}}" \
    -H "Content-Type: application/json" \
    --data-raw '{
    "group_resource_type_key": "company",
    "group_instance_key": "clarksons",
    "group_tenant": "default"
    }'
    ### Create location group instance
    curl -X POST "https://api.permit.io/v2/schema/{{project_id}}/{{env_id}}/groups" \
    -H "Authorization: Bearer {{API_SECRET_KEY}}" \
    -H "Content-Type: application/json" \
    --data-raw '{
    "group_resource_type_key": "location",
    "group_instance_key": "london",
    "group_tenant": "default"
    }'
    Next logical thing is to assign group to group, so I have used the endpoint
    ### company → location
    curl -X PUT "https://api.permit.io/v2/schema/{{project_id}}/{{env_id}}/groups/company:clarksons/assign_group" \
    -H "Authorization: Bearer {{API_SECRET_KEY}}" \
    -H "Content-Type: application/json" \
    --data-raw '{"group_instance_key": "london"}'
    The response is below. Even when I changed to --data-raw '{"group_instance_key": "location:london"}' it is not able to find it.
    HTTP/1.1 404 Not Found
    Date: Fri, 24 Oct 2025 09:37:14 GMT
    Content-Type: application/json
    Content-Length: 676
    Connection: close
    server: uvicorn
    x-content-type-options: nosniff
    referrer-policy: no-referrer
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-request-id: 14661ae9ed184d7bb84c4bba63701abe
    access-control-expose-headers: X-Request-ID
    
    {
      "id": "14661ae9ed184d7bb84c4bba63701abe",
      "title": "We could not find the requested object/s",
      "error_code": "NOT_FOUND",
      "message": "The requested data could not be found, we could not find 'resourceinstance' with the given filters: env_id='aced0086-602a-49a6-8fbe-0c5aebefeb3a', resource_instance_id='london', resource_id='6195f099-37e1-478e-a3c9-7fb16b1d1412'. Please try again with different filters.\nIf you are sure there is an object with the given filters, contact our support on Slack for further guidance.",
      "additional_info": {
        "filters": {
          "env_id": "aced0086-602a-49a6-8fbe-0c5aebefeb3a",
          "resource_instance_id": "london",
          "resource_id": "6195f099-37e1-478e-a3c9-7fb16b1d1412"
        }
      }
    }
    Group is there and resource instances I can see on the UI:
    ###
    curl -X GET "https://api.permit.io/v2/schema/{{project_id}}/{{env_id}}/groups" \
    -H "Authorization: Bearer {{API_SECRET_KEY}}"
    HTTP/1.1 200 OK
    Date: Fri, 24 Oct 2025 09:38:41 GMT
    Content-Type: application/json
    Content-Length: 603
    Connection: close
    server: uvicorn
    x-content-type-options: nosniff
    referrer-policy: no-referrer
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-request-id: 55fd8d5a29df460b912a1a0de8690393
    access-control-expose-headers: X-Request-ID
    
    [
      {
        "assigned_roles": [
          "location:london#member"
        ],
        "users": [],
        "group_resource_type_key": "location",
        "group_instance_key": "london",
        "group_tenant": "default"
      },
      {
        "assigned_roles": [
          "company:clarksons#member"
        ],
        "users": [],
        "group_resource_type_key": "company",
        "group_instance_key": "clarksons",
        "group_tenant": "default"
      }
    ]
    @Ask Inkeep what I missed here ?
  • r

    Ryan Barriger

    10/27/2025, 7:39 PM
    getting 401 on K8s health checks for PDP version 0.9.8 and 0.9.7
  • s

    Slackbot

    10/27/2025, 7:55 PM
    This message was deleted.
  • m

    Mithies Ponnusamy

    10/28/2025, 5:18 AM
    Hi! I am creating a webhook in permit.io and I need help with that. Can anyone please help me with that?
  • m

    Mithies Ponnusamy

    10/28/2025, 5:26 AM
    My flow is like this. We have a frontend, a BFF and a microservice of the auth service which has integrated permit.io. We have roles and permissions in permit.io. Now we will integrate SSE for the events. Whenever we remove any permission from permit.io, the event needs to be triggered, and from that it needs to go to the frontend and be reflected there. For that I have to integrate the webhook, because permit.io doesn't have built-in functionality to create SSE; instead, permit.io has support for creating webhooks. But I don't know how to create and configure a webhook for this use case. Even though I am a workspace owner, I didn't see any options to configure a webhook. Please help me with this.