# permit-saas
  • a

    Abe Clark

    08/19/2025, 6:47 AM
    When I invite a user using the elements, I don't see the pending user show up in the list. I swear I saw this working before and I can see that UX in the user invitations inside permit itself. Is there a config for this somewhere that I'm missing?
  • a

    Abe Clark

    08/19/2025, 6:59 AM
    Attempting to use the API to fetch information about an invite_code.
    ```
    GET https://api.permit.io/v2/facts/963052528a05464f81806c264751d0ea/8671f6b2ae42487fa851e9f6c43a8cbd/user_invites/fe250482c2ab403795f8312f06a48aa0
    ```
    Including Authorization Bearer header
    ```
    {
      "id": "73576d6c002d4a60bfe01d1b51ee729c",
      "title": "The request could not be completed",
      "error_code": "UNEXPECTED_ERROR",
      "message": "You did nothing wrong, but we could not finish your request due to a technical issue on our end. Please try again.\nIf the issue keeps happening, contact our support on Slack for further guidance."
    }
    ```
  • t

    Thillai

    08/21/2025, 2:00 PM
    What is the latency and SLA, TPS (transactions per second) that permit.io SaaS offers?
  • t

    Thillai

    08/25/2025, 5:30 AM
    Can we rely on PDP cloud for production workload?
  • r

    Rodrigo Mayer

    08/25/2025, 5:42 PM
    Hi! We've had some issues with our PDP deployment over the last couple of weeks. We are currently using PDP V0.9.3. In summary, the permission checks stop working after a random period of time (around once a week). Below I describe two instances of this issue:

    Last Friday, one of our users was receiving an empty array on the permissions bulkCheck. We made sure this user had the proper roles assigned in Permit. To resolve the issue, we took 2 actions. Unsure which one was actually effective.
    • Restarted the PDP deployment
    • Rotated the user roles. i.e. we changed its role to something else and then back to the correct one.
    I have the logs around the time this issue happened and can share in private if needed.

    Today, we also saw issues with permission checks. The following error caught my eye in the logs:
    ```
    [25/Aug/2025:14:28:16] [2025-08-25T14:28:16Z ERROR pdp_server::api::authz::user_permissions] Failed to send request to OPA: Failed to send request to OPA: error sending request for url (http://localhost:8181/v1/data/permit/user_permissions)
    [25/Aug/2025:14:28:16] [2025-08-25T14:28:16Z ERROR pdp_server::api::authz::allowed_bulk] Failed to send request to OPA: Failed to send request to OPA: error sending request for url (http://localhost:8181/v1/data/permit/bulk)
    ```
    We restarted the PDP deployment and the issue was fixed. Could you help us understand what's causing this issue and how to fix it? Thanks in advance.
  • b

    Bálint Richly

    08/26/2025, 6:22 AM
    Hi there, I’m a fullstack developer working on an application using a microservice architecture, where we process vehicle-related data. Our company plans to sell the system as a subscription-based service, but the development is still in its early stages. Many permissions are expected to change, and the exact boundaries of subscription tiers and their associated permissions have not yet been defined. I’m looking for an authorization service built on Permit.io that can:
    • Provide a flexible interface for mapping roles and permissions.
    • Restrict organizational members to access only within their own organization (e.g., an orgAdmin can modify data only for their own organization, and an orgUser can view vehicle data only within their organization).
    • Here, I’m curious whether it’s better to use multi-tenant RBAC, or ABAC where orgID is an attribute on both the user and the resource, and policies check for matches. What is the best practice in such a scenario? Or is there a third approach that might better address this use case?
    • Support role derivation, so that, for example, an orgAdmin role can be overridden for a specific company (e.g., as concreteOrgAdmin), while retaining the permissions of the original OrgAdmin role, but allowing additional rules—such as enabling or denying specific permissions.
    • Later, we plan to limit subscription tiers based on quotas. This is partly an authorization question, and I’m not sure how suitable Permit.io is for handling such data. Should these quotas be implemented in Permit.io (e.g., number of data queries, amount of data retrieved stored in the database, with authorization decisions based on these values)? Could these values be added as user attributes in Permit.io?
    Thanks in advance for your guidance!
  • l

    Liam Taylor

    08/27/2025, 10:24 AM
    hi permitters! i am exploring using your product for implementing rebac data filtering in my python/django project - i have some questions about the implementation. apologies for any misunderstandings - i have just started looking. details in a thread 🧵
  • l

    Lewis Youl

    08/27/2025, 11:49 AM
    Hello, we're seeing regular gateway timeouts when trying to use the condition sets API, as well as create condition sets via the UI. Our implementation uses condition sets extensively and we can't afford for this endpoint to regularly time out. Is this on your radar to fix? Or can you recommend a workaround? Please see the attached for an example of it failing via your UI. This is the body that was sent in the request:
    ```
    {
      "key": "megatest",
      "type": "resourceset",
      "resource_id": "document",
      "name": "megatest",
      "description": "megatest",
      "conditions": {
        "allOf": [
          {
            "allOf": [
              {
                "resource.documentTypeId": {
                  "equals": "roflcopter"
                }
              },
              {
                "resource.owner": {
                  "equals": "123456"
                }
              }
            ]
          }
        ]
      },
      "parent_id": null
    }
    ```
  • t

    Thillai

    08/28/2025, 7:01 AM
    Hey team, quick clarification: In the Python SDK, `permit.check()` expects a user_id as the subject, and evaluates permissions based on that user’s assigned roles/policies. Is there a supported way to directly check permissions for a role (e.g. `"admin"`) without going through a user? Or should we always create a test user with that role when we want to validate role-based access? Thanks.
  • l

    Lewis Youl

    08/28/2025, 11:26 AM
    /permit-ticket-status PER-12695
  • p

    Permit Support Automation

    08/28/2025, 11:26 AM
    Identifier: PER-12695 Title: Fix load options in create condition set State: Acceptance (Share) Status: started
  • y

    Yilmaz Alizadeh

    08/28/2025, 1:24 PM
    /permit-ticket-status PER-12695
  • p

    Permit Support Automation

    08/28/2025, 1:24 PM
    Identifier: PER-12695 Title: Fix load options in create condition set State: Acceptance (Share) Status: started
  • r

    Roberto Macaotela

    08/28/2025, 10:50 PM
    Sometimes I'm getting this message from my Permit PDP deployed in a GCP Cloud Run:
    ```
    ERROR 2025-08-27T222109.130272Z [httpRequest.requestMethod: POST] [httpRequest.status: 502] [httpRequest.responseSize: 280 B] [httpRequest.latency: 1.458 s] [httpRequest.userAgent: axios 1.10.0] https://xxx.us-central1.run.app/allowed
    ```
    How can I avoid this error?
  • l

    Lewis Youl

    08/29/2025, 8:28 AM
    /permit-ticket-status PER-12695
  • p

    Permit Support Automation

    08/29/2025, 8:28 AM
    Identifier: PER-12695 Title: Fix load options in create condition set State: Acceptance (Share) Status: started
  • l

    Lewis Youl

    08/29/2025, 5:07 PM
    Hello, when updating user attributes we are receiving a 500 error both using your API and via your UI. The update actually seems to succeed but the response takes ages to return and when it does it's a 500 error. I've recorded this happening via the UI in the video attached. The logs claim the response returned a 200 when it didn't, see attached image. The UI isn't so much of an issue for us as we don't use it in this way (it just seemed like a good way to illustrate the problem), but it's causing problems with how we need to use the API.
    URL
    ```
    PATCH /v2/facts/9aa8bcdc454049cd8c1459f6d1215b4f/890e358221b34dee9ac6fb6103b762f8/resource_instances/3804d4a9ef3144ec98aa17b22e274a1b
    ```
    Body
    ```
    {
      "attributes": {
        "id": "83136998-510c-4f3d-8316-97e503a4ff4a",
        "name": "2nd Wood Doc",
        "owner": "7ca6992a-726f-4ddf-bdbc-8d5b8baa0c0e",
        "tenant": "c8217bd9-ed07-4898-b455-f9c9eb615977",
        "documentTypeId": "8f419f7a-7ea3-413e-a09b-2142504c579f",
        "isSmartDocument": true
      }
    }
    ```
    workspace = alex-trustflight-sandbox project = sandbox env = lewisdevelopment
    Screen Recording 2025-08-29 at 18.01.06.mov
  • s

    Sam Jakos

    08/31/2025, 1:12 PM
    I’m trying to figure out a clean way to model B2B type scenarios where the Tenants I create in Permit can group their Resources under an Account resource and manage roles on that via Groups. I was hoping to avoid syncing all my relationships into Permit and using JIT ABAC checks with the Account key for any of the Account’s resources as I have the Account key readily available for all resources in my app. It feels like I’m missing something obvious, but after reading through all the docs on ABAC and ReBAC it’s still not clicking. Any pointers?
  • s

    Sam Jakos

    08/31/2025, 1:57 PM
    What is the plan for PDP data scaling with the sunsetting of PDP sharding tomorrow?
  • j

    James Wu

    09/02/2025, 12:37 AM
    hey folks, we're doing our annual audit... how would i inquire about obtaining a SoC2 report? currently pro plan, happy to receive DMs 🙏
  • s

    Sam Jakos

    09/03/2025, 11:15 AM
    Groups are scoped to the tenant from what I’ve seen in the docs, is there a recommended way to use them cross-tenant? I’d like to be able to create a group for my support team or for larger clients that fit better into multiple tenants to have an easier experience managing users. Would ABAC with an intersection check on a “groups” array on user and tenant be the best way?
  • m

    Míla Votradovec

    09/04/2025, 10:54 AM
    Hey everyone, thank you for having such a nice community! I have two questions:
    • we would like to get your SOC2 Type 2 report, how can we do that?
    • we would like to switch from api to api.eu, what do we need for that?
    Thank you 🙂
  • s

    Sam Jakos

    09/04/2025, 11:45 AM
    Spent some time yesterday trying this with just ABAC and it started to feel messy. I’ve got two problems left I’m trying to solve, cross-Tenant groups for collaboration without having to invite individuals and partially synced ReBAC so I can derive roles without duplicating all instances to Permit.

    Here’s a scenario to help break it down: There are two Tenants, A and B. The schema has resources Account, Team, Device, Connection. Roles are assigned to Teams. There is an Editor role on Account and the role derives on any child Device and derives the role on child Connection. User:A has the Member role on Team:A in Tenant:A. Team:A is given a Collaborator role in Tenant:B in Team:B. Team:B has Editor role on Account:B1.

    Stored within our DB: Device:B1-1 is child of Account:B1. Connection:B1-1-1 is child of Device:B1-1.

    User:A attempts to edit Connection:B1-1-1, in the check we send `{{type: Connection, key: B1-1-1, attributes: {account: B1, device: B1-1}}, tenant: B}` This should succeed.

    Ideally I’d like to not sync every instance to Permit, just Accounts and Teams for now, but still leverage derivative roles. Since we know the role should cascade to children, we just need to check that the user is authorized at Account or Top-level. Is this possible? Does this need custom rego?
  • b

    Bradley Herrup

    09/04/2025, 8:55 PM
    Curious about permit deployment in Fargate. Do you all recommend running permit as a separate instance or do you "support" (as in yay verily/best practice) running it as a sidecar on a Fargate instance?
  • b

    Bradley Herrup

    09/04/2025, 9:15 PM
    Also, is there a way to promote changes to policies through environments, so that I don't have to recreate them in each?
  • t

    Taha ÇEKEN

    09/05/2025, 8:54 AM
    Hello, I am integrating Permit.io with my AWS API Gateway. My PDP check works fine — when I send a request to `/allowed_url`, the PDP correctly returns `"allow": true` for my user and URL.

    Example PDP request:
    ```
    POST http://172.24.16.56:7766/allowed_url
    {
      "user": { "key": "ae454a25-958b-40c0-b004-a02495c0293f" },
      "url": "https://api.abex.com.tr/test/api/booking/en/bookings/",
      "http_method": "GET",
      "tenant": "default"
    }
    ```
    RESPONSE
    ```
    {
      "allow": true,
      "query": {},
      "debug": {
        "rbac": {
          "allow": true,
          "allowing_roles": [ "Employee" ],
          "code": "allow",
          "reason": "user 'ae454a25-958b-40c0-b004-a02495c0293f' has the role 'Employee' in tenant 'default', role 'Employee' has the 'read' permission on resources of type 'document'"
        },
        "request": {
          "action": "read",
          "resource": {
            "attributes": { "booking_id": "", "type": "document" },
            "type": "document"
          },
          "tenant": "default",
          "user": {
            "attributes": {
              "email": "employee@test.com",
              "key": "ae454a25-958b-40c0-b004-a02495c0293f",
              "roles": [ "Employee" ],
              "tenants": [ "default" ]
            },
            "key": "ae454a25-958b-40c0-b004-a02495c0293f",
            "synced": true
          }
        }
      },
      "result": true
    }
    ```
    However, when I call the Permit.io proxy endpoint:
    https://proxy.api.permit.io/proxy/46686b3e7f804317a3143ad1e3a757bc?url=https://api.abex.com.tr/test/api/booking/en/bookings/
    I always get the following error:
    ```
    {
      "detail": "Proxy rule not found, consider checking your 'URL' parameter and the request method, or adding a new mapping rule. Hint: pay attention to the trailing slash, or lack thereof."
    }
    ```
    my current proxy config
    ```
    {
      "key": "api-abex",
      "id": "46686b3e7f804317a3143ad1e3a757bc",
      "organization_id": "50b10af7e4d44b9aae623be4c2466e5a",
      "project_id": "167998e377d0412d9822b65450d740ba",
      "environment_id": "8fb17dd891a741c4bcc55bf2d4c4dd55",
      "created_at": "2025-09-05T072121+00:00",
      "updated_at": "2025-09-05T073503+00:00",
      "secret": "<redacted>",
      "name": "api-abex",
      "mapping_rules": [
        {
          "url": "https://api.abex.com.tr/test/api/booking/en/bookings/{booking_id}",
          "url_type": null,
          "http_method": "get",
          "resource": "document",
          "headers": {},
          "action": "read",
          "priority": null
        },
        {
          "url": "https://api.abex.com.tr/test/api/booking/en/bookings/",
          "url_type": null,
          "http_method": "get",
          "resource": "document",
          "headers": {},
          "action": "read",
          "priority": null
        }
      ],
      "auth_mechanism": "Bearer"
    }
    ```
    and proxy config screenshot added as attachment
    Thank you!
  • y

    Yilmaz Alizadeh

    09/05/2025, 12:10 PM
    We reported an issue with condition sets and condition rules time out and slowness last week and it was fixed on Monday. Today we are experiencing an issue with slowness. It times out 2-3 times even in the UI and then it responds back in 5-60 seconds. We have 64 condition sets which might grow to hundreds.
    2025-09-05 13-01-47.mkv
  • l

    Lewis Youl

    09/05/2025, 3:02 PM
    Is it possible for our workspace name to be changed or is the name an important identifier? Ideally we'd like it changed from `alex-trustflight-sandbox` to just `trustflight`.
  • t

    Taha ÇEKEN

    09/08/2025, 6:10 AM
    i just saw our meeting canceled so i will ask my questions through here.
    • URL Mapping
      ◦ Each time a URL mapping is edited, a new one is created while the old one remains. What is the recommended solution for this issue?
      ◦ also i cannot delete url mapping.
    • User Sync
      ◦ When should the user sync process be executed? What is considered best practice? (We are considering doing this at the pre-token generation stage to keep sync users with cognito)
    • Lambda Authorizer + Permit.io
      ◦ Is it recommended to perform resource, user, and action checks directly within the Lambda Authorizer using Permit.check()? with usage of lambda layer
      ◦ Or should we instead query the PDP’s `/allowed_url` endpoint?