Now in public beta · 2,400+ tenants secured

Authorization for multi-tenant SaaS, without the policy chaos.

RBAC + ABAC + OIDC in one platform. Ship authorization in minutes, not months. One API call to evaluate any access decision.

Integrates with
KeycloakAuth0OktaAzure ADGoogle Workspace
12ms avg latency
99.99% uptime
SOC 2 Type II
GDPR compliant
permix ~ access check
ALLOW
Matched: finance-read-policy
latency
12ms

RBAC Engine

Role-based access control with Casbin

ABAC Engine

Attribute-based policies with JSON rules

OIDC / JWT

Native OIDC & JWT validation

Multi-tenancy

Tenant isolation out of the box

Real-time Eval

Access decisions under 15ms

Audit Trail

Immutable audit log for compliance

Why Permix

The old way

  • Custom authorization logic scattered across services
  • No audit trail for access decisions
  • Different policies per tenant, impossible to manage
  • Re-implementing RBAC for every new service
  • OIDC integration takes weeks per provider

The Permix way

  • Centralized policy engine, evaluated in one API call
  • Immutable audit log with correlation IDs
  • Tenant-scoped policies with environment promotion
  • SDK-ready RBAC + ABAC with zero custom logic
  • One-click OIDC provider registration
Capabilities

Everything you need to manage access at scale.

From policy definition to real-time evaluation — Permix handles the full authorization lifecycle so your team ships features instead of access control.

Policy Engine

Visual ABAC rule builder with AND/OR condition trees. Priority-based evaluation with deny-wins strategy.

Learn more

Multi-tenant SaaS

Per-tenant OIDC providers, scoped API keys, and isolated policy namespaces — zero cross-tenant leakage.

Learn more

Access Evaluation API

Single REST endpoint returns ALLOW/DENY in <15ms with full evaluation trace and matched policies.

Learn more

Identity Providers

Register any OIDC-compliant IdP. Supports Keycloak, Auth0, Okta, Azure AD, and Google Workspace.

Learn more

Service Credentials

Per-tenant service API keys with rotation schedules, configurable expiry, and granular usage tracking.

Learn more

Audit & Compliance

Every access decision logged with actor, resource, action, outcome, IP address, and correlation ID.

Learn more
Getting started

From zero to production-ready authorization in five steps.

01

Create a tenant

Register your first tenant and receive a bootstrapKey for further configuration.

Terminal
POST /admin/tenants
{
  "name": "acme-corp",
  "plan": "growth"
}

// → { "tenantId": "t_9kx2", "bootstrapKey": "bk_..." }
02

Register Identity Provider

Add an OIDC issuer URL and define claims mapping to extract user roles and attributes.

Terminal
POST /admin/tenants/t_9kx2/idps
{
  "issuer": "https://login.acme.com",
  "clientId": "permix-app",
  "claimsMapping": {
    "department": "dept",
    "roles": "groups"
  }
}
03

Define Policies

Write ABAC/RBAC rules in the visual policy builder or via the policy API.

Terminal
POST /admin/tenants/t_9kx2/policies
{
  "name": "finance-read-invoices",
  "effect": "ALLOW",
  "action": "read",
  "resource": "billing:invoice:*",
  "conditions": [{
    "field": "user.department",
    "op": "eq", "value": "finance"
  }]
}
04

Issue Service Keys

Generate scoped API keys for backend services with configurable expiry and usage limits.

Terminal
POST /admin/tenants/t_9kx2/credentials
{
  "name": "billing-service",
  "scopes": ["check", "audit:read"],
  "expiresIn": "90d"
}

// → { "apiKey": "sk_live_..." }
05

Evaluate Access

Call the check endpoint from your service. Get ALLOW/DENY with matched policies in <15ms.

Terminal
POST /api/v1/check
Authorization: Bearer sk_live_...

{
  "subject": "user:alice@acme.com",
  "resource": "billing:invoice:inv_9f3a",
  "action": "read"
}

// → { "decision": "ALLOW", "latencyMs": 12 }
Developer-first

Built for developers who move fast.

One API call replaces hundreds of lines of scattered access control logic. Integrate in minutes, not weeks.

  • Single endpoint for all access decisions
  • Full evaluation trace with matched policies
  • Correlation IDs for distributed tracing
  • SDKs for TypeScript, Python, Go, and Java
  • OpenAPI spec with code generation support
import { PermixClient } from '@permix/sdk';

const permix = new PermixClient({
  baseUrl: process.env.PERMIX_API_URL,
  apiKey: process.env.PERMIX_API_KEY,
});

const result = await permix.check({
  subject: 'user:alice@acme.com',
  resource: 'billing:invoice:inv_9f3a',
  action: 'read',
  attributes: {
    user: { department: 'finance' },
  },
});

// {
//   decision: 'ALLOW',
//   latencyMs: 12,
//   matchedPolicies: ['finance-read-invoices'],
//   correlationId: 'cor_8fj2k9'
// }

if (result.decision !== 'ALLOW') {
  throw new UnauthorizedError('Access denied');
}
Security

Security-first, compliance-ready.

Authorization infrastructure demands the highest security standards. Permix is built with defense-in-depth and independently audited.

JWT Validation

All tokens validated against the JWKS endpoint with RS256/ES256 signature verification. Token replay protection via jti claim tracking.

Tenant Isolation

Complete data isolation between tenants at the database, API, and evaluation layer. Row-level security enforced at every query.

Audit Logging

Every action logged with actor identity, source IP, timestamp, resource, action, and outcome. Tamper-evident append-only log.

Encryption at Rest

Secrets and credentials stored as bcrypt hashes, never in plaintext. Database encrypted with AES-256. TLS 1.3 in transit.

Compliance certifications

SOC 2 Type IIAudited annually
GDPREU Data Processing
ISO 27001Information Security
CCPAPrivacy Compliant
Social proof

Trusted by engineering teams shipping fast.

FinanceOSClarity AnalyticsNovaPayShipwrightBuildSpaceFormFlow
2,400+
Tenants managed
1.2B
Evaluations / month
99.99%
Uptime SLA
<15ms
p99 latency
Permix cut our authorization implementation from 3 months to 3 days. The multi-tenant isolation model is exactly what we needed for our SaaS, and the audit log has already saved us during a compliance review.
MC
Marcus Chen
VP Engineering · FinanceOS
We evaluated five authorization platforms. Permix was the only one with ABAC and OIDC in a single product that didn't require us to maintain custom policy infrastructure. The API latency is genuinely impressive.
PN
Priya Nair
Staff Engineer · Clarity Analytics

Start shipping authorization today.

Free for up to 5 tenants. No credit card required. Set up in under 10 minutes.

SOC 2 compliantGDPR ready99.99% uptime SLAFree up to 5 tenants