RBAC + ABAC + OIDC in one platform. Ship authorization in minutes, not months. One API call to evaluate any access decision.
RBAC Engine
Role-based access control with Casbin
ABAC Engine
Attribute-based policies with JSON rules
OIDC / JWT
Native OIDC & JWT validation
Multi-tenancy
Tenant isolation out of the box
Real-time Eval
Access decisions under 15ms
Audit Trail
Immutable audit log for compliance
From policy definition to real-time evaluation — Permix handles the full authorization lifecycle so your team ships features instead of access control.
Visual ABAC rule builder with AND/OR condition trees. Priority-based evaluation with deny-wins strategy.
Per-tenant OIDC providers, scoped API keys, and isolated policy namespaces — zero cross-tenant leakage.
Single REST endpoint returns ALLOW/DENY in <15ms with full evaluation trace and matched policies.
Register any OIDC-compliant IdP. Supports Keycloak, Auth0, Okta, Azure AD, and Google Workspace.
Per-tenant service API keys with rotation schedules, configurable expiry, and granular usage tracking.
Every access decision logged with actor, resource, action, outcome, IP address, and correlation ID.
Register your first tenant and receive a bootstrapKey for further configuration.
POST /admin/tenants
{
"name": "acme-corp",
"plan": "growth"
}
// → { "tenantId": "t_9kx2", "bootstrapKey": "bk_..." }Add an OIDC issuer URL and define claims mapping to extract user roles and attributes.
POST /admin/tenants/t_9kx2/idps
{
"issuer": "https://login.acme.com",
"clientId": "permix-app",
"claimsMapping": {
"department": "dept",
"roles": "groups"
}
}Write ABAC/RBAC rules in the visual policy builder or via the policy API.
POST /admin/tenants/t_9kx2/policies
{
"name": "finance-read-invoices",
"effect": "ALLOW",
"action": "read",
"resource": "billing:invoice:*",
"conditions": [{
"field": "user.department",
"op": "eq", "value": "finance"
}]
}Generate scoped API keys for backend services with configurable expiry and usage limits.
POST /admin/tenants/t_9kx2/credentials
{
"name": "billing-service",
"scopes": ["check", "audit:read"],
"expiresIn": "90d"
}
// → { "apiKey": "sk_live_..." }Call the check endpoint from your service. Get ALLOW/DENY with matched policies in <15ms.
POST /api/v1/check
Authorization: Bearer sk_live_...
{
"subject": "user:alice@acme.com",
"resource": "billing:invoice:inv_9f3a",
"action": "read"
}
// → { "decision": "ALLOW", "latencyMs": 12 }One API call replaces hundreds of lines of scattered access control logic. Integrate in minutes, not weeks.
import { PermixClient } from '@permix/sdk';
const permix = new PermixClient({
baseUrl: process.env.PERMIX_API_URL,
apiKey: process.env.PERMIX_API_KEY,
});
const result = await permix.check({
subject: 'user:alice@acme.com',
resource: 'billing:invoice:inv_9f3a',
action: 'read',
attributes: {
user: { department: 'finance' },
},
});
// {
// decision: 'ALLOW',
// latencyMs: 12,
// matchedPolicies: ['finance-read-invoices'],
// correlationId: 'cor_8fj2k9'
// }
if (result.decision !== 'ALLOW') {
throw new UnauthorizedError('Access denied');
}Authorization infrastructure demands the highest security standards. Permix is built with defense-in-depth and independently audited.
All tokens validated against the JWKS endpoint with RS256/ES256 signature verification. Token replay protection via jti claim tracking.
Complete data isolation between tenants at the database, API, and evaluation layer. Row-level security enforced at every query.
Every action logged with actor identity, source IP, timestamp, resource, action, and outcome. Tamper-evident append-only log.
Secrets and credentials stored as bcrypt hashes, never in plaintext. Database encrypted with AES-256. TLS 1.3 in transit.
Compliance certifications
“Permix cut our authorization implementation from 3 months to 3 days. The multi-tenant isolation model is exactly what we needed for our SaaS, and the audit log has already saved us during a compliance review.”
“We evaluated five authorization platforms. Permix was the only one with ABAC and OIDC in a single product that didn't require us to maintain custom policy infrastructure. The API latency is genuinely impressive.”
Free for up to 5 tenants. No credit card required. Set up in under 10 minutes.
SOC 2 compliantGDPR ready99.99% uptime SLAFree up to 5 tenants