Best Practices

Coding agents execute code, run commands, and call APIs — not just generate text. This guide covers the real security risks, why authorization must happen at the tool-call level, and how Permit.io and the Permit MCP Gateway enforce least-privilege access for agentic workflows.

AI agents acting across tools, APIs, and multi-agent pipelines raise hard questions about identity, authentication, and authorization. This article covers agentic identity (delegating human + workflow context + intent), agent interrogation, SPIFFE, OAuth token exchange, least privilege at runtime, and what audit actually means for agentic systems.

AI agents break the traditional least-privilege model. This article explains why, defines agentic identity (delegating human + workflow context + declared intent), and shows how Permit.io enforces zero standing privileges through gateway-vaulted credentials, the PDP, MCP Gateway, and downscoped delegation chains.

A practical review guide for security, privacy, and procurement teams evaluating whether an MCP gateway can meet SOC 2, HIPAA, and privacy requirements — with concrete examples from Permit MCP Gateway.

A practical blueprint for securing Model Context Protocol (MCP) agents across identity, consent, policy, and audit layers without rewrites.

Learn how to use JWTs for authorization the right way. This guide covers best practices, common mistakes, and why JWTs should carry identity, not permissions.

The new Permit.io CLI brings developer-first workflows to access control. Define, test, deploy, and enforce fine-grained authorization using AI, CI/CD, GitOps, and OpenAPI — all from your terminal

PBAC sounds great—until you try to use it. Learn the real challenges of Policy-Based Access Control and how to avoid common pitfalls.

We surveyed over 200 engineers about how they build and scale authorization. The data reveals where access control is heading, from RBAC and ReBAC to real-time checks and policy languages

Learn the key differences between JWT and opaque bearer tokens, covering how they work, when to use each, and how they impact API authentication, security, and performance.

Learn how to design your authorization model and architecture with real-world use cases, user management, approval flows, and AI identity support.

Explore how to secure AI agents, protect against prompt injections, and manage cascading AI interactions with AI Security Posture Management (AISPM).

Learn how to decouple fine-grained authorization from Firebase Rules, improve them, and expand beyond Firebase Rules for authenticated users by externalizing fine-grained access control.

Cookies are suitable for authentication and session management, while local storage is ideal for storing non-sensitive data on the client side. This detailed guide explains why and when to use each.

Discover how RBAC transformed access control, why modern apps need more context-driven solutions, and how Fine Grained Authorization (ABAC + ReBAC) extends it for today’s demands.

Learn best practices for implementing permissions in Keycloak, from configuration to authorization enforcement. Build scalable access control systems for your applications.

Learn how Open Policy Agent (OPA) is revolutionizing the way developers approach authorization. From managing policies with Rego to handling complex relationship-based access control (ReBAC) scenarios, discover practical OPA strategies, advanced use cases, and real-world insights.

Learn about database permissions and authorization, exploring data filtering strategies like application-level checks, PDP filtering, and partial evaluation to enhance security, performance, and scalability for managing user access.

Policy as Code is the practice of defining, managing, and enforcing policies using code rather than relying on static configurations or manual enforcement. Learn about its benefits, common use cases, implementation and useful tools

Explore the Policy Engines Showdown: OPA vs. OpenFGA vs. Cedar – Dive into the strengths, trade-offs, and use cases of leading policy engines. Discover how OPA compares to OpenFGA and Cedar for authorization, scalability, and adoption.

Learn about Policy as Code, its use cases, and challenges from leading software developers. Discover tools and frameworks for policy as code implementation, and dive into policy languages like Rego, Cedar, and OpenFGA.

Explore how AI in Identity Access Management (IAM) is changing to address the complexities of generative AI. Learn about the challenges and solutions for managing AI-driven identities, permissions, and access control.

Discover strategies to manage AI permissions with Retrieval-Augmented Generation (RAG) and dynamic authorization to ensure AI agents only access authorized data.

Learn how AI identity security is reshaping Identity and Access Management (IAM) and how to tackle these changes with proactive identity security.

A guide to securing your Nest.js API endpoints with Role Based Access Control (RBAC) and enhancing them with Attribute Based Access Control (ABAC).

Discover how AI Identity is transforming Identity and Access Management (IAM). Learn to tackle hybrid identities, dynamic permissions, and proactive security with practical implementations.

Learn what the latest Arc Browser vulnerability can teach us about the proper usage of row-level security.

Best practices for implementing authorization in a microservices architecture. Learn how to create a better access control experience with Permit.io.

Authorization as a Service provides a solution for managing user access and permissions in applications. Learn when you might want to consider such a service, how it can streamline your authorization implementation, and simplify permission management.

Learn how to implement hybrid cloud security using the multi-layer approach. Explore best practices with practical examples of IAM security and authorization.

Developer conferences are a great way to get more eyes on your startup. In this guide, we cover everything we learned about making the most out of them

Today, we are excited to announce the launch of Permit.io’s latest feature: Permit Share-If.

Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC) - how to make the most suitable choice for your application?

Discover how Discord built "Access!" - a secure, user-friendly portal for managing authorization, and what should you use to cover your entire user stack.

Learn best practices for managing user roles and access delegation and how to implement a cascading authorization model to enhance your app's access control.

Learn how to use JWT for authorization, understand the basics of what JWT is, and explore examples of proper JWT usage in authentication and authorization.

Learn how to build cloud-native authorization systems with CI/CD, thorough testing, and precise modeling and implementation.

10 topics, 45 questions: Authorization is part of every app—here are the questions you NEED to ask yourself before you implement this critical security feature

Explore how Access Request APIs simplify user access management in apps, making them efficient and adaptable to changing user requirements.

If you've worked on authorization before, you know that sometimes standard policy models just aren't enough. What can we do then? Let's find out -

Explore the process of implementing Role-Based Access Control (RBAC) in applications with policy as code, enhancing security and scalability.

Explore best practices for authentication and authorization in API with clear, practical examples. Including a differentiation guide, and helpful code tips.

Explore comprehensive strategies for API Security in our guide, focusing on best practices in authentication, authorization, and safeguarding applications.

Discover best practices for authorization in REST API. Learn about API authorization layers, actors, tools like Permit.io and OPAL.

Discover top open-source auth projects enhancing application security, including Hanko, Supabase, and OPAL, for robust authentication and authorization.

Learn how to implement proper authorization for a healthcare app with the help of Galactic Health Corporation - a Rick & Morty inspired healthcare application.

Protecting your user's personal medical information is vital in healthcare apps. Here's how to make sure you're doing everything to keep that data safe -

Learn how, when, and where to use OAuth scopes for authorization. Get a clear understanding of OAuth scopes definition and their proper usage.

"Shift-Left" is great, but often results in endless tasks and tools for devs instead of addressing the real issues. How can we avoid it? Implement good DevEx.

We just launched our developer tool on Product Hunt and got 'Product of the Day'. Here's how we did it. Some useful growth hacking tips.

Learn from a real case study how to Shift-Left in a way that will impact the product's security. Minimize friction between security and development teams.

Choosing the right policy agent to handle your authorization is not a simple task - each offers its benefits and has its drawbacks. How to choose? Read here.

Having an authorization layer is a must. But should you build one yourself?

Why and how you should enhance your application's security and compliance with authorization audit logs.

Discover best practices for authorization in Python applications. Avoid anti-patterns and create better access control with RBAC and ABAC implementations.

The latest OWASP "Top 10 API Security Risks" report once again lists "Broken Object Level Authorization" as its top 1 vulnerability. What can be done about it?

AWS' new Cedar policy language is now open-source and live! See how you can make the best use of it with Permit.io

Migrating from Role-based access control (RBAC) to Attribute-based access control (ABAC) can prove quite challenging - here's how you can do it painlessly.

What are the benefits of policy as code, and how does OPA's Rego language differ from AWS' new Cedar policy language?

The launch of AWS' OSS - Cedar is a tectonic shift in the IAM space. Permit.io supports with OPAL and Cedar-Agent.

Access Control is a main concern when developing web applications - and the NSA has a lot to say about it, especially the biggest pitfall developers make. 

Explore 4 app building blocks: Authentication, Authorization, Databases & Payments. Use existing solutions for faster development & user trust.

The recent #BingBang vulnerability discovered by the Wiz team proves once again how crucial implementing proper authorization is.

OPAL, an open-source project, complements and enhances OPA and is already being used by companies like Cisco and the NBA.

5 key factors for effective & scalable app authorization: simplicity, flexibility, compliance & more.

Every developer building an app faces the challenge of AuthZ. RBAC, ABAC, multitenancy, invites, approval flows - How do you pick the best service for it?

Access control is a must in evey app, yet most developers build and rebuild it time and time again. Why? Usually, they make one of these four crucial mistakes -

An Intellyx BrainBlog for Permit.io by Jason English

Cloud-based SaaS solutions need multi-tenancy. What is Multitenancy? What we can gain from it? How to easily implement it with two simple layers?

Understanding the balance between a good experience for the development team and minimizing security risks - and the best practices for achieving it.

An Intellyx BrainBlog by Jason Bloomberg, for Permit.io

A guide to figuring out which data fetching method is best for you, with full knowledge of each method’s ‘Good, Bad, and Ugly’ aspects.

Centralized IAM, and the benefits of implementing it in your organization. 

Cloud-native / microservice-based products are complex. Building access control and managing permissions for them is only getting worse by the pull request.