Best Practices

Cloud-native / microservice-based products are complex. Building access control and managing permissions for them is only getting worse by the pull request.

Centralized IAM, and the benefits of implementing it in your organization. 

What changed, both in terms of the challenges and the solutions, and how we can adapt to these changes?

A guide to figuring out which data fetching method is best for you, with full knowledge of each method’s ‘Good, Bad, and Ugly’ aspects.

An Intellyx BrainBlog by Jason Bloomberg, for Permit.io

Understanding the balance between a good experience for the development team and minimizing security risks - and the best practices for achieving it.

Cloud-based SaaS solutions need multi-tenancy. What is Multitenancy? What we can gain from it? How to easily implement it with two simple layers?

An Intellyx BrainBlog for Permit.io by Jason English

Access control is a must in evey app, yet most developers build and rebuild it time and time again. Why? Usually, they make one of these four crucial mistakes -

Policy as Code is the practice of defining, managing, and enforcing policies using code rather than relying on static configurations or manual enforcement. Learn about its benefits, common use cases, implementation and useful tools

The DRACC framework is a DevSecOps methodology which allows mapping the security posture of your application in a communicative, comprehensive way.

Every developer building an app faces the challenge of AuthZ. RBAC, ABAC, multitenancy, invites, approval flows - How do you pick the best service for it?

5 key factors for effective & scalable app authorization: simplicity, flexibility, compliance & more.

OPAL, an open-source project, complements and enhances OPA and is already being used by companies like Tesla, Cisco, and the NBA.

The recent #BingBang vulnerability discovered by the Wiz team proves once again how crucial implementing proper authorization is.

Access Control is a main concern when developing web applications - and the NSA has a lot to say about it, especially the biggest pitfall developers make. 

Best practices for implementing authorization in a microservices architecture. Learn how to create a better access control experience with Permit.io.

Explore 4 app building blocks: Authentication, Authorization, Databases & Payments. Use existing solutions for faster development & user trust.

Preventing broken access control vulnerabilities: a CISO's perspective on the components and importance of proper permission management for cloud-native apps.

Learn the best practices for implementing GitOps in your software development cycle. Read our article and adopt GitOps today to streamline your workflow.

The launch of AWS' OSS - Cedar is a tectonic shift in the IAM space. Permit.io supports with OPAL and Cedar-Agent.

What are the benefits of policy as code, and how does OPA's Rego language differ from AWS' new Cedar policy language?

Migrating from Role-based access control (RBAC) to Attribute-based access control (ABAC) can prove quite challenging - here's how you can do it painlessly.

AWS' new Cedar policy language is now open-source and live! See how you can make the best use of it with Permit.io

The latest OWASP "Top 10 API Security Risks" report once again lists "Broken Object Level Authorization" as its top 1 vulnerability. What can be done about it?

A guide to securing your Nest.js API endpoints with Role Based Access Control (RBAC) and enhancing them with Attribute Based Access Control (ABAC).

Discover best practices for authorization in Python applications. Avoid anti-patterns and create better access control with RBAC and ABAC implementations.

Why and how you should enhance your application's security and compliance with authorization audit logs.

Having an authorization layer is a must. But should you build one yourself?

Authorization as a Service provides a solution for managing user access and permissions in applications. Learn when you might want to consider such a service, how it can streamline your authorization implementation, and simplify permission management.

Choosing the right policy agent to handle your authorization is not a simple task - each offers its benefits and has its drawbacks. How to choose? Read here.

Learn from a real case study how to Shift-Left in a way that will impact the product's security. Minimize friction between security and development teams.

We just launched our developer tool on Product Hunt and got 'Product of the Day'. Here's how we did it. Some useful growth hacking tips.

"Shift-Left" is great, but often results in endless tasks and tools for devs instead of addressing the real issues. How can we avoid it? Implement good DevEx.

Learn how, when, and where to use OAuth scopes for authorization. Get a clear understanding of OAuth scopes definition and their proper usage.

Protecting your user's personal medical information is vital in healthcare apps. Here's how to make sure you're doing everything to keep that data safe -

Learn how to implement proper authorization for a healthcare app with the help of Galactic Health Corporation - a Rick & Morty inspired healthcare application.

Learn how Reddit built its advanced Ad Tech authorization system with Open Policy Agent (OPA) and how you can build one yourself with OPAL!

Discover best practices for authorization in REST API. Learn about API authorization layers, actors, tools like Permit.io and OPAL.

Explore best practices for authentication and authorization in API with clear, practical examples. Including a differentiation guide, and helpful code tips.

Explore comprehensive strategies for API Security in our guide, focusing on best practices in authentication, authorization, and safeguarding applications.

Explore the process of implementing Role-Based Access Control (RBAC) in applications with policy as code, enhancing security and scalability.

If you've worked on authorization before, you know that sometimes standard policy models just aren't enough. What can we do then? Let's find out -

Learn how we use a policy-as-code platform to create a successful engineering culture of authorization and access control.

Explore how Access Request APIs simplify user access management in apps, making them efficient and adaptable to changing user requirements.

10 topics, 45 questions: Authorization is part of every app—here are the questions you NEED to ask yourself before you implement this critical security feature

Learn how to build cloud-native authorization systems with CI/CD, thorough testing, and precise modeling and implementation.

Learn best practices for managing user roles and access delegation and how to implement a cascading authorization model to enhance your app's access control.

Discover how Discord built "Access!" - a secure, user-friendly portal for managing authorization, and what should you use to cover your entire user stack.

Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC) - how to make the most suitable choice for your application?

Discover how AI and authorization intersect. Learn to manage GenAI bots securely with fine-grained authorization using tools like Permit.io and Arcjet.

Developer conferences are a great way to get more eyes on your startup. In this guide, we cover everything we learned about making the most out of them

Learn how to implement hybrid cloud security using the multi-layer approach. Explore best practices with practical examples of IAM security and authorization.

Learn how to use JWT for authorization, understand the basics of what JWT is, and explore examples of proper JWT usage in authentication and authorization.

Today, we are excited to announce the launch of Permit.io’s latest feature: Permit Share-If.

Discover top open-source auth projects enhancing application security, including Hanko, Supabase, and OPAL, for robust authentication and authorization.

Learn what the latest Arc Browser vulnerability can teach us about the proper usage of row-level security.

Discover how AI Identity is transforming Identity and Access Management (IAM). Learn to tackle hybrid identities, dynamic permissions, and proactive security with practical implementations.

Learn how AI identity security is reshaping Identity and Access Management (IAM) and how to tackle these changes with proactive identity security.

Discover strategies to manage AI permissions with Retrieval-Augmented Generation (RAG) and dynamic authorization to ensure AI agents only access authorized data.

Explore how AI in Identity Access Management (IAM) is changing to address the complexities of generative AI. Learn about the challenges and solutions for managing AI-driven identities, permissions, and access control.

Learn about Policy as Code, its use cases, and challenges from leading software developers. Discover tools and frameworks for policy as code implementation, and dive into policy languages like Rego, Cedar, and OpenFGA.

Explore the Policy Engines Showdown: OPA vs. OpenFGA vs. Cedar – Dive into the strengths, trade-offs, and use cases of leading policy engines. Discover how OPA compares to OpenFGA and Cedar for authorization, scalability, and adoption.

Learn about database permissions and authorization, exploring data filtering strategies like application-level checks, PDP filtering, and partial evaluation to enhance security, performance, and scalability for managing user access.

Learn how Open Policy Agent (OPA) is revolutionizing the way developers approach authorization. From managing policies with Rego to handling complex relationship-based access control (ReBAC) scenarios, discover practical OPA strategies, advanced use cases, and real-world insights.

Learn best practices for implementing permissions in Keycloak, from configuration to authorization enforcement. Build scalable access control systems for your applications.

Discover how RBAC transformed access control, why modern apps need more context-driven solutions, and how Fine Grained Authorization (ABAC + ReBAC) extends it for today’s demands.

Cookies are suitable for authentication and session management, while local storage is ideal for storing non-sensitive data on the client side. This detailed guide explains why and when to use each.

Learn how to decouple fine-grained authorization from Firebase Rules, improve them, and expand beyond Firebase Rules for authenticated users by externalizing fine-grained access control.

Explore how to secure AI agents, protect against prompt injections, and manage cascading AI interactions with AI Security Posture Management (AISPM).

Learn how to design your authorization model and architecture with real-world use cases, user management, approval flows, and AI identity support.

Learn the key differences between JWT and opaque bearer tokens, covering how they work, when to use each, and how they impact API authentication, security, and performance.

We surveyed over 200 engineers about how they build and scale authorization. The data reveals where access control is heading, from RBAC and ReBAC to real-time checks and policy languages

PBAC sounds great—until you try to use it. Learn the real challenges of Policy-Based Access Control and how to avoid common pitfalls.