# The server section specifies the HTTP and gRPC server settings,# including whether or not TLS is enabled and the certificate and# key file locations.server:rate_limit:100 http:enabled:trueport:3476 tls:enabled:truecert: /etc/letsencrypt/live/yourdomain.com/fullchain.pemkey: /etc/letsencrypt/live/yourdomain.com/privkey.pem grpc:port:3478 tls:enabled:truecert: /etc/letsencrypt/live/yourdomain.com/fullchain.pemkey: /etc/letsencrypt/live/yourdomain.com/privkey.pem# The logger section sets the logging level for the service.logger:level: info# The profiler section enables or disables the pprof profiler and# sets the port number for the profiler endpoint.profiler:enabled:trueport:6060# The authn section specifies the authentication method for the service.authn:enabled:truemethod: preshared preshared:keys:[]# The tracer section enables or disables distributed tracing and sets the# exporter and endpoint for the tracing data.tracer:exporter: zipkinendpoint: http://localhost:9411/api/v2/spansenabled:true# The meter section enables or disables metrics collection and sets the# exporter and endpoint for the collected metrics.meter:exporter: otlpendpoint: localhost:4318enabled:true# The service section sets various service-level settings, including whether# or not to use a circuit breaker, and cache sizes for schema, permission,# and relationship data.service:circuit_breaker:false watch:enabled:false schema: cache:number_of_counters: 1_000max_cost: 10MiB permission:bulk_limit:100concurrency_limit:100 cache:number_of_counters: 10_000max_cost: 10MiB# The database section specifies the database engine and connection settings,# including the URI for the database, whether or not to auto-migrate the database,# and connection pool settings.database:engine: postgresuri: postgres://user:password@host:5432/db_nameauto_migrate:falsemax_open_connections:20max_idle_connections:1max_connection_lifetime: 300smax_connection_idle_time: 60s garbage_collection:enabled:trueinterval: 200hwindow: 200htimeout: 5m# distributed configuration settingsdistributed:# Indicates whether the distributed mode is enabled or notenabled:true# The address of the distributed service.# Using a Kubernetes DNS name suggests this service runs in a Kubernetes cluster# under the 'default' namespace and is named 'permify'address:"kubernetes:///permify.default"# The port on which the service is exposedport:"5000"
Authentication method can be either oidc or preshared.
[ ]
enabled
true
switch option authentication config
[x]
keys
-
Private key/keys for server authentication. Permify does not provide this key, so it must be generated by the users.
ENV
Argument
ENV
Type
authn-enabled
PERMIFY_AUTHN_ENABLED
boolean
authn-method
PERMIFY_AUTHN_METHOD
string
authn-preshared-keys
PERMIFY_AUTHN_PRESHARED_KEYS
string array
OpenID Connect
Permify supports OpenID Connect (OIDC). OIDC provides an identity layer on top of OAuth 2.0 to address the shortcomings
of using OAuth 2.0 for establishing identity.
With this authentication method, you be able to integrate your existing Identity Provider (IDP) to validate JSON Web
Tokens (JWTs) using JSON Web Keys (JWKs). By doing so, only trusted tokens from the IDP will be accepted for
authentication.
Authentication method can be either oidc or preshared.
[ ]
enabled
false
Switch option to enable or disable authentication config.
[x]
audience
-
The audience identifies the intended recipients of the token, typically the API or resource server. It ensures tokens are used only by the authorized party.
[x]
issuer
-
This is the URL of the provider that is responsible for authenticating users. You will use this URL to discover information about the provider in step 1 of the authentication process.
[x]
refresh_interval
15m
The interval at which the authentication information should be refreshed to ensure that it remains valid and up-to-date.
[x]
backoff_interval
12s
The delay between retries when attempting to authenticate if the key is not found. The system will retry at intervals, which may vary, to avoid constant retry attempts.
[x]
backoff_frequency
-
The duration to wait before retrying after a failed authentication attempt. This helps to manage the load on the authentication service by introducing a delay between retries, ensuring that repeated failures do not overwhelm the service or lead to excessive requests. This value should be configured according to the expected response times and reliability of the authentication provider.
[x]
backoff_max_retries
5
The maximum number of retry attempts to make if key is not found.
[x]
valid_methods
[“RS256”,“HS256”]
A list of accepted signing methods for tokens. This ensures that only tokens signed using one of the specified algorithms will be considered valid.
ENV
Argument
ENV
Type
authn-enabled
PERMIFY_AUTHN_ENABLED
boolean
authn-method
PERMIFY_AUTHN_METHOD
string
authn-oidc-issuer
PERMIFY_AUTHN_OIDC_ISSUER
string
authn-oidc-audience
PERMIFY_AUTHN_OIDC_AUDIENCE
string
authn-oidc-refresh-interval
PERMIFY_AUTHN_OIDC_REFRESH_INTERVAL
duration
authn-oidc-backoff-interval
PERMIFY_AUTHN_OIDC_BACKOFF_INTERVAL
duration
authn-oidc-backoff-frequency
PERMIFY_AUTHN_OIDC_BACKOFF_FREQUENCY
duration
authn-oidc-backoff-max-retries
PERMIFY_AUTHN_OIDC_BACKOFF_RETRIES
int
authn-oidc-valid-methods
PERMIFY_AUTHN_OIDC_VALID_METHODS
string array
Definition
Permify integrated with jaeger, otlp, signoz, and zipkin tacing tools to analyze performance and behavior of
your
authorization when using Permify.
Configurations for the database that points out where your want to store your authorization data (relation tuples,
audits, decision logs, authorization model)
Data source. Permify supports PostgreSQL('postgres') for now. Contact with us for your preferred database.
[x]
uri
-
Uri of your data source.
[ ]
auto_migrate
true
When its configured as false migrating flow won’t work.
[ ]
max_open_connections
20
Configuration parameter determines the maximum number of concurrent connections to the database that are allowed.
[ ]
max_idle_connections
1
Determines the maximum number of idle connections that can be held in the connection pool.
[ ]
max_connection_lifetime
300s
Determines the maximum lifetime of a connection in seconds.
[ ]
max_connection_idle_time
60s
Determines the maximum time in seconds that a connection can remain idle before it is closed.
[ ]
enable (for garbage collection)
false
Switch option for garbage collection.
[ ]
interval
3m
Determines the run period of a Garbage Collection operation.
[ ]
timeout
3m
Sets the duration of the Garbage Collection timeout.
[ ]
window
720h
Determines how much backward cleaning the Garbage Collection process will perform.
ENV
Argument
ENV
Type
database-engine
PERMIFY_DATABASE_ENGINE
string
database-uri
PERMIFY_DATABASE_URI
string
database-auto-migrate
PERMIFY_DATABASE_AUTO_MIGRATE
boolean
database-max-open-connections
PERMIFY_DATABASE_MAX_OPEN_CONNECTIONS
int
database-max-idle-connections
PERMIFY_DATABASE_MAX_IDLE_CONNECTIONS
int
database-max-connection-lifetime
PERMIFY_DATABASE_MAX_CONNECTION_LIFETIME
duration
database-max-connection-idle-time
PERMIFY_DATABASE_MAX_CONNECTION_IDLE_TIME
duration
database-garbage-collection-enabled
PERMIFY_DATABASE_GARBAGE_COLLECTION_ENABLED
boolean
database-garbage-collection-interval
PERMIFY_DATABASE_GARBAGE_COLLECTION_INTERVAL
duration
database-garbage-collection-timeout
PERMIFY_DATABASE_GARBAGE_COLLECTION_TIMEOUT
duration
database-garbage-collection-window
PERMIFY_DATABASE_GARBAGE_COLLECTION_WINDOW
duration
Definition
Configurations for the permify service and how it should behave. You can configure the circuit breaker pattern,
configuration watcher, and service specific options for permission and schema services (rate limiting, concurrency
limiting, cache size).
pprof is a performance profiler for Go programs. It allows developers to analyze and understand the performance
characteristics of their code by generating detailed profiles of program execution
Structure
├── profiler| ├── enabled| ├── port
Glossary
Required
Argument
Default
Description
[ ]
enabled
true
switch option for profiler.
[x]
port
-
port that profiler runs on (default: 6060).
ENV
Argument
ENV
Type
profiler-enabled
PERMIFY_PROFILER_ENABLED
boolean
profiler-port
PERMIFY_PROFILER_PORT
string
Definition
A consistent hashing ring ensures data distribution that minimizes reorganization when nodes are added or removed,
improving scalability and performance in distributed systems.”
Structure
├── distributed| ├── enabled| ├── address| ├── port