```yaml
# The server section specifies the HTTP and gRPC server settings,
# including whether or not TLS is enabled and the certificate and
# key file locations.
server:
  rate_limit: 100
  http:
    enabled: true
    port: 3476
    tls:
      enabled: true
      cert: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
      key: /etc/letsencrypt/live/yourdomain.com/privkey.pem
  grpc:
    port: 3478
    tls:
      enabled: true
      cert: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
      key: /etc/letsencrypt/live/yourdomain.com/privkey.pem

# The logger section sets the logging level for the service.
logger:
  level: info

# The profiler section enables or disables the pprof profiler and
# sets the port number for the profiler endpoint.
profiler:
  enabled: true
  port: 6060

# The authn section specifies the authentication method for the service.
authn:
  enabled: true
  method: preshared
  preshared:
    keys: []

# The tracer section enables or disables distributed tracing and sets the
# exporter and endpoint for the tracing data.
tracer:
  exporter: zipkin
  endpoint: http://localhost:9411/api/v2/spans
  enabled: true

# The meter section enables or disables metrics collection and sets the
# exporter and endpoint for the collected metrics.
meter:
  exporter: otlp
  endpoint: localhost:4318
  enabled: true

# The service section sets various service-level settings, including whether
# or not to use a circuit breaker, and cache sizes for schema, permission,
# and relationship data.
service:
  circuit_breaker: false
  watch:
    enabled: false
  schema:
    cache:
      number_of_counters: 1_000
      max_cost: 10MiB
  permission:
    bulk_limit: 100
    concurrency_limit: 100
    cache:
      number_of_counters: 10_000
      max_cost: 10MiB

# The database section specifies the database engine and connection settings,
# including the URI for the database, whether or not to auto-migrate the database,
# and connection pool settings.
database:
  engine: postgres
  uri: postgres://user:password@host:5432/db_name
  auto_migrate: false
  max_open_connections: 20
  max_idle_connections: 1
  max_connection_lifetime: 300s
  max_connection_idle_time: 60s
  garbage_collection:
    enabled: true
    interval: 200h
    window: 200h
    timeout: 5m

# distributed configuration settings
distributed:
  # Indicates whether the distributed mode is enabled or not
  enabled: true
  # The address of the distributed service.
  # Using a Kubernetes DNS name suggests this service runs in a Kubernetes cluster
  # under the 'default' namespace and is named 'permify'
  address: "kubernetes:///permify.default"
  # The port on which the service is exposed
  port: "5000"
```
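As an added example (not Permify's own code), the following script runs a hardening review over a config shaped like the reference above, held as a Python dict so it needs no YAML library. The config it checks is constructed (it mirrors the reference but disables HTTP TLS), and the `authn.oidc.*` key names are assumed from the ENV names on this page.

```python
# Added example, not Permify's own code: a hardening review of a config shaped
# like the YAML reference above, held as a dict so no YAML library is needed.
# WEAK_CONFIG is constructed; "authn.oidc.*" key names are assumed from ENV names.
WEAK_CONFIG = {
    "server": {
        "http": {"enabled": True, "port": 3476, "tls": {"enabled": False}},
        "grpc": {"port": 3478, "tls": {"enabled": True}},
    },
    "profiler": {"enabled": True, "port": 6060},
    "authn": {"enabled": True, "method": "preshared", "preshared": {"keys": []}},
    "database": {"engine": "postgres",
                 "uri": "postgres://user:password@host:5432/db_name"},
}

def audit(cfg):
    """Return (severity, message) findings in config order; empty means clean."""
    out = []
    authn = cfg.get("authn", {})
    oidc = authn.get("oidc", {})
    methods = oidc.get("valid_methods", ["RS256", "HS256"])  # page default
    if not authn.get("enabled"):
        out.append(("fail", "authn.enabled is false: the API takes unauthenticated calls"))
    elif authn.get("method") == "preshared" and not authn.get("preshared", {}).get("keys"):
        out.append(("fail", "authn.preshared.keys is empty: generate a key and set "
                            "PERMIFY_AUTHN_PRESHARED_KEYS or the keys list"))
    elif authn.get("method") == "oidc":
        for req in ("issuer", "audience"):  # marked required on the page
            if not oidc.get(req):
                out.append(("fail", f"authn.oidc.{req} is required but unset"))
        if not str(oidc.get("issuer", "")).startswith("https://"):
            out.append(("warn", "authn.oidc.issuer is not https; discovery and "
                                "JWKS fetches would be unprotected"))
        if "HS256" in methods and any(m.startswith("RS") for m in methods):
            out.append(("warn", "authn.oidc.valid_methods mixes HS256 with RS*; list "
                                "only the method your IDP signs with"))
    for name in ("http", "grpc"):
        lst = cfg.get("server", {}).get(name, {})
        if lst.get("enabled", True) and not lst.get("tls", {}).get("enabled"):
            out.append(("warn", f"server.{name} on port {lst.get('port')} has TLS disabled"))
    prof = cfg.get("profiler", {})
    if prof.get("enabled"):
        out.append(("warn", f"profiler (pprof) enabled on port {prof.get('port')}; "
                            "disable or restrict it outside development"))
    uri = cfg.get("database", {}).get("uri", "")
    userinfo = uri.split("//", 1)[-1].split("@", 1)[0] if "@" in uri else ""
    if ":" in userinfo:
        out.append(("info", "database.uri embeds a password; prefer PERMIFY_DATABASE_URI "
                            "injected from a secret store"))
    return out
```

Run it against the reference config before deployment; a clean result is an empty list, and each finding names the YAML path to change.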
Authentication method can be either oidc or preshared.

| Required | Argument | Default | Description |
|----------|----------|---------|-------------|
| [ ] | enabled | true | Switch option for authentication config. |
| [x] | keys | - | Private key/keys for server authentication. Permify does not provide this key, so it must be generated by the users. |

### ENV

| Argument | ENV | Type |
|----------|-----|------|
| authn-enabled | PERMIFY_AUTHN_ENABLED | boolean |
| authn-method | PERMIFY_AUTHN_METHOD | string |
| authn-preshared-keys | PERMIFY_AUTHN_PRESHARED_KEYS | string array |
## OpenID Connect

Permify supports OpenID Connect (OIDC). OIDC provides an identity layer on top of OAuth 2.0 to address the shortcomings of using OAuth 2.0 for establishing identity.

With this authentication method, you will be able to integrate your existing Identity Provider (IDP) to validate JSON Web Tokens (JWTs) using JSON Web Keys (JWKs). By doing so, only trusted tokens from the IDP will be accepted for authentication.
Authentication method can be either oidc or preshared.

| Required | Argument | Default | Description |
|----------|----------|---------|-------------|
| [ ] | enabled | false | Switch option to enable or disable authentication config. |
| [x] | audience | - | The audience identifies the intended recipients of the token, typically the API or resource server. It ensures tokens are used only by the authorized party. |
| [x] | issuer | - | This is the URL of the provider that is responsible for authenticating users. You will use this URL to discover information about the provider in step 1 of the authentication process. |
| [x] | refresh_interval | 15m | The interval at which the authentication information should be refreshed to ensure that it remains valid and up-to-date. |
| [x] | backoff_interval | 12s | The delay between retries when attempting to authenticate if the key is not found. The system will retry at intervals, which may vary, to avoid constant retry attempts. |
| [x] | backoff_max_retries | 5 | The maximum number of retry attempts to make if the key is not found. |
| [x] | valid_methods | ["RS256", "HS256"] | A list of accepted signing methods for tokens. This ensures that only tokens signed using one of the specified algorithms will be considered valid. |

### ENV

| Argument | ENV | Type |
|----------|-----|------|
| authn-enabled | PERMIFY_AUTHN_ENABLED | boolean |
| authn-method | PERMIFY_AUTHN_METHOD | string |
| authn-oidc-issuer | PERMIFY_AUTHN_OIDC_ISSUER | string |
| authn-oidc-audience | PERMIFY_AUTHN_OIDC_AUDIENCE | string |
| authn-oidc-refresh-interval | PERMIFY_AUTHN_OIDC_REFRESH_INTERVAL | duration |
| authn-oidc-backoff-interval | PERMIFY_AUTHN_OIDC_BACKOFF_INTERVAL | duration |
| authn-oidc-backoff-max-retries | PERMIFY_AUTHN_OIDC_BACKOFF_RETRIES | int |
| authn-oidc-valid-methods | PERMIFY_AUTHN_OIDC_VALID_METHODS | string array |
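To show what the issuer, audience and valid_methods settings above actually enforce on an incoming JWT, here is an added example that is not Permify's code. The token minter and the HS256 verifier are constructed stand-ins for the IDP and its JWKS so the block runs on the Python standard library alone; a real deployment lists the IDP's asymmetric signing method and verifies against the fetched JWKs.

```python
# Added example, not Permify's own code: the checks the issuer, audience and
# valid_methods settings drive, applied in a fixed order. make_token and
# hs256_verify are constructed stand-ins for the IDP and its JWKS.
import base64, hashlib, hmac, json, time

OIDC_CFG = {"issuer": "https://idp.example.com", "audience": "permify",
            "valid_methods": ["HS256"]}  # demo allow-list, constructed
SECRET = b"constructed-demo-secret"      # stands in for the IDP signing key

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, alg: str = "HS256") -> str:
    """Constructed IDP: header says `alg` as asked (for negative tests); MAC is HS256."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def hs256_verify(alg: str, signing_input: bytes, sig: bytes) -> bool:
    """Constructed JWKS stand-in: only the demo HS256 secret is known."""
    if alg != "HS256":
        return False
    return hmac.compare_digest(hmac.new(SECRET, signing_input, hashlib.sha256).digest(), sig)

def validate(token: str, cfg: dict, verify_sig, now=None):
    """Return (accepted, reason). valid_methods is applied before the signature
    is looked at, so a token header cannot choose the verifier."""
    try:
        head_s, body_s, sig_s = token.split(".")
        header = json.loads(b64url_decode(head_s))
        claims = json.loads(b64url_decode(body_s))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed token"
    alg = header.get("alg")
    if alg not in cfg["valid_methods"]:
        return False, f"alg {alg!r} not in valid_methods"
    if not verify_sig(alg, f"{head_s}.{body_s}".encode(), b64url_decode(sig_s)):
        return False, "signature check failed"
    if claims.get("iss") != cfg["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "token expired"
    return True, "ok"
```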
### Definition

Permify integrates with the jaeger, otlp, signoz, and zipkin tracing tools to analyze the performance and behavior of your authorization when using Permify.
Configurations for the database that point out where you want to store your authorization data (relation tuples, audits, decision logs, authorization model).

| Required | Argument | Default | Description |
|----------|----------|---------|-------------|
| | engine | | Data source. Permify supports PostgreSQL ('postgres') for now. Contact us for your preferred database. |
| [x] | uri | - | URI of your data source. |
| [ ] | auto_migrate | true | When it is configured as false, the migration flow won't run. |
| [ ] | max_open_connections | 20 | Determines the maximum number of concurrent connections to the database that are allowed. |
| [ ] | max_idle_connections | 1 | Determines the maximum number of idle connections that can be held in the connection pool. |
| [ ] | max_connection_lifetime | 300s | Determines the maximum lifetime of a connection in seconds. |
| [ ] | max_connection_idle_time | 60s | Determines the maximum time in seconds that a connection can remain idle before it is closed. |
| [ ] | enabled (for garbage collection) | false | Switch option for garbage collection. |
| [ ] | interval | 3m | Determines the run period of a garbage collection operation. |
| [ ] | timeout | 3m | Sets the duration of the garbage collection timeout. |
| [ ] | window | 720h | Determines how far back in time the garbage collection process will clean. |
### ENV

| Argument | ENV | Type |
|----------|-----|------|
| database-engine | PERMIFY_DATABASE_ENGINE | string |
| database-uri | PERMIFY_DATABASE_URI | string |
| database-auto-migrate | PERMIFY_DATABASE_AUTO_MIGRATE | boolean |
| database-max-open-connections | PERMIFY_DATABASE_MAX_OPEN_CONNECTIONS | int |
| database-max-idle-connections | PERMIFY_DATABASE_MAX_IDLE_CONNECTIONS | int |
| database-max-connection-lifetime | PERMIFY_DATABASE_MAX_CONNECTION_LIFETIME | duration |
| database-max-connection-idle-time | PERMIFY_DATABASE_MAX_CONNECTION_IDLE_TIME | duration |
| database-garbage-collection-enabled | PERMIFY_DATABASE_GARBAGE_COLLECTION_ENABLED | boolean |
| database-garbage-collection-interval | PERMIFY_DATABASE_GARBAGE_COLLECTION_INTERVAL | duration |
| database-garbage-collection-timeout | PERMIFY_DATABASE_GARBAGE_COLLECTION_TIMEOUT | duration |
| database-garbage-collection-window | PERMIFY_DATABASE_GARBAGE_COLLECTION_WINDOW | duration |
### Definition

Configurations for the Permify service and how it should behave. You can configure the circuit breaker pattern, the configuration watcher, and service-specific options for the permission and schema services (rate limiting, concurrency limiting, cache size).

pprof is a performance profiler for Go programs. It allows developers to analyze and understand the performance characteristics of their code by generating detailed profiles of program execution.
### Structure

```text
├── profiler
|   ├── enabled
|   ├── port
```
### Glossary

| Required | Argument | Default | Description |
|----------|----------|---------|-------------|
| [ ] | enabled | true | Switch option for the profiler. |
| [x] | port | - | Port that the profiler runs on (default: 6060). |
### ENV

| Argument | ENV | Type |
|----------|-----|------|
| profiler-enabled | PERMIFY_PROFILER_ENABLED | boolean |
| profiler-port | PERMIFY_PROFILER_PORT | string |
### Definition

A consistent hashing ring ensures data distribution that minimizes reorganization when nodes are added or removed, improving scalability and performance in distributed systems.