Implementing Authentication and Authorization in Next.js
Learn how to implement a complete authentication and authorization solution in Next.js with this step-by-step implementation guide.
Application authorization enthusiast with years of experience in customer engineering, technical writing, and open-source community advocacy. Community Manager, Dev. Convention Extrovert and Meme Enthusiast.
Learn how to use JWTs for authorization the right way. This guide covers best practices, common mistakes, and why JWTs should carry identity, not permissions.
We surveyed over 200 engineers about how they build and scale authorization. The data reveals where access control is heading, from RBAC and ReBAC to real-time checks and policy languages.
Enforcing fine-grained access control is critical for AI-driven applications. Permit.io AI Access Control introduces a new Four-Perimeter Framework as well as a set of new integrations—PydanticAI, LangChain, MCP, and LangFlow—ensuring secure prompts, controlled AI workflows, and identity-aware AI decisions.
Learn how to implement serverless authorization in your Node.js applications using the Serverless Framework. Set up access control with roles, attributes, and relationships using AWS Lambda and Permit.io.
How Salt Security integrated Fine-Grained Authorization (FGA) to enhance security, compliance, and user flexibility.
Learn how to design your authorization model and architecture with real-world use cases, user management, approval flows, and AI identity support.
Machine identity security is essential as AI agents become integral to your application. Discover best practices for managing access, auditing AI actions, and preventing cascading trust attacks.
Machine identities are set to outnumber human users in every system. Learn why treating machine identities like human ones is crucial for security, access control, and future-proofing your applications.
Explore how to secure AI agents, protect against prompt injections, and manage cascading AI interactions with AI Security Posture Management (AISPM).
Learn how to decouple fine-grained authorization from Firebase Rules, improve them, and expand beyond Firebase Rules for authenticated users by externalizing fine-grained access control.
Multi-tenant authorization combined with Role-Based Access Control (RBAC) simplifies user permissions management across different accounts, organizations, or groups. In this guide, we’ll explore why and how to implement Multi-Tenant authorization using Permit.io.
Cookies are suitable for authentication and session management, while local storage is ideal for storing non-sensitive data on the client side. This detailed guide explains why and when to use each.
Explore token-based authentication, its advantages over sessions, various token types, and the role of authorization tokens in security.
Learn from a real case study how to Shift-Left in a way that will impact the product's security. Minimize friction between security and development teams.
How externalizing authorization helped Centauri AI secure financial data while focusing on core product development.
Learn best practices for implementing permissions in Keycloak, from configuration to authorization enforcement. Build scalable access control systems for your applications.
Externalizing FGA allows developers to focus on core application features while ensuring secure authorization – A case study of HippHealth’s experience with Fine-Grained Authorization (FGA).
Learn how Open Policy Agent (OPA) is revolutionizing the way developers approach authorization. From managing policies with Rego to handling complex relationship-based access control (ReBAC) scenarios, discover practical OPA strategies, advanced use cases, and real-world insights.
Step-by-step guide on how to build RBAC with Keycloak and implement dynamic policy rules with Permit.io into Keycloak RBAC, including a practical Keycloak RBAC example.
Authentication (AuthN) and Authorization (AuthZ) are two critical Identity and Access Management (IAM) concepts. Although often confused, they have distinct meanings and functions.
Explore the Policy Engines Showdown: OPA vs. OpenFGA vs. Cedar – Dive into the strengths, trade-offs, and use cases of leading policy engines. Discover how OPA compares to OpenFGA and Cedar for authorization, scalability, and adoption.
Learn about Policy as Code, its use cases, and challenges from leading software developers. Discover tools and frameworks for policy as code implementation, and dive into policy languages like Rego, Cedar, and OpenFGA.
See how Maricopa County used Fine-Grained Authorization (FGA) to secure its voting system. A case study for developers protecting data in large-scale operations.
Permit.io Launch Week unveils new features to enhance developer experience, streamline policy decisions, simplify modeling, and boost performance with daily updates, live demos, and exciting integrations.
Discover the Log Forwarder for better observability, Local Facts for direct updates to PDPs, and Offline Mode for reliable decision-making without cloud connectivity.
Learn how to integrate with Langflow for AI/LLM, Stytch for authentication, SCIM for user provisioning, and GitHub Actions to automate authorization in your CI/CD pipeline.
Learn about the new Terraform Provider, Groups API, and Foreign Key Conditions for easier, more efficient management of RBAC, ReBAC, and ABAC policies in your applications.
Explore how Permit.io is revolutionizing decision-making with new features like Couchbase data filtering, partial evaluation, RBAC CASL, and scaling OPA with SQLite.
Discover how Permit.io is enhancing the developer experience with new features, including the open-sourcing of the Permit CLI, Approval Flow, a documentation revamp, and Guarding Policies.
Open Policy Administration Layer (OPAL) is an open-source administration layer for OPA and AWS' Cedar Agent that allows you to keep your authorization layer up-to-date in real time.
Today, we are excited to announce the launch of Permit.io’s latest feature: Permit Share-If.
Developer conferences are a great way to get more eyes on your startup. In this guide, we cover everything we learned about making the most out of them.
Preventing broken access control vulnerabilities: a CISO's perspective on the components and importance of proper permission management for cloud-native apps.
What has changed, in both the challenges and the solutions, and how can we adapt to these changes?
Externalizing FGA allows developers to focus on core application features while ensuring secure authorization - A case study of Honeycombs’ experience with FGA.
Externalizing FGA allows developers to focus on core application features, ensuring secure access control - A case study of Rivulis’ experience with FGA.
Learn how to use JWT for authorization, understand the basics of what JWT is, and explore examples of proper JWT usage in authentication and authorization.
Learn how to build cloud-native authorization systems with CI/CD, thorough testing, and precise modeling and implementation.
Learn how to protect user data from AI crawlers with Fine-Grained Authorization (FGA) by identifying bots, classifying data, and empowering users with control.
The Bikini Bottom guide to RBAC authorization models and their implementation with OPA
What is Relationship Based Access Control, when should it be used, how can you implement it in your application, and how can you provide a UI for managing it?
Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC) - how to make the most suitable choice for your application?
Discover best practices for authorization in REST API. Learn about API authorization layers, actors, tools like Permit.io and OPAL.
RBAC provides a simple, intuitive authorization solution, while ABAC allows for more fine-grained, dynamic authorization. Learn how to combine the strengths of both.
Authorization as a Service provides a solution for managing user access and permissions in applications. Learn when you might want to consider such a service, how it can streamline your authorization implementation, and simplify permission management.
What is Attribute Based Access Control, when should it be used, how can you implement it in your application, and how can you provide a UI for managing it?
Discover how Discord built "Access!" - a secure, user-friendly portal for managing authorization - and what you should use to cover your entire user stack.
A guide to the most common access control terms. Learn how to integrate MAC, DAC, and RBAC, and how the rise of FGA can help your application's access control.
Google designed its Zanzibar authorization system to handle its complex access needs. See how you can leverage this to create fine-grained ReBAC in your app.
Scale is a challenge that every developer encounters at some point - how did Reddit approach this challenge, and what can we learn from it?
Learn best practices for managing user roles and access delegation and how to implement a cascading authorization model to enhance your app's access control.
Learn how to quickly create and implement custom user experiences for your application with User Attributes and Feature Flags.
Learn how, when, and where to use OAuth scopes for authorization. Get a clear understanding of OAuth scopes definition and their proper usage.
10 topics, 45 questions: Authorization is part of every app—here are the questions you NEED to ask yourself before you implement this critical security feature
How to Build The Right App Authorization Solution - An Intro to Open Policy Agent
Policy languages and frameworks like OPA, Cedar, and OpenFGA are rising in popularity. Explore the solutions they provide, and the benefits of using them.
We just launched our developer tool on Product Hunt and got 'Product of the Day'. Here's how we did it. Some useful growth hacking tips.
OPA just announced its newest version, 1.0. How does it affect you? What does it mean? What's new? Find out here -
Learn how to implement fine-grained RBAC, ABAC, and ReBAC authorization in a Next.js application using a working demo of a mobile plan management application.
Learn how to implement Relationship-Based Access Control (ReBAC) with OPA - an open source policy engine for controlling access to systems and resources.
Learn how to implement proper authorization for a healthcare app with the help of Galactic Health Corporation - a Rick & Morty inspired healthcare application.
Learn how Reddit built its advanced Ad Tech authorization system with Open Policy Agent (OPA) and how you can build one yourself with OPAL!
Protecting your user's personal medical information is vital in healthcare apps. Here's how to make sure you're doing everything to keep that data safe -
If you've worked on authorization before, you know that sometimes standard policy models just aren't enough. What can we do then? Let's find out -
How Google built its access control with Google Zanzibar, and how you can model and build a 'Google Drive' style authorization system for your app yourself!
Get ready to rumble! Join us on a quest to find the best authorization policy model in an epic battle royale: RBAC vs. ABAC vs. ReBAC
Explore top developer communities like Next.js and OpenAI. Dive into knowledge-rich hubs, collaborate, learn from experts, and stay ahead in tech trends.
"Shift-Left" is great, but often results in endless tasks and tools for devs instead of addressing the real issues. How can we avoid it? Implement good DevEx.
ABAC vs. ReBAC - A comprehensive guide to the pros, cons, use cases, and implementation of these common authorization models
RBAC vs. ReBAC - A comprehensive guide to the pros, cons, use cases, and implementation of these common authorization models
Choosing the right policy agent to handle your authorization is not a simple task - each offers its benefits and has its drawbacks. How to choose? Read here.
How (and why) should you implement RBAC with AWS' new Cedar policy engine?
Having an authorization layer is a must. But should you build one yourself?
Why and how you should enhance your application's security and compliance with authorization audit logs.
AWS' new Cedar policy language is now open-source and live! See how you can make the best use of it with Permit.io
Migrating from Role-based access control (RBAC) to Attribute-based access control (ABAC) can prove quite challenging - here's how you can do it painlessly.
When building an app, good authorization is a must, and planning it ahead is critical. How do you plan effective, secure, and scalable AuthZ? Learn here -
5 key factors for effective & scalable app authorization: simplicity, flexibility, compliance & more.
How Netflix solved the challenge of authorizing millions of users by using OPA, how you can adopt this solution, and possibly create something even better.
Access control is a must in every app, yet most developers build and rebuild it time and time again. Why? Usually, they make one of these four crucial mistakes -
A view of OPAL + OPA as an alternative to XACML
The Bikini Bottom guide to ABAC authorization models and their implementation with OPA
Centralized IAM, and the benefits of implementing it in your organization.
The latest OWASP "Top 10 API Security Risks" report once again lists "Broken Object Level Authorization" as its number one vulnerability. What can be done about it?
Access Control is a main concern when developing web applications - and the NSA has a lot to say about it, especially the biggest pitfall developers make.
Permit.io's top 6 developer podcasts of 2022 that are definitely worth your time and attention