Introduction to Permguard
PermGuard is a modern, open-source authorization provider designed to follow Zero Trust principles.
It uses the Zero Trust Auth* (ZTAuth*) architecture to ensure that every access request is continuously verified, regardless of application boundaries or context.
The main idea is to ensure that trust is never assumed but always validated at the application boundary. Integrating PermGuard to handle incoming requests ensures that every request is verified before access is granted.
This applies not only to APIs but also to any type of incoming request, including async messages, WebSocket connections, and more.
Each incoming request generates an authorization request that is evaluated by the PermGuard Authorization Server. The server responds with a decision to either allow or deny the request.

Designed for cloud-native, edge, and multi-tenant environments, PermGuard can be used in any context, including IoT, AI agents, and more. It allows you to update authorization policies without modifying your application code, saving time and effort.
These policies are centrally managed, allowing organizations to enforce consistent security rules across multiple applications without changing each service individually. This ensures compliance with corporate governance by providing a single point of control for defining, updating, and auditing authorization policies in real time.
PermGuard is powerful yet easy to use. Its advanced architecture ensures security and flexibility, while integration remains simple—whether for a basic app or a complex enterprise system. Just run the server, define your policy, and integrate it seamlessly.
PermGuard can be deployed anywhere: public or private clouds, managed infrastructure, Kubernetes, serverless systems, or even in partially connected environments where stable connectivity is limited. It is also a great fit for edge nodes and IoT ecosystems, providing secure and consistent permission management across different environments.

It follows a Bring Your Own Identity (BYOI) approach, meaning it integrates with your existing authentication system instead of replacing it.
You can configure identity sources to sync identities from your current identity provider, ensuring that all permissions are managed consistently and centrally, regardless of where you use PermGuard.
The main goal of PermGuard is to provide a strong authorization system with built-in administrative tools. It connects to identity sources through ingestion APIs, but these must be integrated with custom solutions. This keeps PermGuard flexible and easy to manage without unnecessary complexity.
The solution is language-agnostic, supporting multiple policy languages, starting with Cedar Policy Language.
Developers can choose their preferred language from the supported options while ensuring that all federated PermGuard servers work smoothly together, even if they use different languages internally.

A schema in PermGuard defines Namespaces, Resources, and Actions, ensuring consistency.
Each language is integrated with a lightweight abstraction layer, providing flexibility while reserving only a few keywords.
To enforce access control, the application can use an SDK or directly integrate with the native APIs.

This approach allows precise control over who or what can access resources while keeping the system flexible and easy to use.
Who: Identities (Users and Actors)
Can Access: Permissions granted by attaching policies
Resources: Resources targeted by permissions
