Introducing the New Permit.io CLI: A New Era of Access Control Developer Experience

Bringing Authorization to the Developer Workflow

The CLI is a basic part of any developer’s toolkit - it’s where speed, automation, and developer control meet. When it comes to access control, however, developers are often left with slow, manual, or disconnected workflows. Considering fine-grained authorization is one of the most complex and sensitive parts of any application - that’s a huge problem.

This is why we decided that authorization should be no different from any other part of your software development lifecycle—you should be able to comfortably manage it in the same manner you handle any other part of your software development lifecycle.

That’s why we built the Permit.io CLI: a command-line tool that puts full fine-grained authorization control directly into your hands—fast, testable, automatable, and built for real-world production apps.

The CLI enables developers to define, test, deploy, and enforce complex authorization policies using natural language, AI-powered tools, infrastructure-as-code, and API-first integrations.

It supports managing RBAC, ABAC, ReBAC, or even custom logic with Rego. It also supports GitOps and gives you everything you need to integrate policy management into your CI/CD pipelines and developer environments.

In this post, we’ll introduce the Permit.io CLI through five of the main aspects it allows you to handle—each one designed to help developers simplify how they build, manage, and scale authorization.

TL;DR: What is the Permit CLI?

The Permit CLI is a developer-first tool for managing fine-grained authorization from the terminal. It’s designed to bring the full power of Permit.io—policy creation, testing, deployment, and enforcement—into the CLI, allowing developers to easily automate and scale their access control.

npm i -g @permitio/cli

A full list of the CLI’s commands is available in the CLI Documentation.

Who is it for?

The CLI is intended to fit seamlessly into the workflow of anyone who is accustomed to using their terminal, whether you are a frontend or backend developer, a DevOps engineer, or part of a platform team.

It’s especially valuable if you’re looking to integrate authorization into CI/CD pipelines, write policies as code, or automate complex permission models.

How does it fit in?

The CLI complements Permit’s UI, SDKs, and Terraform provider. While the UI remains great for visual modeling and collaboration, and the SDKs help enforce permissions in code, the CLI is ideal for automating, testing, and deploying policies in structured, repeatable ways.

Some key benefits:

• Fast policy setup with natural language and AI-powered tools
• Built-in policy testing (unit, integration, and E2E)
• Full automation via CI/CD, Terraform, and GitOps
• API-first integration with OpenAPI-based policy mapping
• Rego & custom logic support for advanced use cases

The CLI gives developers a powerful way to build and operate secure, scalable authorization without leaving the terminal.

Fine-Grained Authorization Redefined

Use natural language commands with AI to instantly set up and enforce fine-grained authorization policies.

Writing access control policies used to require knowing your resource model inside and out—and translating business logic into technical rules with painstaking accuracy. But what if you could just describe your permissions model in plain English, and have it turned into code?

The Permit CLI introduces a new way to model and apply fine-grained authorization through AI-assisted workflows, an interactive policy generation wizard, and framework-specific integrations—all directly from the command line.

At its core, this feature set is about lowering the barrier to defining secure, maintainable policies by combining automation with developer-friendly tooling. Here’s how:

AI-Powered Policy Generation: Write a sentence, get a working policy.

Generate customized, ready-to-use policy structures using natural language.

The CLI introduces a command that lets you generate baseline policies using natural language. Just describe what your app does and what kind of access rules you need, and the CLI will generate a structured policy in Permit’s format. For example:

permit policy create ai

Under the hood, this command uses Vercel’s AI SDK and a prompt-tuned GPT model to generate valid Role-Based Access Control (RBAC) policies tailored to your application context. You can immediately review and apply the policy to your environment, or tweak it further via CLI, UI, or Terraform.

Interactive Policy Wizard -

Define resources, generate test users, and assign roles through a simple step-by-step flow.

If you prefer a more guided experience, the permit init command walks you through the full policy modeling process: defining resources, actions, roles, and users.

permit init

From modeling a CMS or banking app to spinning up mock users for testing, the CLI helps you:

• Define your authorization model (posts, comments, tenants, etc.)
• Set up RBAC, ABAC, or ReBAC-style role permissions
• Generate realistic users (e.g., gmanor, mbarak) with roles and tenants
• Run a local PDP and test decisions in real-time

Template-Based Policy Setup -

Use pre-built policy templates to automate rule creation for different industries.

The CLI allows you to speed things up even more with industry-ready templates by providing you with the ability to quickly scaffold a policy using predefined structures.

List all existing policy templates using (we add new ones all the time):

permit env template list

And apply them using the following command:

permit env template apply <template-name>

This saves you a bunch of time when modeling and deploying your policy architecture, and prevents you from having to reinvent the wheel.

A full demonstration of these features is available here:

CI/CD-Friendly Authorization Setup

Most engineering teams today manage environments and deployments through automated pipelines, but authorization is often left behind.

The Permit CLI changes that by giving you powerful tooling to manage fine-grained authorization as part of your software delivery lifecycle.

With just a few commands, you can spin up environments, copy policies across stages, export infrastructure as code, and integrate seamlessly into CI pipelines.

Create and Manage Environments with Code

The Permit CLI allows you to manage multiple environments, like dev, staging, and prod, as isolated authorization contexts:

Creating a new environment is as simple as:

permit env create --api-key permit_key --name "Staging" --description "Staging environment for testing"

Want to promote your policies from one environment to another? Use:

permit env copy --api-key permit_key --from staging --to production

Integrate with GitOps and IaC

The CLI supports full export of your policy schema as Terraform configurations:

permit env export terraform --file permit-policies.tf

This allows you to version-control your authorization logic alongside the rest of your infrastructure - ideal for platform teams practicing GitOps.

Automate Environment Selection and Access

Use permit env select to switch contexts locally or in CI jobs:

permit env select --api-key permit_key_xyz

You can also assign access to team members:

permit env member \\
  --environment staging \\
  --project my-project \\
  --email maya@permit.io \\
  --role Editor

This command is CI-friendly and supports token-based authentication.

Perfect for CI/CD Pipelines

These commands are designed to work well inside CI jobs:

• Use permit login to authenticate non-interactively.
• Automate policy promotion on pull request merges.
• Copy staging → prod on successful integration test runs.
• Manage policy templates, user roles, and environment access—all via scripts.

No need to click through a dashboard. No risk of drift between environments.

The Permit CLI makes authorization fully programmable and pipeline-ready.

Watch a full demo of these features here:

Zero-Effort Policy Testing

Validate your authorization policies with unit, integration, and end-to-end tests.

A misconfigured role or forgotten permission can break critical flows—or worse, expose sensitive data. The Permit CLI allows you to put testability at the core of your authorization workflow:

Generate Realistic End-to-End Tests

The CLI can automatically simulate real-world user behavior and generate comprehensive end-to-end (E2E) policy tests using:

permit test generate e2e --models=RBAC --path=tests.json

Need to preview the test config before applying it?

permit test generate e2e --models=RBAC --path=tests.json --dry-run

You’ll get structured test cases with mock users, roles, and permission checks tailored to your current policy setup. These can be used to validate policy integrity, train your team, or even serve as compliance evidence.

Replay Authorization Logs to Catch Regressions

Already deployed policies? Use your own historical decision logs to verify they still behave as expected:

permit test run audit --pdp-url <http://localhost:7766>

You can filter by time frame, user, resource, or action:

permit test run audit --time-frame 48 --decision allow

This lets you run regression tests on production data before rolling out policy updates, like test coverage for your access control layer.

Unit + Integration = Confidence

Beyond E2E and audit testing, the CLI also supports:

• Unit tests for individual policy components, enabling quick validation of individual rules and conditions
• Integration tests to see how your policies interact with other parts of your system, external services, databases, or APIs
• Custom CI scripts with filtered audit replay

All tests can run locally or be built into your CI pipeline, giving you peace of mind at every stage of deployment.

Watch a full demo of how these work here:

API-First Authorization

Define and enforce API authorization policies using OpenAPI specifications for a smooth API integration.

Most modern applications are API-driven, but enforcing access control at the API layer often becomes a tangled mess of route-level logic and security filters. The Permit CLI introduces a clean, declarative way to model and enforce API-first authorization that maps directly to your real-world routes.

Map Endpoints to Policies with permit api create proxy

With a single command, you can define how HTTP methods and API paths relate to your existing policy:

permit api create proxy \\
  --name "blog-api" \\
  --mapping-rule-method get \\
  --mapping-rule-url <https://api.example.com/posts> \\
  --mapping-rule-resource post \\
  --mapping-rule-action list

Want to support pattern matching or custom headers? You can also specify:

• -mapping-rule-url-type regex
• -mapping-rule-headers "Authorization:Bearer abc"

These mappings let Permit understand that calling GET /posts means the user is trying to list the post resource.

Enforce Policies with URL-Based Checks

Once mappings are defined, you can start checking access for any API call using permit pdp check-url:

permit pdp check-url \\
  --user alice@example.com \\
  --url <https://api.example.com/posts> \\
  --method GET \\
  --tenant acme-org

This command verifies whether the user has permission to access a specific URL, based on your policy—no need to manually translate between routes and resources.

Generate Policies from OpenAPI

The env apply openapi command lets you generate a full policy schema from your existing OpenAPI spec, turning your API structure into enforceable access control rules—without writing a single line of policy by hand.

Generate policy schema from a local OpenAPI file:

$ permit env apply openapi --spec-file ./api-spec.json

Generate from a remote file using an API key:

$ permit env apply openapi \\
  --key permit_key_abc123 \\
  --spec-file <https://raw.githubusercontent.com/daveads/openapispec/main/blog-api.json>

A full list of all OpenAPI extensions is available here.

A full demo of these features is available here:

Why This Matters

• Unified source of truth
  Keep API and policy in sync with a single declarative file.
• Faster policy authoring
  No need to re-specify resources or actions—define once, enforce everywhere.
• CI/CD-ready
  Drop the command into your deployment pipeline and manage policies as code.
• Supports real-world complexity
  With support for derived roles, relationships, and granular roles per resource.

A Better Rego Experience

Extend and customize authorization policies with GitOps flows and custom Rego logic.

Permit.io’s CLI isn’t just for point-and-click users or simple RBAC configurations — it fully supports advanced users who want to harness the power of Open Policy Agent (OPA) and Rego in a GitOps workflow.

GitOps: Manage Authorization as Code

With the CLI, you can now sync Permit environments to GitHub and manage policy configuration just like you would infrastructure or application code.

Use this command to set up a GitOps integration:

$ permit gitops create github

You can also clone a policy-managed environment from your GitOps repo:

$ permit gitops env clone

GitOps ensures reproducibility, code review, and version control for your authorization logic, which is critical for high-assurance environments.

Custom Logic with Rego

Need to extend Permit’s auto-generated policies? Use the CLI to inspect live policies from a running OPA instance:

$ permit opa policy --server-url <http://localhost:8181>

This is useful when:

• You need to debug existing Rego code
• You’re injecting custom PBAC (Policy-Based Access Control) logic
• You're mixing RBAC/ABAC/ReBAC rules with finer-grained constraints

Permit CLI makes it seamless to evolve from UI-driven policy modeling to advanced custom logic without throwing away your existing setup.

Why This Matters?

With Rego + GitOps support, the Permit CLI allows you to:

• Build core access models visually or via AI
• Customize edge cases with Rego
• Validate with CI-compatible tests
• Deploy through version-controlled automation

Watch a full demo here:

The Permit.io CLI - How to Get Started

Getting started with the Permit CLI takes just a few minutes:

Install the CLI

You’ll need Node.js installed. Then simply run:

npm install -g @permitio/cli

This gives you access to all Permit CLI commands via the permit command in your terminal.

Learn More

• Full Documentation: github.com/permitio/permit-cli
• Full command list: https://github.com/permitio/permit-cli?tab=readme-ov-file#full-command-list

Join the Community

We’d love to hear from you:

• 💬 Join us on Slack
• ⭐ Star the GitHub repo
• 🐛 File issues, contribute features, and explore open source

🔧 Try It, Star It, Contribute

The Permit CLI is open source and built with developers in mind. Your feedback and contributions directly shape the roadmap — and the growing community of authorization engineers.

Thank You ❤️

The Permit CLI is more than just a command-line utility—it’s the foundation of a developer-first authorization workflow. It integrates UI, SDKs, CI/CD, AI, Rego, and GitOps into one cohesive toolchain.

As apps grow more dynamic and teams become more distributed, managing fine-grained access shouldn’t be a bottleneck. The CLI ensures it never is.

Thank you to everyone who participated in the CLI Launch Week. Your questions, feedback, and contributions have been essential in shaping the Permit developer experience.

Whether you’re building for five users or five million, the CLI is here to help you ship secure access control at scale.

Try it, break it, tell us what you need — and let’s keep building together.