Graph-powered permissions for the AI era
Industry: Technology
Outcome: Graph-powered platform with increased scalability, flexible deployment options, and reduced latency and complexity.
Permit.io provides permissions for the AI era through full-stack authorisation-as-a-service, making it simple for developers to build and enforce zero-latency fine-grained permissions in any application. Their platform combines Policy-as-Code, infrastructure integrations, SDKs, APIs, and user-facing tools.
Scaling beyond in-memory limits
As adoption grew, Permit.io hit scaling bottlenecks with their internally developed solution - an in-memory graph engine for Open Policy Agent (OPA). The system stored identities and relationships in memory, which worked for early deployments but limited their ability to scale past tens of millions of relationships. Customers pushing to 10M - 100M identities were beginning to run into hard technical ceilings.
“Graph queries are central to how we enforce policies at scale. But with in-memory storage, we were constrained by memory limits and complexity,” said Omer Zuarets, Chief Architect at Permit.io.
Why SurrealDB
Permit.io turned to SurrealDB to break through those limitations. With SurrealDB’s graph-native queries and flexible deployment models, the engineering team could scale authorisation workloads far beyond what was possible in memory. SurrealDB’s concept of namespaces and databases enables true multi-tenancy, letting Permit.io isolate data for thousands of customers while maintaining performance and security. SurrealDB’s ability to embed directly into Rust services meant Permit.io could deploy lightweight PDPs (Policy Decision Points) at the edge, while keeping policy configuration and storage centralised.
“SurrealDB lets us embed graph logic directly into our PDPs, while scaling storage independently. That combination was a game-changer for supporting enterprise-scale workloads,” said Dan Yishai, Software Developer at Permit.io.
Flexible deployments
SurrealDB’s deployment flexibility was critical. Permit.io needed a solution that could run in multi-tenant cloud environments, be deployed on-premises in regulated industries, and operate in hybrid models where customer-specific PDPs sync with the Permit SaaS product. SurrealDB’s lightweight Rust binary and deployment options let Permit.io ship the same solution across all environments with minimal re-architecture.
Unlocking recursive queries
With SurrealQL, Permit.io can now execute recursive graph queries across vast identity and policy graphs - traversing users, organisations, projects, environments, and resources in milliseconds. This enables scenarios like resolving permissions across tens of thousands of folders and millions of files in a single query - something that was previously infeasible at scale.
“With SurrealDB, Permit created the fastest and most comprehensive Google-Zanzibar influenced ReBAC (relationship-based access control) solution in the market. Now, Permit isn’t only leading the technology with the fastest OPA-based decisions, but also setting the standard for quality and performance in ReBAC decisions,” said Gabriel Manor, VP of Marketing, DevRel & Growth.
Future: Centralised PDP
Looking ahead, Permit.io is building a centralised PDP service powered by SurrealDB, designed to unify policy enforcement across cloud and on-premise deployments. This evolution will let customers run hybrid models where edge PDPs sync with a central SurrealDB-backed service, unlocking new product features and more powerful policy orchestration.
“SurrealDB is enabling the next phase of our product,” said Or, Founder of Permit.io. “It gives us flexibility and graph-native capabilities we need to keep innovating for customers at every size and industry.”
Solutions
Graph-native queries
Scaled authorisation workloads far beyond in-memory limits with SurrealDB's native graph capabilities for identity and policy traversal.
Embedded Rust deployment
Deployed lightweight PDPs at the edge by embedding SurrealDB directly into Rust services, while keeping policy storage centralised.
Multi-tenant isolation
Used SurrealDB's namespaces and databases for true multi-tenancy, isolating data for thousands of customers with consistent performance.
Recursive graph queries
Executed recursive traversals across users, organisations, projects, environments, and resources in milliseconds via SurrealQL.
Results
Massive scale
100M+
Broke through in-memory scaling limits to support tens of millions to hundreds of millions of identity relationships.
Fastest ReBAC
↑ SPEED
Created the fastest and most comprehensive Google Zanzibar-influenced relationship-based access control solution in the market.
Cross-environment deployment
FLEXIBLE
Shipped the same solution across multi-tenant cloud, on-premises, and hybrid environments with minimal re-architecture.
Millisecond resolution
< 1ms
Resolved permissions across tens of thousands of folders and millions of files in single, millisecond-speed queries.
