Security Overview
Permiso is designed with security as a first principle. Here's a summary of the key security features and how they work together.
Passwordless authentication with passkeys
Permiso doesn't use passwords. Every user authenticates with a passkey, a cryptographic credential stored on their device. Passkeys are resistant to phishing, credential stuffing, and brute-force attacks because there's no shared secret to steal.
See Passkeys for more detail on how passkeys work and how users manage them.
Role-Based Access Control
You can restrict any connected application to specific user groups. A user who isn't in an allowed group is denied at the Permiso consent screen, so they never reach the application. This means you can have fine-grained control over who can access what without managing permissions inside each application individually.
See Groups for how to set this up.
Audit logs
Permiso keeps a full log of authentication events: sign-ins, account creations, passkey changes, and application authorizations. You can filter by user, event type, date, and IP address.
Audit log entries are retained for 90 days by default. You can adjust this with the AUDIT_LOG_RETENTION_DAYS environment variable.
See Audit Logs for more.
Session duration
You can control how long user sessions last before they need to re-authenticate. Shorter sessions are more secure for sensitive environments; longer sessions are more convenient for everyday tools.
Session duration is configured in Settings → Administration → Application Configuration.
Reauthentication per application
For sensitive applications, you can require users to actively re-authenticate with their passkey on each visit instead of being silently signed in from an existing Permiso session. This is configured per OIDC client.
See Register an OIDC Client for the reauthentication option.
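An added example, not Permiso's own code, of how a connected application can verify on its side that the per-client reauthentication actually happened: it sends the standard OIDC `prompt=login` and `max_age` parameters and then checks the `auth_time` claim of the returned ID token (OpenID Connect Core requires `auth_time` whenever `max_age` is requested). The claim values and the `max_age` of 300 seconds below are constructed for illustration.

```python
import time
from typing import Optional, Tuple

# Constructed ID-token claims, as a client would see them after signature
# verification (signature, iss, aud and nonce checks are out of scope here).
SAMPLE_CLAIMS = {
    "iss": "https://permiso.example",   # placeholder issuer
    "sub": "user-123",
    "aud": "payroll-app",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "auth_time": 1_700_000_000 - 30,    # passkey ceremony 30 s before issuance
}


def authz_params(client_id: str, redirect_uri: str, state: str,
                 nonce: str, max_age: int) -> dict:
    """Authorization-request parameters that force a fresh authentication.

    prompt=login tells the provider not to reuse its existing session; max_age
    additionally bounds how old the authentication may be and obliges the
    provider to include auth_time in the ID token.
    """
    return {
        "response_type": "code", "scope": "openid", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
        "prompt": "login", "max_age": str(max_age),
    }


def check_freshness(claims: dict, max_age: int, now: Optional[int] = None,
                    skew: int = 60) -> Tuple[bool, str]:
    """Return (ok, reason); ok only if the user authenticated within max_age s.

    The application must not trust that reauthentication was enforced upstream:
    a misconfigured client entry, or a token replayed from an earlier visit,
    would otherwise be accepted silently.
    """
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if exp is None or now > exp + skew:
        return False, "token expired or missing exp"
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return False, "auth_time missing although max_age was requested"
    if auth_time > now + skew:
        return False, "auth_time lies in the future"
    age = now - auth_time
    if age > max_age:
        return False, f"last authentication {age}s ago exceeds max_age={max_age}"
    return True, "fresh"
```

Pair this with a short session duration at the provider for the same application, so that neither side alone is the only control.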
HTTPS
Your Permiso instance is provisioned with a TLS certificate automatically, so all communication with it, from browsers and from connected applications, is encrypted over HTTPS out of the box.