---
title: "Permit Deny"
slug: "permit-deny"
updated: 2026-03-22T16:44:21Z
published: 2026-03-22T16:44:21Z
stale: true
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.plainid.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Permit Deny

Post/api/runtime/permit-deny/v3

The Permit/Deny API call is a Yes/No Authorization question. It returns a response to Access Decision-related responses to a specific question detailed in the API Request. It can also optionally return additional information.

### Notice

When accessing the Authorization APIs, the URL base/prefix, according to your PlainID PDP Location**United States Cloud PDP** - `https://tenant-name.us1.plainid.io`**Canadian Cloud PDP** - `https://tenant-name.ca1.plainid.io`**European Cloud PDP** - `https://tenant-name.eu1.plainid.io`**Local PAA** - `https://your-paa.acme.local`   
 For more information on which Asset Types to use with your PAA or Cloud PDP, refer to [Managing Asset Types](https://docs.plainid.io/docs/managing-asset-types).
  
   
 

### Important note about headers

 

Refer to the headers below to modify your cURL sample. Check if the following headers are in the sample, if not, ensure you add it to your cURL sample before pasting into your API tool.

 

### Headers

 *Required 

| Header | Value | cURL Line |
| --- | --- | --- |
| Accept | `application/json` | `'accept: application/json'` |
| Content-Type | `application/json` | `'content-type: application/json'` |

  
 

### cURL Sample Guidelines

 

In order for the relevant parameters to appear in the cURL sample, you can input the values in the interactive API console on the right under the Try It\* or the Code Sample tabs. They will then appear in the cURL sample in the correct format to use in your API tool. *\*Try It function coming soon.*

Header parametersX-Client-Idstring

Client ID of the Scope The clientId is **required**, ensure that it is defined either in the header as `X-Client-Id` or in the body as `clientId` under the `runtimeFinetune` parameter. Refer to [Setting up an Authentication Method](https://docs.plainid.io/v1/docs/managing-scope-authentication#setting-up-an-authentication-method-in-the-scope) for more information.

X-Client-Secretstring

Client Secret ID of the Scope. You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body as clientSecret under the `runtimeFinetune` parameter. Refer to [Setting up an Authentication Method](https://docs.plainid.io/v1/docs/managing-scope-authentication#setting-up-an-authentication-method-in-the-scope) for more information.

Body parameters<select class='api-response-data' aria-label='Media type'><option value='ba1df568-45af-41f3-b1ee-9076e9050c6d'>application/json</option>
</select><select class='select-example' aria-label='Media type'><option value='075f2ad9-b3d1-4ef1-aa68-320300ac43c8'>PermitDeny</option>
</select>PermitDeny

```json
{
  "entityId": "uid838277",
  "clientId": "PDASDASDASDASDASDF40",
  "clientSecret": "k3DSBn5vTJuNzcar0Cpb0wICar34QwYQCat4OMay",
  "entityAttributes": {
    "user_organization": [
      "Acme Finance"
    ],
    "user_title": [
      "Branch Clerk"
    ],
    "user_business_unit": [
      "LOB1"
    ],
    "User_Location": [
      "US"
    ]
  },
  "combinedMultiValue": false,
  "listOfResources": [
    {
      "resourceType": "Client Profiles",
      "prefetch": true,
      "resources": [
        {
          "action": "Read",
          "path": "P4",
          "assetAttributes": {
            "order_type": [
              "credit_card"
            ],
            "customer_type": [
              "regular"
            ]
          }
        }
      ]
    }
  ],
  "entityTypeId": "User",
  "contextData": {
    "field1": [
      "field1Value1",
      "field1Value2"
    ],
    "field2": [
      "field2Value1",
      "field2Value2"
    ]
  },
  "environment": {
    "table": [
      "accounts"
    ]
  },
  "additionalIdentities": [
    {
      "entityId": "agentA",
      "entityTypeId": "Agents",
      "entityAttributes": {
        "agent_classification": [
          "Sensitive"
        ]
      }
    },
    {
      "entityId": "appA",
      "entityTypeId": "Applications",
      "entityAttributes": {
        "app_classification": [
          "Confidential"
        ]
      }
    }
  ],
  "remoteIp": "192.168.0.1",
  "timeZoneOffset": 0.0,
  "includeDetails": false,
  "includeContext": false,
  "includeIdentity": false,
  "includeAccessPolicy": false,
  "includeAccessPolicyId": false,
  "includeAssetAttributes": false,
  "includeDenyReason": false,
  "accessTokenFormat": "JSON",
  "useCache": true,
  "assetContext": [
    {
      "key": "",
      "resourceType": "Account",
      "path": "",
      "action": "ACCESS",
      "assetAttributes": {
        "accountCategory": [
          "Premium"
        ]
      }
    }
  ],
  "useOptimizedAssetContextResponse": false,
  "operationalFilters": [
    {
      "filterType": "identitySourcesFilterByIDs",
      "filterProperties": {
        "filterAction": "INCLUDE",
        "objectsList": [
          "sourceID_123",
          "sourceID_456"
        ]
      }
    },
    {
      "filterType": "identitySourcesFilterByIDs",
      "filterProperties": {
        "filterAction": "EXCLUDE",
        "objectsList": [
          "sourceID_789"
        ]
      }
    }
  ],
  "skipUnneededOrUnavailableIdentitySources": false,
  "includePartialIdentitySourcesIndication": false,
  "failOnCalculatedAttributesErrors": true
}
```

Expand Allobject  entityIdstring    Required

Unique identifier of the Identity (e.g. UID)

clientIdstring    Required

Client ID of the Scope The Client ID is **required**, ensure that it is defined either in the header as `X-Client-Id` or in the body as `clientId`.

clientSecretstring    

Client Secret ID of the Scope. You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to [Setting up an Authentication Method](https://docs.plainid.io/v1/docs/managing-scope-authentication#setting-up-an-authentication-method-in-the-scope) for more information.

listOfResources Array of object   Required

Contains a list of the Asset's unique identifiers:

· Resource type (required) · Prefetch

· Resources - Action (optional), Path (required), and Asset Attributes (optional)

object  resourceTypestring    

Asset Template ID

prefetchboolean    

Fetches the Asset Attribute based on the Asset ID at the beginning of the Access Decision calculation.

Defaultfalse
resources Array of object   object  actionstring    

Name of the Action

pathstring    Required

Unique Identifier of the Asset

assetAttributesobject  attribute_1 Array of string   string    
attribute_2 Array of string   string    

entityTypeIdstring    

Identity Template ID

entityAttributesobject  user_organization Array of string   string    
user_title Array of string   string    
user_business_unit Array of string   string    
User_Location Array of string   string    

contextDataobject  

Identity Context data for this request.

When specifying this parameter, you are requesting information based on a specific parameter and its value.

For example: Location where the contextData equals a specific branch.

If not defined, Dynamic Groups based on context data will not be considered in the Access Decision.

string Array  

environmentobject  

Environmental parameters need to be defined in Policies as a request (in Asset Rules or Conditions) and sent in the authorization request. Only the Assets that match the parameters in request will be returned.

If not defined, parameters based on Environmental data will not be considered in the Access Decision.

string Array  

additionalIdentities Array of object   

A list of additional Identities to be considered in the Access Decision. If all identities are defined in this parameter, the root-level `entityId`, `entityTypeId`, and `entityAttributes` parameters can be omitted.

object  entityIdstring    

Unique identifier of the Identity (e.g. UID)

entityTypeIdstring    

Identity Template ID

entityAttributesobject  

List of Identity Attributes and their values.

string Array  

remoteIpstring    

IP address to be used when validating a Policy. Ensure that your IP Ranges are correct based on an [IP calculator](https://www.ipaddressguide.com/cidr). If not defined, the IP considered in the calculation is taken from the X-Forwarded-For (Request header).

Min length1
timeZoneOffsetnumber    

To define the offset from UTC time zone. Used in Time Condition.

Default0.0
includeDetailsboolean    

Show/hide a detailed list of Resources that are allowed, denied, and not applicable.

Defaultfalse
includeContextboolean    

Show/hide the context data in the response.

Defaultfalse
includeAccessPolicyboolean    

Show/hide the name of the Policy in the response that granted the specified access.

Defaultfalse
includeAccessPolicyIdboolean    

Show/hide the external id of the Policy in the response that granted the specified access.

Defaultfalse
includeAssetAttributesboolean    

Show/hide the Asset Attribute of the Assets in the response.

Defaultfalse
includeDenyReasonboolean    

Include/exclude the reason for denying access to an Asset. Uses prefetch logic the evaluate the reasons. For more details on Deny Reason, click [here](https://docs.plainid.io/apidocs/working-with-deny-reason)

Defaultfalse
includeIdentityboolean    

Show/hide the Identity Attribute of the Identity in the response.

Defaultfalse
accessTokenFormatstring    

Determines the format of the response – whether `JSON`, `JWT`, or `StandardJWT`.

Default"JSON/JWT"
useCacheboolean    

The Attribute will determine if the response is going to consider the cache settings or override the cache and perform a full calculation.

Defaulttrue
combinedMultiValueboolean    

Determines the evaluation of Identity Attributes relationship in access decision.

Defaultfalse
assetContext Array of object (assetContextRequestItem)   

Specifies contextual asset data (e.g., resourceType, path, action) to refine authorization decisions based on asset relationships and classifications.See our article on [Working with Asset Context](https://docs.plainid.io/apidocs/working-with-assetcontext) for more information.

object  keystring    

An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.

resourceTypestring    Required
pathstring    
actionstring    
assetAttributesobject  attribute_1 Array of string   string    
attribute_2 Array of string   string    

useOptimizedAssetContextResponseboolean    

Determines the Asset Context response structure. See our article on [Working with Asset Context](https://docs.plainid.io/apidocs/working-with-assetcontext) for more information.

Defaultfalse
operationalFilters Array of object   

These operational filters should affect the Runtime behavior and results by applying additional filtering which is not directly related to Authorization logic.

object  #content#OneOfidentitySourcesFilterByIDsobject (identitySourcesFilterByIDs)filterTypestring    Required
filterPropertiesobject  filterActionstring    RequiredValid values[
  "INCLUDE",
  "EXCLUDE"
]
objectsList Array of string   Requiredstring    

Input your sourceID/s here. For information on the sourceID parameter and where to locate it, check out [Managing Attribute Sources](https://docs.plainid.io/v1/docs/managing-attribute-sources) in the PlainID documentation.

skipUnneededOrUnavailableIdentitySourcesboolean    

The Attribute will determine if the calculation will skip unneeded or unavailable Identity sources. Refer to the [Authorization API](https://docs.plainid.io/v1-api/apidocs/authorization-apis) article for more information.

Defaultfalse
includePartialIdentitySourcesIndicationboolean    

Show/hide additionalResponseInfo in the response.

Defaultfalse
failOnCalculatedAttributesErrorsboolean    

Fail request when Attribute calculation fails.

Defaulttrue

Responses200

User gets a Permit decision

<select class='api-response-data' aria-label='Media type'><option value='ea69a9c4-665d-4c93-a984-3e423d3f2fd2'>application/json</option>
</select><select class='select-example' aria-label='Media type'><option value='560ff6d1-7423-4ffa-b526-152644988ef9'>Permit</option>
<option value='4db18d9d-51db-4cbe-9d59-68e56d56da1d'>Deny</option>
<option value='c114079a-76b1-47e0-abb5-569afa33175e'>Permit with details</option>
<option value='9be69c41-c9dd-436e-9a3b-7c34ea97f3da'>Deny with details</option>
<option value='f0d2ff1b-4412-4f95-9861-e40a7ca63b3e'>Combined permit deny</option>
</select>Permit

```json
{
  "data": {
    "result": "PERMIT"
  }
}
```

Deny

```json
{
  "data": {
    "result": "DENY"
  }
}
```

Permit with details

```json
{
  "data": {
    "result": "PERMIT",
    "response": [
      {
        "allowed": [
          {
            "path": "AS-XX-12575",
            "action": "Access",
            "template": "Accounts"
          }
        ],
        "denied": [],
        "not_applicable": []
      }
    ]
  }
}
```

Deny with details

```json
{
  "data": {
    "result": "DENY",
    "response": [
      {
        "allowed": [],
        "denied": [
          {
            "path": "AS-XX-12575",
            "action": "Access1",
            "template": "Accounts"
          }
        ],
        "not_applicable": []
      }
    ]
  }
}
```

Combined permit deny

```json
{
  "data": {
    "result": "DENY",
    "response": [
      {
        "allowed": [
          {
            "path": "AS-XX-12575",
            "action": "Access",
            "template": "Accounts"
          }
        ],
        "denied": [
          {
            "path": "AS-XX-1257566",
            "action": "Access",
            "template": "Accounts"
          }
        ],
        "not_applicable": []
      }
    ]
  }
}
```

Expand AllAnyOfpermitDenyResponseobject (permitDenyResponse)resultstring    
response Array of object   object  allowed Array of object   object  pathstring    
actionstring    
templatestring    
permissions Array of object   object  permissionstring    
permissionIdstring    
permissionMetadataobject (permissionMetadata)  

Additional response metadata. This response is only returned when the `includeAccessPolicy` is set to true, and when the `permissionMetadata` object contains one or more properties.

denied Array of object   object  pathstring    
actionstring    
templatestring    

not_applicable Array of object   object  

identityobject (identityResponse)  typestring    
typeNamestring    
attributesobject  

additionalIdentities Array of object (identityResponse)   object  typestring    
typeNamestring    
attributesobject  

additionalResponseInfoobject (additionalResponseInfoResponse)  identitySourcesobject  skipped Array of object (identitySourceInfo)   object  sourceIdstring    
sourceNamestring    
messagestring    
attributes Array of string   string    

failed Array of object (identitySourceInfo)   object  sourceIdstring    
sourceNamestring    
messagestring    
attributes Array of string   string    

assetContextPermitDenyResponseobject (assetContextPermitDenyResponse)data Array of object   object  assetContextobject  AnyOfassetContextResponseItemobject (assetContextResponseItem)
assetContextMergedResponseItemobject (assetContextMergedResponseItem)resources Array of object (assetContextResponseItem)   object  AnyOfobjectobjectkeystring    

An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.

objectobjectresourceTypestring    
pathstring    
actionstring    
assetAttributesobject  attribute_1 Array of string   string    
attribute_2 Array of string   string    

outputobject  accessResponseobject (permitDenyResponse)  resultstring    
response Array of object   object  allowed Array of object   object  pathstring    
actionstring    
templatestring    
permissions Array of object   object  permissionstring    
permissionIdstring    
permissionMetadataobject (permissionMetadata)  

Additional response metadata. This response is only returned when the `includeAccessPolicy` is set to true, and when the `permissionMetadata` object contains one or more properties.

denied Array of object   object  pathstring    
actionstring    
templatestring    

not_applicable Array of object   object  

identityobject (identityResponse)  typestring    
typeNamestring    
attributesobject  

additionalIdentities Array of object (identityResponse)   object  typestring    
typeNamestring    
attributesobject  

additionalResponseInfoobject (additionalResponseInfoResponse)  identitySourcesobject  skipped Array of object (identitySourceInfo)   object  sourceIdstring    
sourceNamestring    
messagestring    
attributes Array of string   string    

failed Array of object (identitySourceInfo)   object  sourceIdstring    
sourceNamestring    
messagestring    
attributes Array of string   string    

errorstring    

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

500

Internal Server Error

501

Not Implemented