oakallow resolves every tool call from most specific to least specific, and the first match wins. There are three stages.
Gates (checked first)
- The tool must exist in your catalog, be enabled for the org, and meet the tool's required tier. Fail any gate and the result is disabled — the walk never starts.
Specificity walk (8 levels, first match wins)
- resource + tool + method, then resource + tool, resource + method, resource, tool + method, tool, method, and finally a tag match.
- If the request names a tenant and tenant-scoped rules exist, the tenant set is walked first, then the org set. If there are no tenant rules, the org set is the only set.
Fallbacks (when no rule matches)
- The tool's default permission, then its category default, then "allowed" if the tool itself is approved, and finally the fail-safe: requires_approval.
Nothing is cached — every call is re-evaluated. If nothing matches and the tool is not pre-approved, the fail-safe is always requires_approval. Resolution runs at the edge in a Cloudflare Worker with single-digit millisecond latency.
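The three stages above, worked through as a small stand-alone resolver. This is an added example, not oakallow's code: the rule shape (`resource`/`tool`/`method`/`tag` fields plus a `permission`), the catalog layout, the tier ordering `free < pro < enterprise`, tag rules matching against the tool's catalog tags, and the `resolve` function and its return shape are all assumptions for illustration. The sample catalog and rules are constructed. Note that the org rule set deliberately lists the tag rule first, so the test requests show that the level order, not the order rules were written in, decides which rule wins.

```javascript
// Added example modelling oakallow's gates -> specificity walk -> fallbacks.
// Field names, tier names and the resolve() API are assumptions, not the product's code.

// The eight specificity levels, most specific first. A rule sits at exactly
// one level, determined by which of the four fields it sets.
const LEVELS = [
  ["resource", "tool", "method"],
  ["resource", "tool"],
  ["resource", "method"],
  ["resource"],
  ["tool", "method"],
  ["tool"],
  ["method"],
  ["tag"],
];
const FIELDS = ["resource", "tool", "method", "tag"];
const TIERS = ["free", "pro", "enterprise"]; // assumed ordering, lowest first

// Level index of a rule (0-7), or -1 if its field combination is not one of the eight.
function levelOf(rule) {
  const set = FIELDS.filter((f) => rule[f] !== undefined && rule[f] !== null);
  return LEVELS.findIndex((keys) => keys.length === set.length && keys.every((k) => set.includes(k)));
}

// A rule matches when every field it sets equals the request's value.
// Tag rules match against the tool's tags from the catalog (assumed shape).
function ruleMatches(rule, req, tool) {
  return FIELDS.every((f) => {
    if (rule[f] === undefined || rule[f] === null) return true;
    if (f === "tag") return (tool.tags || []).includes(rule.tag);
    return rule[f] === req[f];
  });
}

// Walk one rule set level by level; the first matching rule wins.
function walkSet(rules, req, tool) {
  for (let level = 0; level < LEVELS.length; level++) {
    const hit = rules.find((r) => levelOf(r) === level && ruleMatches(r, req, tool));
    if (hit) return { permission: hit.permission, level: level + 1 };
  }
  return null;
}

function resolve(catalog, req) {
  // Stage 1: gates. Failing any gate short-circuits to "disabled"; the walk never starts.
  const tool = catalog.tools[req.tool];
  if (!tool) return { decision: "disabled", stage: "gate", reason: "not_in_catalog" };
  if (!tool.enabled) return { decision: "disabled", stage: "gate", reason: "disabled_for_org" };
  if (TIERS.indexOf(req.tier) < TIERS.indexOf(tool.requiredTier)) {
    return { decision: "disabled", stage: "gate", reason: "tier_too_low" };
  }

  // Stage 2: specificity walk. The tenant set (if the request names a tenant and
  // tenant rules exist) is walked completely before the org set.
  const sets = [];
  const tenantRules = req.tenant ? catalog.tenantRules[req.tenant] : undefined;
  if (tenantRules && tenantRules.length) sets.push(["tenant", tenantRules]);
  sets.push(["org", catalog.orgRules]);
  for (const [scope, rules] of sets) {
    const hit = walkSet(rules, req, tool);
    if (hit) return { decision: hit.permission, stage: "rule", scope, level: hit.level };
  }

  // Stage 3: fallbacks in the documented order, ending in the fail-safe.
  if (tool.defaultPermission) return { decision: tool.defaultPermission, stage: "tool_default" };
  const category = catalog.categories[tool.category];
  if (category && category.defaultPermission) {
    return { decision: category.defaultPermission, stage: "category_default" };
  }
  if (tool.approved) return { decision: "allowed", stage: "approved_tool" };
  return { decision: "requires_approval", stage: "fail_safe" };
}

// Constructed sample catalog for the example (not real data).
const catalog = {
  tools: {
    "db.query": { enabled: true, requiredTier: "pro", category: "data", tags: ["sensitive"], approved: true },
    "http.fetch": { enabled: true, requiredTier: "free", category: "network", tags: [], approved: false },
    "file.delete": { enabled: true, requiredTier: "free", category: "fs", tags: [], approved: true, defaultPermission: "denied" },
    "calc.add": { enabled: true, requiredTier: "free", category: "math", tags: [], approved: true },
    "shell.exec": { enabled: false, requiredTier: "enterprise", category: "system", tags: [], approved: false },
  },
  categories: { data: { defaultPermission: "requires_approval" }, network: {}, fs: {}, math: {}, system: {} },
  orgRules: [
    { tag: "sensitive", permission: "requires_approval" }, // level 8, listed first on purpose
    { resource: "prod-db", permission: "denied" },         // level 4
    { tool: "db.query", method: "write", permission: "denied" }, // level 5
  ],
  tenantRules: {
    acme: [{ resource: "prod-db", tool: "db.query", method: "read", permission: "allowed" }], // level 1
  },
};

// Example call: a tenant-scoped level-1 rule beats the org's resource-level deny.
resolve(catalog, { tenant: "acme", tool: "db.query", resource: "prod-db", method: "read", tier: "pro" });
```

Every call recomputes from scratch, as the text says; there is no memoisation. Because `resolve` returns the stage and level that decided the outcome, the same structure can be logged alongside the decision, which is what you want when auditing why a tool call was allowed or sent for approval.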