Permission resolution happens at the edge in a Cloudflare Worker.
Permission rules are stored in Cloudflare D1, so when a permission check request arrives, the Worker can resolve it locally without making a round-trip to a separate backend. This delivers very fast decisions and keeps the policy path close to the request path.
The Cloudflare Worker owns the auth and permission surface, while the dashboard and management APIs use the same D1-backed data model, so rule changes stay in sync across the product.