Skip to main content
Version: 2.0.0

Kong API Gateway x Permit


Kong is one of the most popular API gateways out there; but managing access to API and services behind it can be quite a bit of work especially as the application evolves requiring more and more advanced permissions models such as RBAC, ABAC & ReBAC.

With a recent update - Permit can now seamlessly integrate with Kong Gateway. And you can add permissions to your API within minutes without having to write a single line of code.

Connect your Kong Gateway to

If you have Kong Gateway properly configured to relay requests from your users to your backend, you can easily use to authorize requests as they go in, with a real time administration layer. This layer that has a nice user interface that is easy to understand for everybody in your organization, while still remaining policy-as-code behind the scenes.

Installing the PDP sidecar

Since uses OPA internally, you can use the standard Kong OPA plugin.


This guide assumes that you already have Kong configured, and your authentication is done through Kong.

First, you will need to set up your Policy Decision Point, or PDP, next to your Kong Gateway. In the architecture, the PDP is a small container that makes authorization decisions. You configure it through's cloud service, but once it is running - it's completely independent (so it keeps running even if disconnected from the Internet) and can continue to make decisions extremely quickly, on the order of 1-5 ms.

To run the PDP, you can use the following command:

docker run \
⁠ -p 7766:7000 \
--env PDP_DEBUG=True
⁠ permitio/pdp-v2:latest

To get your API key, go to the App and click “Copy SDK secret key” from your user profile.

Copy API Key

Adding the OPA plugin to Kong

Once the PDP container is running, you can configure your runtime instance to authorize requests through the PDP. In your Kong Route configuration, add a plugin. The option is located in the bottom right of the screenshot below.


If you changed any of the below values in the PDP configuration, they will need to be changed to match in the Kong's configuration as well.

Add Kong OPA plugin

In the plugin configuration, set the following values:

Consume OPA Input

Config.include Consumer In Opa Input - this should be checked.

Config.Opa Host

This is the PDP IP address - e.g.

Config.Opa Path


Config.Opa Port


Config.Opa Protocol


Please use the image below for extra reference:

Input the OPA plugin values to connect it to Kong

By default, / will be mapped to the "index" resource, and other routes to the first element in their paths.


/repo will be mapped to the repo resource.

Wrapping Up

Finally, go to the route you configured to see the outcome of the permission check.

As you see, makes it easy to add permissions to Kong-based applications. You can easily configure Kong Gateway to use Permit's powerful permission engine to decide whether requests are allowed, and empower non technical people in your organization to manage permissions themselves.

For more information, such as how to customize the resource mapping table, see our blog post about Kong integration.