The acquisition of Permify by FusionAuth might be like the great buddy movie you never saw coming. Two different products meeting, coming together and bonding over a shared mission to spread the word about using the right authorization method at the right time.
Authorization is hard. However, many teams still underestimate just how hard it becomes once products scale, requirements change, and real-world relationships enter the picture.
I sat down with Ufuk Civan, one of the lead engineers at Permify, to talk about FusionAuth's recent acquisition of Permify. It was a good discussion about why this merger matters and why it's good news for builders.
What Is Permify?#
Permify is a centralized authorization service based on Google's Zanzibar authorization model, a battle-tested approach used internally by some of the largest technology companies in the world.
Ufuk says Permify answers one critical question:
Does this user have permission to perform this action on this resource?
Instead of hardcoding authorization logic throughout your application, Permify:
- Centralizes authorization logic.
- Defines fine-grained permissions based on relationships.
- Allows you to change authorization rules dynamically, without redeploying your app.
- Maintains version history for both authorization schemas and authorization data.
As Ufuk put it, authorization is inherently dynamic. Business rules evolve, products grow, and access models change. Permify is designed to evolve with you.
Authorization Is Often Done Wrong; How Can Permify Help?#
When I asked Ufuk what mistakes he has seen people make and how Permify can help, he said this:
The biggest mistake teams make is underestimating authorization and delaying the decisions.
Early on, it's tempting to hardcode checks into application logic, defer authorization design until later, and assume current requirements won't change (hint: they always do). Then "later" shows up with edge cases, new features, enterprise customers, role explosions, and compliance requirements.
Six months down the line, what started as a simple role check becomes a tangled web of conditionals that are difficult to update, test, or roll back. Suddenly, you're refactoring half your codebase. Versioning becomes painful. Reverting changes becomes risky.
Permify addresses this by separating authorization from business logic entirely. You can update your permissions without touching your business logic. Permify also version controls your authorization changes. That's the kind of thing you only appreciate after you've been burned once. Hopefully, with Permify, you will not have to experience that.
Why Should Permify Users Be Excited About the Acquisition?#
One thing Ufuk highlighted was how much FusionAuth's experience with large-scale deployments will accelerate Permify's growth. Permify already had a product guided and built with the community. Now it gets to add FusionAuth's enterprise experience.
As Ufuk explains, Permify has already benefited from this acquisition:
- In addition to the great community support already offered, FusionAuth provides professional support.
- FusionAuth's experience has helped fully automate the build process for Permify and make it more robust.
- FusionAuth has helped speed up SDK releases and documentation.
It is important to note that Permify will remain flexible. You can use Permify with any authentication system, including homegrown solutions or third-party providers. However, with FusionAuth, the integration becomes tighter, more seamless, and fully supported by the same team.
Why Should FusionAuth Users Be Excited About the Acquisition?#
FusionAuth already provides authentication and identity management. Permify completes the picture with Fine-Grained Authorization (FGA).
Together, FusionAuth and Permify provide a full solution to Customer Identity and Access Management (CIAM):
- Authentication (AuthN): Who is the user?
- Authorization (AuthZ): What can the user do?
While FusionAuth has had support for group-level permissions, Permify adds support for the granular permission policies required by a Relationship-Based Access Control (ReBAC) system. FusionAuth users now have the tools to implement complicated permission requirements.
Let's Talk Open Source#
Permify began and will continue to be an open source project. For Ufuk, open source goes far beyond just publishing code.
We have a really good amount of contributions from community members.
The codebase is not just public. The public can create pull requests and contribute to the code as well. The team always reviews pull requests before merge. The support issues are visible for people to read, comment on and learn from. The roadmaps, decisions, and discussions about them are also visible to the community.
Even after the acquisition, Permify remains open, with continued community involvement and faster development velocity. In fact, one of Permify's newer APIs was implemented entirely by a community contributor.
That openness is part of what attracted FusionAuth in the first place.
Any Concerns?#
Ufuk raised one major concern, and it's a good one: people constantly confuse authentication and authorization.
We need to be crystal clear about:
- What FusionAuth does.
- What Permify does.
- When to use which.
- How they work together.
That's on us.
These concerns are top of mind for engineers at both Permify and FusionAuth. This acquisition should make developers more confident about designing secure systems, not more confused.
My Favorite Moment: The One Piece Analogy#
Just for fun, I asked Ufuk what characters FusionAuth and Permify would be if they were in a movie. Ufuk went to anime. He chose characters from One Piece:
- FusionAuth as Luffy — the ambitious, energetic leader pulling the team together.
- Permify as Roronoa Zoro — strong, powerful specialist filling in Luffy's gaps.
- Together, they form a stronger crew, built for the long haul. Most importantly, they like to have fun while doing great work.
If this partnership leads to the same longevity as the One Piece series, I'll take it.
Conclusion#
Authorization isn't optional. And it's not something you want to rebuild every time your product evolves. With FusionAuth handling authentication and Permify handling authorization, developers get:
- Clear separation of concerns
- Proven, scalable models
- Flexibility without chaos
- A unified platform backed by one team
If you're already using FusionAuth, Permify unlocks the next level of access control.
If you're already using Permify, FusionAuth offers enterprise-level support.
This is the foundation you want if you're building something complex, dynamic, and relationship-driven.
Coming soon to a theater near you. Just kidding. It's already here! And we're going to continue making it even better.
