Permits (SignedPermit)

A SignedPermit is a cryptographically signed authorization for a specific action. The Brain & Permit principle: Axowl issues the permit; your plugin/app performs the action and verifies the permit. Base path: /api/org/{slug}/permits (authenticated).

| Method · Route | Purpose | Source |
| --- | --- | --- |
| POST /issue | Issue a SignedPermit for the caller’s ConnectedId + requested scope | PermitEndpoints.cs:33 |

POST /issue runs these before signing (PermitEndpoints.cs:16):

  1. Revocation — is the ConnectedId on the revocation list?
  2. Active — is the ConnectedId active?
  3. Snapshot — does the ConnectedIdPermission snapshot version / ResolvedScope match?
  4. Scope — does the member hold the requested scope (HashSet.Contains)?
  5. Seal tier — derived from the org’s SecurityMode.
  6. Sign — issue the permit, RS256-signed with the org’s signing key.

Your side can verify the permit against the org’s published JWKS, so no shared secret is needed. Permits draw their authority from the same sealed RBAC snapshot as everything else; see Roles & permissions and Permission scopes.
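
The verifier side described above, as an added example in standard-library Python (not Axowl's code). It assumes the permit is serialized as a compact JWS (`header.payload.signature`) carrying a `kid` header, which RS256 and JWKS suggest but the page does not state; `verify_permit` and `MIN_KEY_BITS` are hypothetical names.

```python
import base64, hashlib, hmac, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MIN_KEY_BITS = 2048  # assumption: local policy, not stated on the page

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_permit(token, jwks):
    """Return the permit claims if the RS256 signature verifies; raise ValueError otherwise."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except Exception:
        raise ValueError("malformed permit") from None
    # Pin the algorithm; a verifier that trusts the header's alg accepts "none" or HS256 tokens.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    # Select the org key by kid from the published JWKS.
    key = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    size = (n.bit_length() + 7) // 8
    if n.bit_length() < MIN_KEY_BITS or len(sig) != size:
        raise ValueError("bad key or signature length")
    s = int.from_bytes(sig, "big")
    if s >= n:
        raise ValueError("bad signature")
    # RSASSA-PKCS1-v1_5: rebuild the expected encoded message and compare it whole.
    digest = hashlib.sha256(f"{h64}.{p64}".encode("ascii")).digest()
    pad = b"\xff" * (size - 3 - len(SHA256_PREFIX) - len(digest))
    expected = b"\x00\x01" + pad + b"\x00" + SHA256_PREFIX + digest
    if not hmac.compare_digest(pow(s, e, n).to_bytes(size, "big"), expected):
        raise ValueError("bad signature")
    # Signature is valid; callers still check the claims their permit schema defines.
    return json.loads(b64url_decode(p64))
```

Pass the JWKS document as a parsed dict; fetch and cache it from the org's published endpoint over TLS rather than taking it from the same channel as the permit.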