Skip to main content

API and Developer Terms

Effective date: April 28, 2026

Permissio, Inc.


1. Purpose

These API and Developer Terms govern use of Permissio APIs, SDKs, embed tools, sandbox environments, developer documentation, webhooks, and related developer services ("Developer Services"). These terms are incorporated into the Terms of Service. By using the Developer Services, Customer agrees to these terms.


2. API Access

Permissio may issue live and sandbox API keys. Customer is responsible for:

  • Safeguarding all API keys, personal access tokens, and webhook secrets
  • Scoping API keys to least privilege for their intended use
  • Rotating credentials promptly upon suspected compromise
  • Using keys only in server-side or securely managed environments — not in client-side code, public repositories, logs, screenshots, or support messages

Permissio may revoke, rotate, suspend, or limit API keys when necessary for security, abuse prevention, service integrity, non-payment, or breach of this Agreement.


3. Sandbox and Live Environments

Sandbox environments are provided for testing and development. Customer must not:

  • Represent sandbox output, signed records, or audit trails as production evidence unless expressly authorized in writing
  • Send live documents to actual recipients using sandbox credentials
  • Use sandbox environments as a system of record for production workflows

Customer must use live credentials only for production workflows and must ensure that test data is not sent to live recipients by mistake. Sandbox activity and data may be subject to shorter retention periods and automatic expiration.


4. Developer Responsibilities

Customer must:

  • Use the APIs only in accordance with the Documentation and this Agreement
  • Implement reasonable error handling, retry logic with back-off, idempotency, and webhook deduplication
  • Verify webhook signatures using the X-Permissio-Signature header on all inbound deliveries
  • Maintain accurate contact information for security and operational notices
  • Promptly report suspected API key or credential compromise to security@permissio.us
  • Comply with applicable privacy, security, electronic signature, and consumer protection laws in all applications built using the Developer Services

5. Rate Limits and Fair Use

Permissio may apply rate limits, quotas, concurrency limits, payload limits, timeout limits, and other technical controls. Permissio may update limits to protect security, reliability, or platform performance. Limits are published in the Documentation. Sustained use in excess of documented limits, or use designed to circumvent limits, may result in throttling or suspension.


6. Webhooks

Customer is responsible for:

  • Maintaining webhook endpoint availability and returning timely HTTP 2xx responses
  • Validating the X-Permissio-Signature HMAC-SHA256 header on all deliveries
  • Deduplicating events using the X-Permissio-Delivery delivery identifier
  • Handling retries gracefully using idempotent event processing
  • Ensuring webhook endpoint URLs do not expose API secrets or credentials in query strings or headers

Webhook delivery is an asynchronous mechanism. Customer should not rely on webhooks as the sole source of legally required notice without validating the workflow and fallback reconciliation process.


7. SDKs and Sample Code

SDKs, sample code, examples, and templates are provided for convenience under their applicable open-source licenses. Customer is responsible for testing and validating its own implementation before production use. Sample code is not intended for use in production without review, adaptation, and testing.


8. Developer Applications

Customer is responsible for all applications, integrations, and services that Customer builds using the Developer Services. Customer must:

  • Provide its own end-user notices, consents, privacy disclosures, and support
  • Ensure its applications comply with applicable privacy, security, and consumer protection law
  • Not represent that its applications are built, operated, or endorsed by Permissio without written permission

9. Monitoring and Logs

Permissio may monitor API activity for security, reliability, debugging, billing, abuse prevention, and compliance. Request logs and audit logs may include identifiers, timestamps, IP addresses, user agents, endpoint paths, status codes, response times, and operational metadata.


10. Liability

All API and developer use is subject to the liability cap and exclusions in the Terms of Service. No API, SDK, sample code, sandbox feature, webhook, or documentation creates a separate warranty or separate liability pool.


11. Contact

Developer support: support@permissio.us

Security reports: security@permissio.us