API and Developer Terms
Effective date: April 28, 2026
Permissio, Inc.
1. Purpose
These API and Developer Terms govern use of Permissio APIs, SDKs, embed tools, sandbox environments, developer documentation, webhooks, and related developer services ("Developer Services"). These terms are incorporated into the Terms of Service. By using the Developer Services, Customer agrees to these terms.
2. API Access
Permissio may issue live and sandbox API keys. Customer is responsible for:
- Safeguarding all API keys, personal access tokens, and webhook secrets
- Scoping API keys to least privilege for their intended use
- Rotating credentials promptly upon suspected compromise
- Using keys only in server-side or securely managed environments — not in client-side code, public repositories, logs, screenshots, or support messages
Permissio may revoke, rotate, suspend, or limit API keys when necessary for security, abuse prevention, service integrity, non-payment, or breach of this Agreement.
3. Sandbox and Live Environments
Sandbox environments are provided for testing and development. Customer must not:
- Represent sandbox output, signed records, or audit trails as production evidence unless expressly authorized in writing
- Send live documents to actual recipients using sandbox credentials
- Use sandbox environments as a system of record for production workflows
Customer must use live credentials only for production workflows and must ensure that test data is not sent to live recipients by mistake. Sandbox activity and data may be subject to shorter retention periods and automatic expiration.
4. Developer Responsibilities
Customer must:
- Use the APIs only in accordance with the Documentation and this Agreement
- Implement reasonable error handling, retry logic with back-off, idempotency, and webhook deduplication
- Verify webhook signatures using the
X-Permissio-Signatureheader on all inbound deliveries - Maintain accurate contact information for security and operational notices
- Promptly report suspected API key or credential compromise to security@permissio.us
- Comply with applicable privacy, security, electronic signature, and consumer protection laws in all applications built using the Developer Services
5. Rate Limits and Fair Use
Permissio may apply rate limits, quotas, concurrency limits, payload limits, timeout limits, and other technical controls. Permissio may update limits to protect security, reliability, or platform performance. Limits are published in the Documentation. Sustained use in excess of documented limits, or use designed to circumvent limits, may result in throttling or suspension.
6. Webhooks
Customer is responsible for:
- Maintaining webhook endpoint availability and returning timely HTTP 2xx responses
- Validating the
X-Permissio-SignatureHMAC-SHA256 header on all deliveries - Deduplicating events using the
X-Permissio-Deliverydelivery identifier - Handling retries gracefully using idempotent event processing
- Ensuring webhook endpoint URLs do not expose API secrets or credentials in query strings or headers
Webhook delivery is an asynchronous mechanism. Customer should not rely on webhooks as the sole source of legally required notice without validating the workflow and fallback reconciliation process.
7. SDKs and Sample Code
SDKs, sample code, examples, and templates are provided for convenience under their applicable open-source licenses. Customer is responsible for testing and validating its own implementation before production use. Sample code is not intended for use in production without review, adaptation, and testing.
8. Developer Applications
Customer is responsible for all applications, integrations, and services that Customer builds using the Developer Services. Customer must:
- Provide its own end-user notices, consents, privacy disclosures, and support
- Ensure its applications comply with applicable privacy, security, and consumer protection law
- Not represent that its applications are built, operated, or endorsed by Permissio without written permission
9. Monitoring and Logs
Permissio may monitor API activity for security, reliability, debugging, billing, abuse prevention, and compliance. Request logs and audit logs may include identifiers, timestamps, IP addresses, user agents, endpoint paths, status codes, response times, and operational metadata.
10. Liability
All API and developer use is subject to the liability cap and exclusions in the Terms of Service. No API, SDK, sample code, sandbox feature, webhook, or documentation creates a separate warranty or separate liability pool.
11. Contact
Developer support: support@permissio.us
Security reports: security@permissio.us