Skip to main content

Introduction

Permission Mongo is a high-performance Backend-as-a-Service that sits between your application and MongoDB, providing a complete REST API with fine-grained access control.

What is Permission Mongo?

Permission Mongo transforms your MongoDB database into a secure, production-ready API by combining:
  • REST API - Full CRUD operations with batch support
  • Fine-grained RBAC - Role-based access with hierarchical permissions
  • Schema validation - Types, constraints, computed fields
  • Document versioning - Track changes, diff, and restore
  • Hooks - Pre/post triggers with HTTP webhook support
  • Prometheus metrics - Full observability with Grafana dashboards
  • 50K+ QPS - Optimized for high throughput
Define your schema and policies in YAML, and get a complete API with authentication, authorization, validation, and audit logging - no backend code required.

Key benefits

Zero backend code

Define schema + policy in YAML files, get a complete REST API with all CRUD operations

Works with existing data

No schema migration required - Permission Mongo adapts to your current MongoDB collections

Hierarchical RBAC

Managers automatically see subordinates’ data using org chart relationships

High performance

Redis caching, connection pooling, and async audit logging for sub-20ms response times

Use cases

Permission Mongo is ideal for:
  • SaaS applications - Multi-tenant systems with complex permission requirements
  • Internal tools - Quick API generation for admin dashboards and back-office systems
  • Mobile backends - Secure REST API for iOS and Android applications
  • Microservices - Centralized data access layer with consistent authorization
  • Rapid prototyping - Schema to API in minutes for MVPs and proof-of-concepts

Core features

REST API endpoints

Permission Mongo provides 10+ REST endpoints covering all data operations:
Endpoint TypeDescription
CRUDCreate, read, update, delete documents
BatchBatch create, update, delete operations
QueryList with filters, count, aggregation pipelines
VersioningList versions, get version, diff, restore
HealthHealth checks, readiness, Prometheus metrics
See the full API Reference for details.

Schema validation

Define your data structure with rich type support:
config/schema.yml
colections:
  orders:
    fields:
      customer_id:
        type: string
        required: true
        ref: customers
      
      status:
        type: string
        enum: [draft, pending, shipped, delivered]
        default: draft
      
      items:
        type: array
        min_items: 1
        items:
          type: object
          properties:
            product_id: { type: string, ref: products }
            quantity: { type: integer, min: 1 }
            price: { type: number, min: 0 }
      
      # Computed field - calculated automatically
      total:
        type: number
        computed:
          expr:
            $sum:
              $map:
                input: "$items"
                as: "item"
                in: { $multiply: ["$$item.price", "$$item.quantity"] }
          store: true
          recompute_on: [items]
See Schema Definition for the complete field type reference.

Fine-grained RBAC

Define role-based policies with document-level and field-level permissions:
config/policy.yml
policies:
  orders:
    admin:
      actions: [create, read, update, delete]
      when: doc.company_id == user.tenant_id
    
    manager:
      actions: [create, read, update]
      when: |
        doc.company_id == user.tenant_id &&
        (doc.created_by == user.id || doc.created_by in user.$subordinates)
      fields:
        deny: [internal_notes]
    
    employee:
      actions: [create, read]
      when: doc.company_id == user.tenant_id && doc.created_by == user.id
      fields:
        deny: [internal_notes]
        deny_write: [status]
The user.$subordinates variable automatically includes all users reporting to the current user (directly or indirectly) based on your org chart defined in the users collection. See Policy Definition for the complete RBAC syntax.

Document versioning

Track complete change history for any collection:
config/schema.yml
collections:
  orders:
    versioning:
      enabled: true
      mode: full              # Store complete snapshots
      max_versions: 100       # Keep last 100 versions
      retention_days: 365     # Or keep for 1 year
Every update creates a new version in the _pm_versions collection. Use the versioning API to:
  • List all versions: GET /orders/{id}/versions
  • Get specific version: GET /orders/{id}/versions/3
  • Compare versions: GET /orders/{id}/diff/2/4
  • Restore to version: POST /orders/{id}/restore/2
See Versioning for implementation details.

Hooks and webhooks

Trigger actions before or after operations:
config/hooks.yml
hooks:
  orders:
    pre_create:
      - action: set_field
        field: created_by
        value: $user.id
      
      - action: validate
        condition: $doc.total > 0
        error: "Order total must be positive"
    
    post_update:
      - action: http
        method: POST
        url: "https://hooks.example.com/order-updated"
        body:
          order_id: $doc._id
          status: $doc.status
          updated_by: $user.id
        async: true
See Hooks for all available actions.

Technology stack

ComponentTechnologyPurpose
LanguageGo 1.21+High performance, single binary deployment
HTTP Serverfasthttp10x faster than net/http for high-throughput APIs
DatabaseMongoDB 6.0+Document storage, versioning, audit logs
CacheRedis 7.0+Policy caching, hierarchy lookups
AuthJWT (RS256/HS256)Industry standard token-based authentication
ConfigYAMLHuman-readable, version-controllable configuration
MetricsPrometheusObservability with pre-built Grafana dashboards

Architecture overview

┌─────────────────┐     ┌─────────────────────────────────┐
│  Your App /     │────▶│    Permission Mongo Service     │
│  Mobile / Web   │     │                                 │
└─────────────────┘     │  ┌───────────┐ ┌─────────────┐  │
                        │  │ Schema    │ │ Policy      │  │
                        │  └───────────┘ └─────────────┘  │
                        │                                 │
                        │  CRUD + RBAC + Hooks + Metrics  │
                        └────────────────┬────────────────┘

                         ┌───────────────┴───────────────┐
                         ▼                               ▼
                    ┌─────────┐                   ┌─────────┐
                    │  Redis  │                   │ MongoDB │
                    │ (cache) │                   │ (data)  │
                    └─────────┘                   └─────────┘


                    ┌──────────┐     ┌─────────┐
                    │Prometheus│────▶│ Grafana │
                    └──────────┘     └─────────┘
See Architecture for detailed component breakdown.

Performance characteristics

Permission Mongo is optimized for high throughput:
  • 50K+ QPS - Sustained queries per second on standard hardware
  • Sub-10ms - Average read latency with Redis caching
  • Sub-25ms - Average write latency including validation and versioning
  • 256K - Concurrent connections with fasthttp tuning

Optimizations

  • Lock-free router using atomic operations
  • Connection pooling (MongoDB: 100 conns, Redis: 500 conns)
  • Async audit logging with batched inserts
  • AST caching for RBAC expression parsing
  • Computed field memoization
See the 50K QPS Optimization Plan for implementation details.

Next steps

Quickstart

Get up and running in 5 minutes

Installation

Detailed installation options: binary, Docker, or from source

Configuration

Learn how to configure schema, policies, and hooks

API Reference

Complete REST API documentation with examples

Build docs developers (and LLMs) love

Get started for freeTalk to us