Introduction
What is Denied and how can it help you?
What is Denied?
Denied is an authorization policy management platform that helps you control who (users, services, agents) can access what (resources, data, tools) in your applications.
Instead of hardcoding authorization logic into your application, you define policies in a central location and query a Policy Decision Point (PDP) whenever you need to make an access control decision. This separation of policy from code makes your authorization logic:
- Auditable — See exactly what rules govern access
- Testable — Validate policies before deployment
- Flexible — Update policies without redeploying your application
- Consistent — Enforce the same rules across all your services
Denied is specifically designed to define runtime boundaries for AI agents.
Key Concepts
Policies
Policies are rules written in Rego, the policy language used by Open Policy Agent (OPA). A policy evaluates an authorization request and returns a decision — allow or deny.
    # Allow users to read their own documents
    input.action.name == "read"
    input.resource.properties.owner == input.subject.properties.user_id
You write the conditions that must be true for the policy to match. Denied handles wrapping your conditions in the proper OPA structure.
Policy Decision Points (PDP)
A PDP (also called a Decision Node) is the runtime component that evaluates authorization requests against your policies. When your application needs to check if an action is allowed, it sends a request to the PDP and receives a decision.
    Your App → PDP → Policy Evaluation → allow/deny
The PDP pulls policies from your Denied project automatically, so policy updates take effect without any changes to your application.
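The request flow above, sketched as an added Python example (not Denied's SDK or API, and not code from the Denied documentation): an enforcement point builds a request in the shape the sample policy reads, asks a local stand-in for the PDP, and denies on any failure. The names `lookup`, `read_own_document`, `check` and `broken_pdp` are hypothetical; the stand-in treats a missing field as undefined, as Rego does, so two absent values never compare equal.

```python
# Added example: a local stand-in for a PDP, not Denied's API or SDK.
from typing import Any, Callable

_UNDEFINED = object()  # a missing path is undefined, as in Rego, not None


def lookup(doc: Any, path: str) -> Any:
    """Walk a dotted path; return _UNDEFINED if any segment is missing."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return _UNDEFINED
        doc = doc[key]
    return doc


def read_own_document(request: dict) -> bool:
    """The sample policy's conditions: action is "read" and owner equals user_id."""
    action = lookup(request, "action.name")
    owner = lookup(request, "resource.properties.owner")
    user_id = lookup(request, "subject.properties.user_id")
    if any(v is _UNDEFINED for v in (action, owner, user_id)):
        return False  # an undefined reference means the conditions do not match
    return action == "read" and owner == user_id


def check(pdp: Callable[[dict], bool], subject: dict, action: str, resource: dict) -> bool:
    """Enforcement point: build the request, ask the PDP, deny on any failure."""
    request = {
        "subject": {"properties": subject},
        "action": {"name": action},
        "resource": {"properties": resource},
    }
    try:
        return pdp(request) is True  # anything other than an explicit True is a deny
    except Exception:
        return False  # fail closed if the PDP errors or is unreachable


def broken_pdp(request: dict) -> bool:
    """Constructed failure case standing in for an unreachable PDP."""
    raise ConnectionError("PDP unreachable")


if __name__ == "__main__":
    alice = {"user_id": "alice"}  # constructed sample data
    print("own document:", check(read_own_document, alice, "read", {"owner": "alice"}))
    print("other's document:", check(read_own_document, alice, "read", {"owner": "bob"}))
    print("both fields missing:", check(read_own_document, {}, "read", {}))
    print("PDP down:", check(broken_pdp, alice, "read", {"owner": "alice"}))
```

A direct port that compared `dict.get("owner") == dict.get("user_id")` would allow the request with both fields missing, which is the case the `_UNDEFINED` sentinel guards against.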
Organizations & Projects
Denied uses a multi-tenant hierarchy to organize your policies:
- Organizations — The top-level container. Invite team members and manage access.
- Projects — Isolated policy environments within an organization. Each project has its own policies, entities, and PDP configuration.
Entities
Entities represent the subjects (users, services, agents) and resources (documents, APIs, data) in your authorization model. You can register entities in Denied and use their properties in policies via the built-in Registry provider.
How It Works
- Define — Create policies in the Denied dashboard using Rego or AI-assisted generation
- Bundle — Denied packages your policies into an OPA-compatible bundle
- Deploy — Your PDP pulls the latest policies automatically
- Query — Your application sends authorization requests to the PDP
- Decide — The PDP evaluates the request and returns allow/deny
- Monitor — View decision logs and analytics in the dashboard
Next Steps
- Quickstart — Set up your PDP and create your first policy