Denied Docs

Introduction

What is Denied Platform and how can it help you?

What is Denied Platform?

Denied Platform is an authorization policy management system that helps you control who (users, services, AI agents) can access what (resources, data, actions) in your applications.

Instead of hardcoding authorization logic into your application, you define policies in a central location and query a decision node whenever you need to make an access control decision. This separation of policy from code makes your authorization logic:

  • Auditable — See exactly what rules govern access
  • Testable — Validate policies before deployment
  • Flexible — Update policies without redeploying your application
  • Consistent — Enforce the same rules across all your services

Key Concepts

Policies

Policies are rules written in Rego, the policy language used by Open Policy Agent (OPA). A policy evaluates an authorization request and returns a decision — typically allow or deny.

# Allow users to read their own documents
input.action.name == "read"
input.resource.properties.owner == input.subject.properties.user_id

You write the conditions that must be true for the policy to match. Denied Platform handles wrapping your conditions in the proper OPA structure.
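To show what those two conditions look like once they sit inside a complete OPA module, here is an added example with unit tests. It is not Denied's generated wrapper or code from the Denied docs: the package name, the `allow` rule name, and all sample values are assumptions made for illustration.

```rego
# Added illustration. Package and rule names are assumptions, not Denied's wrapper.
package example.documents

import rego.v1

# Fail closed: any request that does not match the rule below is denied.
default allow := false

# The two conditions from the snippet above, as the body of a rule.
allow if {
	input.action.name == "read"
	input.resource.properties.owner == input.subject.properties.user_id
}

# Constructed sample requests; run them with `opa test <file>`.
test_owner_can_read if {
	allow with input as {
		"action": {"name": "read"},
		"subject": {"properties": {"user_id": "u-100"}},
		"resource": {"properties": {"owner": "u-100"}},
	}
}

test_other_user_denied if {
	not allow with input as {
		"action": {"name": "read"},
		"subject": {"properties": {"user_id": "u-200"}},
		"resource": {"properties": {"owner": "u-100"}},
	}
}

test_owner_cannot_write if {
	not allow with input as {
		"action": {"name": "write"},
		"subject": {"properties": {"user_id": "u-100"}},
		"resource": {"properties": {"owner": "u-100"}},
	}
}

# Missing properties make the comparison undefined rather than "equal",
# so the default applies and the request is denied.
test_missing_ids_denied if {
	not allow with input as {
		"action": {"name": "read"},
		"subject": {"properties": {}},
		"resource": {"properties": {}},
	}
}
```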

Decision Nodes

A decision node is a server that evaluates authorization requests against your policies. When your application needs to check if an action is allowed, it sends a request to the decision node and receives a decision.

Your App → Decision Node → Policy Evaluation → allow/deny

Decision nodes pull policies from your Denied project automatically, so policy updates take effect without any changes to your application.

Organizations & Projects

Denied uses a multi-tenant hierarchy to organize your policies:

  • Organizations — The top-level container. Invite team members and manage billing.
  • Projects — Isolated policy environments within an organization. Each project has its own policies, entities, and decision node configuration.

Entities

Entities represent the subjects (users, services, agents) and resources (documents, APIs, data) in your authorization model. You can register entities in Denied and use their properties in policies.

Blueprints

Blueprints are AI-generated policy outlines based on your organizational context. Describe your access control needs in natural language, and Denied will generate a structured policy blueprint you can refine into working Rego code.

How It Works

  1. Define — Create policies in the Denied dashboard using Rego or AI-assisted generation
  2. Bundle — Denied packages your policies into an OPA-compatible bundle
  3. Deploy — Your decision node pulls the latest policies automatically
  4. Query — Your application sends authorization requests to the decision node
  5. Decide — The decision node evaluates the request and returns allow/deny
  6. Monitor — View decision logs and analytics in the dashboard

Use Cases

AI Agent Authorization

Control what AI agents can access with time-limited Agent Passports. Issue credentials that expire, and define policies based on agent identity, task type, and data sensitivity.

Multi-Tenant SaaS

Enforce tenant isolation with policies that ensure users can only access resources within their organization. Combine with role-based access control for fine-grained permissions.

API Gateway Protection

Protect your APIs by evaluating every request against your policies. Check user roles, resource ownership, rate limits, and more.

Compliance & Audit

Maintain audit trails of every authorization decision. Use analytics to understand access patterns and identify potential security issues.

Next Steps

Ready to get started?

  1. Create your account — Sign up and create your first organization
  2. Create your first policy — Write and test a simple authorization policy
  3. Learn Rego — Understand the policy language
