SaaS-Ready Web Scraping with Tiered Permissions using Permit.io

This is a submission for the Permit.io Authorization Challenge: Permissions Redefined

What I Built

I built Scrapebase - a web scraping service that redefines how we think about permissions in modern SaaS applications. Instead of treating authorization as an afterthought, Scrapebase demonstrates how to build with permissions as a first-class concern from day one.

The project solves several common authorization challenges:

1. Tiered Access Control: Managing different permission levels for free vs paid users
2. Resource-Level Restrictions: Controlling access to sensitive domains
3. Feature-Based Permissions: Gating advanced features behind proper authorization

Key Features

• Tiered Service Levels: Free, Pro, and Admin tiers with different capabilities
• API Key Authentication: Simple authentication using API keys
• Role-Based Access Control: Permissions managed through Permit.io
• Domain Blacklist System: Resource-level restrictions for sensitive domains
• Text Processing: Basic and advanced text processing with role-based restrictions

Permission Structure

Demo

Try it live at: https://scrapebase-permit.up.railway.app/

Screenshot: Demo page showing tiered access control in action

Test it yourself:

• Free User: newuser / 2025DEVChallenge
• Admin: admin / 2025DEVChallenge

Project Repo

Repository: github.com/0xtamizh/scrapebase-permit-IO

The repository includes:

• Complete source code with TypeScript
• Detailed setup instructions
• API documentation
• Example environment configuration

My Journey

The Challenge

Traditional approaches to authorization often result in:

• Permission checks scattered throughout code
• Security vulnerabilities from inconsistent enforcement
• Technical debt from hard-coded rules
• Difficulty in updating permission logic

The Solution

I used Permit.io to create an externalized authorization system that:

1. Separates business logic from authorization code
2. Enables policy changes without code deployment
3. Provides consistent permission enforcement
4. Allows non-developers to manage permissions

Challenges Faced

The main challenge was implementing attribute-based access control (ABAC):

// Initially tried ABAC (didn't work with cloud PDP)
const resource = {
  type: 'website',
  attributes: {
    is_blacklisted: isBlacklistedDomain
  }
};

// Had to simplify to RBAC
const permissionCheck = await permit.check(user.key, action, 'website');

Key Learnings

1. Technical Benefits

   • Clean separation of concerns
   • Externalized policy management
   • Consistent enforcement

2. Business Benefits

   • Non-technical policy management
   • Flexible permission updates
   • Better security compliance

3. Developer Experience

   • Reduced complexity
   • Better maintainability
   • Focus on core features

Using Permit.io for Authorization

Implementation

The core authorization flow:

// permitAuth middleware
const permitAuth = async (req, res, next) => {
  const apiKey = req.headers['x-api-key'];

  // Map API key to user role
  const user = mapApiKeyToUser(apiKey);

  // Sync with Permit.io
  await permit.api.syncUser({
    key: user.key,
    email: user.email,
    attributes: { tier: user.tier }
  });

  // Check permission
  const allowed = await permit.check(user.key, req.action, 'website');
  if (!allowed) {
    return res.status(403).json({
      error: 'Access denied',
      details: `User ${user.key} cannot perform ${req.action}`
    });
  }

  next();
};

Dashboard Configuration

Configuring resource types and actions in Permit.io dashboard

Setting up role-based permissions for different user tiers

Managing users and their role assignments

Future Improvements

1. Set up local PDP for ABAC support
2. Implement tenant isolation
3. Add permission audit logging UI
4. Create more granular roles
5. Add user management interface

Scrapebase demonstrates how modern applications can redefine permissions by treating authorization as a first-class concern, enabling better security, maintainability, and user experience.