{
  "slug": "code/app-permissions",
  "title": "App Permissions",
  "description": "How Cuitty Code Apps request, receive, and use granular permissions.",
  "url": "https://cuitty.com/docs/code/app-permissions",
  "markdown_url": "https://cuitty.com/docs/code/app-permissions.md",
  "json_url": "https://cuitty.com/docs/code/app-permissions.json",
  "frontmatter": {
    "title": "App Permissions",
    "description": "How Cuitty Code Apps request, receive, and use granular permissions.",
    "order": 12,
    "section": "Code",
    "updatedAt": "2026-05-21"
  },
  "headings": [
    {
      "depth": 2,
      "slug": "upgrade-behavior",
      "text": "Upgrade behavior"
    },
    {
      "depth": 2,
      "slug": "denied-operations",
      "text": "Denied operations"
    }
  ],
  "body_markdown": "Cuitty Code Apps use least-privilege grants. The app manifest declares requested resources, actions, and reasons. The installer approves those permissions for a specific target.\n\nAt runtime, the app uses an installation token. Cuitty maps that token to the installation and checks the requested operation against SpiceDB before doing any work.\n\n## Upgrade behavior\n\nWhen a new app version asks for more access, Cuitty shows a permission diff before upgrade. Existing installs do not silently receive new privileges.\n\n## Denied operations\n\nIf an app installed to one repository tries to publish a package or change an organization registry policy, the request is denied unless that grant was explicitly approved for the install.",
  "body_html": "<p>Cuitty Code Apps use least-privilege grants. The app manifest declares requested resources, actions, and reasons. The installer approves those permissions for a specific target.</p>\n<p>At runtime, the app uses an installation token. Cuitty maps that token to the installation and checks the requested operation against SpiceDB before doing any work.</p>\n<h2 id=\"upgrade-behavior\">Upgrade behavior</h2>\n<p>When a new app version asks for more access, Cuitty shows a permission diff before upgrade. Existing installs do not silently receive new privileges.</p>\n<h2 id=\"denied-operations\">Denied operations</h2>\n<p>If an app installed to one repository tries to publish a package or change an organization registry policy, the request is denied unless that grant was explicitly approved for the install.</p>",
  "links_out": []
}