A Fintech CRM-style API demonstrating externalized, fine-grained authorization using Permit.io, with AI-driven decision safeguards.
- Role- and resource-based access control
- Externalized policies via Permit.io
- AI agent recommending credit limit increases
- REST API with OpenAPI documentation
- Mock in-memory dataset (no DB needed)
- Backend: Node.js + Express.js
- Authorization: Permit.io PDP (local or cloud)
- Mock Data: In-memory users, accounts, transactions
- Docs: Swagger UI (/docs) via OpenAPI spec
- Testing: Supertest, Jest
Use these headers to simulate user sessions. The x-user-id header is trusted as-is, which is fine for a local demo but is not authentication: in a deployed service the user identity must come from a verified session or token, and the header must not be accepted from clients.
# Admin
x-user-id: 1
# Sales Rep (assigned to accounts 1001, 1002)
x-user-id: 2
# Support
x-user-id: 3
# Customer (owns account 1001)
x-user-id: 4
# AI Agent
x-user-id: 999
| Method | Endpoint | Description |
|---|---|---|
| GET | /accounts/:id | View account info (authorized) |
| GET | /transactions/:ref | View transaction (authorized) |
| POST | /ai/recommend-credit-increase | Trigger AI credit review (authorized) |
Full OpenAPI docs: http://localhost:3000/docs
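The request path the table above implies (x-user-id header, principal lookup, externalized check, then the handler), shown as an added example in Express middleware shape. This is not the project's code: `localPolicyCheck` is a constructed stand-in for the Permit SDK's `permit.check(user, action, resource)`, and the grants it encodes (support is read-only, the AI agent may recommend but never read, customers and sales reps are scoped to their accounts) are assumptions, not the project's actual Permit policy. Account 1003 and the users' account lists are likewise constructed. It runs with plain Node, no Express or PDP required.

```javascript
// Added example, not the project's code. x-user-id -> principal -> check -> handler.
// localPolicyCheck stands in for permit.check(); the role grants below are assumptions.

// Constructed principals mirroring the README's header table (account lists assumed).
const USERS = {
  1: { key: '1', role: 'admin' },
  2: { key: '2', role: 'sales_rep', accounts: ['1001', '1002'] },
  3: { key: '3', role: 'support' },
  4: { key: '4', role: 'customer', accounts: ['1001'] },
  999: { key: '999', role: 'ai_agent' },
};
// Constructed accounts; the README only names 1001 and 1002.
const ACCOUNTS = {
  1001: { id: '1001', owner: '4', creditLimit: 5000 },
  1002: { id: '1002', owner: '5', creditLimit: 12000 },
};
// Own-property lookup only: a header of "constructor" or "__proto__" must not
// resolve to something on Object.prototype and become a valid principal.
const lookup = (table, key) => (Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined);

// Assumed grants. In the project this decision is externalized to the Permit PDP; the
// API only ever asks "may this user perform this action on this resource instance?".
function localPolicyCheck(user, action, resource) {
  const inScope = Array.isArray(user.accounts) && user.accounts.includes(resource.key);
  switch (user.role) {
    case 'admin': return true;
    case 'support': return action === 'view';                        // read-only, any account
    case 'sales_rep': return ['view', 'recommend'].includes(action) && inScope;
    case 'customer': return action === 'view' && inScope;            // own account only
    case 'ai_agent': return action === 'recommend';                  // may recommend, never read
    default: return false;                                           // unknown role: deny
  }
}

// Middleware factory. check(user, action, resource) resolves to a boolean; pass
// permit.check here so the decision stays outside application code.
function authorize({ action, resourceType, resourceKey, check }) {
  return async (req, res, next) => {
    const user = lookup(USERS, req.headers['x-user-id']);   // header trusted for the demo only
    if (!user) return res.status(401).json({ error: 'unknown principal' });
    const resource = { type: resourceType, key: String(resourceKey(req) ?? '') };
    let allowed;
    try {
      allowed = await check(user, action, resource);
    } catch (err) {
      return res.status(503).json({ error: 'authorization unavailable' }); // fail closed
    }
    if (allowed !== true) return res.status(403).json({ error: 'forbidden' });
    req.user = user;
    req.resource = resource;
    return next();
  };
}

// Handlers trust req.user / req.resource only because authorize() ran first. The
// existence check comes after the decision, so a denied caller learns nothing.
function viewAccount(req, res) {
  const acct = lookup(ACCOUNTS, req.resource.key);
  return acct ? res.status(200).json(acct) : res.status(404).json({ error: 'not found' });
}
function recommendCreditIncrease(req, res) {
  const acct = lookup(ACCOUNTS, req.resource.key);
  if (!acct) return res.status(404).json({ error: 'not found' });
  // Recommendation only: nothing here changes creditLimit.
  return res.status(200).json({ accountId: acct.id, recommendedLimit: acct.creditLimit * 1.1, by: req.user.key });
}

// Express wiring would be: app.get('/accounts/:id', ...routes(check).viewAccount) and
// app.post('/ai/recommend-credit-increase', ...routes(check).recommend).
function routes(check) {
  return {
    viewAccount: [authorize({ action: 'view', resourceType: 'account', resourceKey: (r) => r.params.id, check }), viewAccount],
    recommend: [authorize({ action: 'recommend', resourceType: 'account', resourceKey: (r) => r.body.accountId, check }), recommendCreditIncrease],
  };
}

// Minimal stand-in for Express req/res so the chain runs without a server.
async function simulate([middleware, handler], { headers = {}, params = {}, body = {} }) {
  const req = { headers, params, body };
  const res = { statusCode: 200, status(c) { this.statusCode = c; return this; }, json(b) { this.body = b; return this; } };
  await middleware(req, res, () => handler(req, res));
  return res.statusCode;
}

// Scenarios worth checking before trusting the middleware; returns HTTP status per case.
async function runDemo() {
  const r = routes(async (u, a, res) => localPolicyCheck(u, a, res));
  const broken = routes(async () => { throw new Error('PDP unreachable'); });
  return {
    noHeader: await simulate(r.viewAccount, { params: { id: '1001' } }),
    customerOwn: await simulate(r.viewAccount, { headers: { 'x-user-id': '4' }, params: { id: '1001' } }),
    customerOther: await simulate(r.viewAccount, { headers: { 'x-user-id': '4' }, params: { id: '1002' } }),
    repAssigned: await simulate(r.viewAccount, { headers: { 'x-user-id': '2' }, params: { id: '1002' } }),
    repUnassigned: await simulate(r.viewAccount, { headers: { 'x-user-id': '2' }, params: { id: '1003' } }),
    aiReadsAccount: await simulate(r.viewAccount, { headers: { 'x-user-id': '999' }, params: { id: '1001' } }),
    aiRecommends: await simulate(r.recommend, { headers: { 'x-user-id': '999' }, body: { accountId: '1001' } }),
    adminMissingAcct: await simulate(r.viewAccount, { headers: { 'x-user-id': '1' }, params: { id: '9999' } }),
    prototypeHeader: await simulate(r.viewAccount, { headers: { 'x-user-id': 'constructor' }, params: { id: '1001' } }),
    pdpDown: await simulate(broken.viewAccount, { headers: { 'x-user-id': '1' }, params: { id: '1001' } }),
  };
}

runDemo().then((results) => console.log(results));
```

Two design points carry over to the real project unchanged: the PDP call is wrapped so that an unreachable PDP yields 503 rather than a pass-through, and the authorization decision runs before the resource lookup, so an unassigned sales rep probing /accounts/1003 sees the same 403 whether or not that account exists.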
# 1. Install dependencies
yarn install
# 2. Create a .env file based on .env.example
cp .env.example .env
# 3. Run local Permit PDP (optional)
docker compose -f docker-compose.pdp.yml up -d
# 4. Sync roles/users/instances to Permit
node scripts/syncPermitData.js
# 5. Start the API server
yarn dev
# 6. Visit docs
open http://localhost:3000/docs

This project is part of the Permit.io Authorization Challenge, demonstrating externalized authorization in a real-world fintech scenario with an AI-driven decision flow.
