Tauri Permissions Configuration
This skill covers the Tauri v2 permission system for controlling frontend access to backend commands and system resources.
Permission System Overview
Permissions in Tauri are explicit privileges that grant or deny access to specific commands. They form the security boundary between frontend code and system resources.
Core Components
| Component |
Purpose |
| Permission |
Defines access to specific commands |
| Scope |
Restricts commands to specific paths/resources |
| Capability |
Links permissions to windows/webviews |
| Identifier |
Unique name referencing a permission |
Security Model
- Frontend code cannot access commands without explicit permission
- Deny rules always take precedence over allow rules
- Permissions must be linked to capabilities to be active
- Each window/webview can have different permissions
Permission Identifiers
Naming Convention
Format: <plugin-name>:<permission-type>
| Pattern |
Example |
Description |
<name>:default |
fs:default |
Default permission set |
<name>:allow-<command> |
fs:allow-read-file |
Allow specific command |
<name>:deny-<command> |
fs:deny-write-file |
Deny specific command |
<name>:allow-<scope> |
fs:allow-app-read |
Allow with predefined scope |
Identifier Rules
- Lowercase ASCII letters only:
[a-z]
- Maximum length: 116 characters
- Plugin prefixes (
tauri-plugin-) added automatically at compile time
Directory Structure
Application Structure
src-tauri/
βββ capabilities/
β βββ default.json # Main capability file
β βββ admin.toml # Additional capabilities
βββ permissions/
β βββ custom-permission.toml # Custom app permissions
βββ tauri.conf.json
Plugin Structure
tauri-plugin-example/
βββ permissions/
β βββ default.toml # Default permission set
β βββ autogenerated/ # Auto-generated from commands
β β βββ commands/
β βββ custom-scope.toml # Custom scopes
βββ src/
βββ commands.rs
βββ build.rs
Capability Configuration
Capabilities link permissions to windows and define what frontend contexts can access.
JSON Format (Recommended for Apps)
{
"$schema": "../gen/schemas/desktop-schema.json",
"identifier": "main-capability",
"description": "Main window permissions",
"windows": ["main"],
"permissions": [
"core:default",
"fs:default",
"fs:allow-read-text-file",
{
"identifier": "fs:allow-write-text-file",
"allow": [{ "path": "$APPDATA/*" }]
}
]
}
TOML Format
"$schema" = "../gen/schemas/desktop-schema.json"
identifier = "main-capability"
description = "Main window permissions"
windows = ["main"]
permissions = [
"core:default",
"fs:default",
"fs:allow-read-text-file"
]
[[permissions]]
identifier = "fs:allow-write-text-file"
allow = [{ path = "$APPDATA/*" }]
Window Targeting
{
"identifier": "admin-capability",
"windows": ["admin", "settings"],
"permissions": ["fs:allow-write-all"]
}
Use "*" to target all windows:
{
"windows": ["*"],
"permissions": ["core:default"]
}
Platform-Specific Capabilities
{
"identifier": "desktop-capability",
"platforms": ["linux", "macOS", "windows"],
"windows": ["main"],
"permissions": ["fs:allow-app-read-recursive"]
}
{
"identifier": "mobile-capability",
"platforms": ["iOS", "android"],
"windows": ["main"],
"permissions": ["fs:allow-app-read"]
}
Allow and Deny Lists
Basic Scope Configuration
{
"identifier": "fs:allow-read-file",
"allow": [
{ "path": "$HOME/Documents/*" },
{ "path": "$APPDATA/**" }
],
"deny": [
{ "path": "$HOME/Documents/secrets/*" }
]
}
Scope Variables
| Variable |
Description |
$APP |
Application install directory |
$APPCONFIG |
App config directory |
$APPDATA |
App data directory |
$APPLOCALDATA |
App local data directory |
$APPCACHE |
App cache directory |
$APPLOG |
App log directory |
$HOME |
User home directory |
$DESKTOP |
Desktop directory |
$DOCUMENT |
Documents directory |
$DOWNLOAD |
Downloads directory |
$RESOURCE |
App resource directory |
$TEMP |
Temporary directory |
Glob Patterns
| Pattern |
Matches |
* |
Any file in directory |
** |
Recursive (all subdirectories) |
*.txt |
Files with .txt extension |
Deny Precedence
Deny rules always override allow rules:
{
"permissions": [
{
"identifier": "fs:allow-read-file",
"allow": [{ "path": "$HOME/**" }],
"deny": [{ "path": "$HOME/.ssh/**" }]
}
]
}
Plugin Permissions
Using Default Plugin Permissions
{
"permissions": [
"fs:default",
"shell:default",
"http:default",
"dialog:default"
]
}
Common Plugin Permission Patterns
Filesystem Plugin
{
"permissions": [
"fs:default",
"fs:allow-read-text-file",
"fs:allow-write-text-file",
"fs:allow-app-read-recursive",
"fs:allow-app-write-recursive",
"fs:deny-default"
]
}
HTTP Plugin
{
"permissions": [
"http:default",
{
"identifier": "http:default",
"allow": [{ "url": "https://api.example.com/*" }],
"deny": [{ "url": "https://api.example.com/admin/*" }]
}
]
}
Shell Plugin
{
"permissions": [
"shell:allow-open",
{
"identifier": "shell:allow-execute",
"allow": [
{ "name": "git", "cmd": "git", "args": true }
]
}
]
}
Directory-Specific Filesystem Permissions
