🇺🇸English
Tauri Permissions Configuration
This skill covers the Tauri v2 permission system for controlling frontend access to backend commands and system resources.
Permission System Overview
Permissions in Tauri are explicit privileges that grant or deny access to specific commands. They form the security boundary between frontend code and system resources.
Core Components
| Component | Purpose |
|---|
| Permission | Defines access to specific commands |
| Scope | Restricts commands to specific paths/resources |
| Capability | Links permissions to windows/webviews |
| Identifier | Unique name referencing a permission |
Security Model
- Frontend code cannot access commands without explicit permission
- Deny rules always take precedence over allow rules
- Permissions must be linked to capabilities to be active
- Each window/webview can have different permissions
Permission Identifiers
Naming Convention
Format: <plugin-name>:<permission-type>
| Pattern | Example | Description |
|---|
<name>:default | fs:default | Default permission set |
<name>:allow-<command> | fs:allow-read-file | Allow specific command |
<name>:deny-<command> | fs:deny-write-file | Deny specific command |
<name>:allow-<scope> |
Identifier Rules
- Lowercase ASCII letters only:
[a-z]
- Maximum length: 116 characters
- Plugin prefixes (
tauri-plugin-) added automatically at compile time
Directory Structure
Application Structure
src-tauri/
├── capabilities/
│ ├── default.json # Main capability file
│ └── admin.toml # Additional capabilities
├── permissions/
│ └── custom-permission.toml # Custom app permissions
└── tauri.conf.json
Plugin Structure
tauri-plugin-example/
├── permissions/
│ ├── default.toml # Default permission set
│ ├── autogenerated/ # Auto-generated from commands
│ │ └── commands/
│ └── custom-scope.toml # Custom scopes
└── src/
├── commands.rs
└── build.rs
Capability Configuration
Capabilities link permissions to windows and define what frontend contexts can access.
JSON Format (Recommended for Apps)
{
"$schema": "../gen/schemas/desktop-schema.json",
"identifier": "main-capability",
"description": "Main window permissions",
"windows": ["main"],
"permissions": [
"core:default",
"fs:default",
"fs:allow-read-text-file",
{
"identifier": "fs:allow-write-text-file",
"allow": [{ "path": "$APPDATA/*" }]
}
]
}
TOML Format
"$schema" = "../gen/schemas/desktop-schema.json"
identifier = "main-capability"
description = "Main window permissions"
windows = ["main"]
permissions = [
"core:default",
"fs:default",
"fs:allow-read-text-file"
]
[[permissions]]
identifier = "fs:allow-write-text-file"
allow = [{ path = "$APPDATA/*" }]
Window Targeting
{
"identifier": "admin-capability",
"windows": ["admin", "settings"],
"permissions": ["fs:allow-write-all"]
}
Use "*" to target all windows:
{
"windows": ["*"],
"permissions": ["core:default"]
}
Platform-Specific Capabilities
{
"identifier": "desktop-capability",
"platforms": ["linux", "macOS", "windows"],
"windows": ["main"],
"permissions": ["fs:allow-app-read-recursive"]
}
{
"identifier": "mobile-capability",
"platforms": ["iOS", "android"],
"windows": ["main"],
"permissions": ["fs:allow-app-read"]
}
Allow and Deny Lists
Basic Scope Configuration
{
"identifier": "fs:allow-read-file",
"allow": [
{ "path": "$HOME/Documents/*" },
{ "path": "$APPDATA/**" }
],
"deny": [
{ "path": "$HOME/Documents/secrets/*" }
]
}
Scope Variables
| Variable | Description |
|---|
$APP | Application install directory |
$APPCONFIG | App config directory |
$APPDATA | App data directory |
$APPLOCALDATA | App local data directory |
$APPCACHE | App cache directory |
$APPLOG | App log directory |
|
Glob Patterns
| Pattern | Matches |
|---|
* | Any file in directory |
** | Recursive (all subdirectories) |
*.txt | Files with .txt extension |
Deny Precedence
Deny rules always override allow rules:
{
"permissions": [
{
"identifier": "fs:allow-read-file",
"allow": [{ "path": "$HOME/**" }],
"deny": [{ "path": "$HOME/.ssh/**" }]
}
]
}
Plugin Permissions
Using Default Plugin Permissions
{
"permissions": [
"fs:default",
"shell:default",
"http:default",
"dialog:default"
]
}
Common Plugin Permission Patterns
Filesystem Plugin
{
"permissions": [
"fs:default",
"fs:allow-read-text-file",
"fs:allow-write-text-file",
"fs:allow-app-read-recursive",
"fs:allow-app-write-recursive",
"fs:deny-default"
]
}
HTTP Plugin
{
"permissions": [
"http:default",
{
"identifier": "http:default",
"allow": [{ "url": "https://api.example.com/*" }],
"deny": [{ "url": "https://api.example.com/admin/*" }]
}
]
}
Shell Plugin
{
"permissions": [
"shell:allow-open",
{
"identifier": "shell:allow-execute",
"allow": [
{ "name": "git", "cmd": "git", "args": true }
]
}
]
}
Directory-Specific Filesystem Permissions
| Permission | Access |
|---|
fs:allow-appdata-read | Read $APPDATA (non-recursive) |
fs:allow-appdata-read-recursive | Read $APPDATA (recursive) |
fs:allow-appdata-write | Write $APPDATA (non-recursive) |
fs:allow-appdata-write-recursive | Write $APPDATA (recursive) |
fs:allow-home-read-recursive | Read $HOME (recursive) |
fs:allow-temp-write |
Custom Permission Definition
TOML Permission File
Create src-tauri/permissions/my-permission.toml:
[[permission]]
identifier = "my-app:config-access"
description = "Access to app configuration files"
commands.allow = ["read_config", "write_config"]
[[scope.allow]]
path = "$APPCONFIG/*"
[[scope.deny]]
path = "$APPCONFIG/secrets.json"
Permission Sets
Group multiple permissions:
[[set]]
identifier = "my-app:full-access"
description = "Full application access"
permissions = [
"my-app:config-access",
"fs:allow-app-read-recursive",
"fs:allow-app-write-recursive"
]
Auto-Generated Command Permissions
In plugin src/build.rs:
const COMMANDS: &[&str] = &["get_user", "save_user", "delete_user"];
fn main() {
tauri_plugin::Builder::new(COMMANDS)
.build();
}
This generates:
allow-get-user / deny-get-userallow-save-user / deny-save-userallow-delete-user / deny-delete-user
Default Permission Set
Create permissions/default.toml:
[default]
description = "Default permissions for my-plugin"
permissions = [
"allow-get-user",
"allow-save-user"
]
Remote Access Configuration
Allow remote URLs to access Tauri APIs (use with caution):
{
"identifier": "remote-capability",
"windows": ["main"],
"remote": {
"urls": ["https://*.myapp.com"]
},
"permissions": [
"core:default"
]
}
Security Warning : Linux and Android cannot distinguish iframe requests from window requests.
Configuration in tauri.conf.json
Reference capabilities by identifier:
{
"app": {
"security": {
"capabilities": ["main-capability", "admin-capability"]
}
}
}
Or inline capabilities directly:
{
"app": {
"security": {
"capabilities": [
{
"identifier": "inline-capability",
"windows": ["*"],
"permissions": ["core:default"]
}
]
}
}
}
Troubleshooting
Common Errors
"Not allowed on this command"
- Verify command permission is in capability
- Check scope includes the target path
- Ensure capability targets correct window
Permission not found
- Check identifier spelling (lowercase only)
- Verify plugin is installed
- Run
cargo build to regenerate permissions
Debugging Permissions
- Check generated schema:
src-tauri/gen/schemas/
- Review capability files load correctly
- Verify window names match capability targets
- Check deny rules are not blocking access
Best Practices
- Principle of Least Privilege : Only grant permissions actually needed
- Use Specific Scopes : Prefer
$APPDATA/* over $HOME/**
- Deny Sensitive Paths : Always deny access to
.ssh, credentials, etc.
- Separate Capabilities : Use different capabilities for different window types
- Document Custom Permissions : Include clear descriptions
- Review Plugin Defaults : Understand what default permissions grant
- Platform-Specific Config : Use platform targeting for OS-specific needs
Weekly Installs
91
Repository
dchuk/claude-co…i-skills
GitHub Stars
10
First Seen
Jan 24, 2026
Security Audits
Gen Agent Trust HubPassSocketPassSnykPass
Installed on
opencode77
gemini-cli76
codex72
claude-code65
github-copilot64
cursor63
