Permify not accessible when running using Docker #2800
Description
Hi!
I was following the Docker deployment guide but then testing Permify using curl http://localhost:3476/healthz failed. I repeated the test on MacOS and Linux with the same results : curl always returns:
curl: (7) Failed to connect to localhost port 3476
The docker container logs show everything is fine regarding the reports (but apparently no information about the connection attempted):
┌────────────────────────────────────────────────────────┐
│ Permify v1.6.4 │
│ Fine-grained Authorization Service │
│ │
│ docs: ............... https://docs.permify.co │
│ github: .. https://github.com/Permify/permify │
│ blog: ............... https://permify.co/blog │
│ │
└────────────────────────────────────────────────────────┘
time=2026-02-27T18:47:35.295Z level=ERROR msg="Account ID is not set. Please fill in the Account ID for better support. Get your Account ID from https://permify.co/account"
time=2026-02-27T18:47:35.295Z level=INFO msg="🚀 starting permify service..."
time=2026-02-27T18:47:35.297Z level=INFO msg="🚀 grpc server successfully started: 3478"
time=2026-02-27T18:47:35.297Z level=INFO msg="🚀 invoker grpc server successfully started: 5000"
time=2026-02-27T18:47:35.297Z level=INFO msg="🚀 http server successfully started: 3476"
The problem appears to be that Permify by default will start listening on the local interface (localhost) so despite the fact that the Docker run command contains the -p 3476:3476 publish port option the API is unreachable from the host machine, because port forwarding forwards to container IP address. Indeed the
default config here uses 127.0.0.1 as the Host.
So running inside a container makes Permify unusable outside this container (unless you do some tricks with Docker networking like attaching another container to Permify container's network.
There are 2 solutions I can think of:
- Use the host's network e.g. run
docker run --network host ghcr.io/permify/permify serve - Use a config file and pass the (undocumented!)
hostoption there with an empty value. I.e. use a config that contains the following:
server:
host: "" # IMPORTANT: bind on all interfaces, will override default 127.0.0.1 setting
http:
enabled: true
port: "3476"
and then run:
docker run -p 3476:3476 -v ./config.yaml:/config.yaml ghcr.io/permify/permify serve -c /config.yaml
I like the 2nd approach, but ideally I should be able to specify it in the command like (e.g. --server-host 0.0.0.0) or through an environment variable.
So this issue is a combination of a bug report (on the documentation side at least) and a feature request :-)