Tauri v2 uses a capability system to control which plugin commands your frontend is allowed to call. Each command exposed by tauri-plugin-configurate has a corresponding allow-* permission identifier. You list the permissions you want to grant inside a capability file (typically src-tauri/capabilities/default.json), and Tauri enforces them at the IPC boundary — a command that is not listed will be denied before it reaches Rust. This page covers every permission identifier the plugin defines and explains when to use each one.
configurate:default
The configurate:default permission set bundles every general-purpose command the plugin exposes. It is the right starting point for most applications. Add it to your capability file like this:
```json
{
  "permissions": ["configurate:default"]
}
```
The following individual permissions are included in configurate:default:
| Permission identifier | Command | Description |
|---|---|---|
| configurate:allow-create | create | Create a new config file |
| configurate:allow-load | load | Load an existing config file |
| configurate:allow-save | save | Save (overwrite) a config file |
| configurate:allow-patch | patch | Partially update a config file |
| configurate:allow-delete | delete | Delete a config file |
| configurate:allow-exists | exists | Check whether a config file exists |
| configurate:allow-load-all | load_all | Batch-load multiple config files |
| configurate:allow-save-all | save_all | Batch-save multiple config files |
| configurate:allow-patch-all | patch_all | Batch-patch multiple config files |
| configurate:allow-watch-file | watch_file | Watch a config file for changes |
| configurate:allow-unwatch-file | unwatch_file | Stop watching a config file |
| configurate:allow-list-configs | list_configs | List config files in a directory |
| configurate:allow-reset | reset | Delete and re-create a config file |
| configurate:allow-export-config | export_config | Export a config to a format string |
| configurate:allow-import-config | import_config | Import a config from a format string |
Grant only the permissions your application actually uses. If your app never watches files, omitting configurate:allow-watch-file and configurate:allow-unwatch-file reduces the surface area available to a compromised renderer process.
configurate:allow-unlock
The allow-unlock permission gates the unlock command, which is the only command that reads keyring secrets and inlines them into config data. It is intentionally excluded from configurate:default and must be granted separately.
```json
{
  "permissions": [
    "configurate:default",
    "configurate:allow-unlock"
  ]
}
```
You need this permission whenever your JavaScript code calls .unlock() on a Configurate instance or uses loadAll().unlock(). Without it, those calls are denied at the IPC layer before any keyring access occurs.
configurate:allow-unlock is deliberately kept out of the default permission set as a security measure. Granting keyring access is a meaningful decision — an application that never uses the keyring should not expose this command at all. Always add configurate:allow-unlock explicitly and only in capability files for windows that genuinely require it.
Granting individual permissions
Instead of using the configurate:default bundle, you can list only the specific permissions your application needs. This is useful when you want a tightly scoped capability file for a particular window or context:
```json
{
  "permissions": [
    "configurate:allow-load",
    "configurate:allow-save"
  ]
}
```
Full permission identifier reference
The table below lists every allow-* and deny-* identifier the plugin exposes. The deny-* variants let you explicitly block a command even when a broader permission set might otherwise include it — useful for fine-grained per-window capability rules.
| Allow identifier | Deny identifier | Command |
|---|---|---|
| configurate:allow-create | configurate:deny-create | create |
| configurate:allow-load | configurate:deny-load | load |
| configurate:allow-save | configurate:deny-save | save |
| configurate:allow-patch | configurate:deny-patch | patch |
| configurate:allow-delete | configurate:deny-delete | delete |
| configurate:allow-exists | configurate:deny-exists | exists |
| configurate:allow-load-all | configurate:deny-load-all | load_all |
| configurate:allow-save-all | configurate:deny-save-all | save_all |
| configurate:allow-patch-all | configurate:deny-patch-all | patch_all |
| configurate:allow-unlock | configurate:deny-unlock | unlock |
| configurate:allow-watch-file | configurate:deny-watch-file | watch_file |
| configurate:allow-unwatch-file | configurate:deny-unwatch-file | unwatch_file |
| configurate:allow-list-configs | configurate:deny-list-configs | list_configs |
| configurate:allow-reset | configurate:deny-reset | reset |
| configurate:allow-export-config | configurate:deny-export-config | export_config |
| configurate:allow-import-config | configurate:deny-import-config | import_config |
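
A review aid for the rules above, added here as an example and not part of the plugin or its documentation: a Node.js audit that expands configurate:default into its members, applies deny-* entries, and reports which window labels can still reach unlock. It assumes capability objects with identifier, windows and permissions keys, that a deny entry overrides any allow in the same capability, and that window labels are matched literally; the sample capabilities and their names are constructed.

```javascript
// Added example: audit capability objects for configurate permissions.
// Members of configurate:default, copied from the table on this page.
const DEFAULT_SET = ["create", "load", "save", "patch", "delete", "exists",
  "load_all", "save_all", "patch_all", "watch_file", "unwatch_file",
  "list_configs", "reset", "export_config", "import_config"];

// A permission entry is either a string or an object with an "identifier" key.
const idOf = (p) => (typeof p === "string" ? p : p && p.identifier) || "";

// Resolve the configurate commands one capability actually grants.
function effectiveCommands(capability) {
  const allowed = new Set();
  const denied = new Set();
  for (const entry of capability.permissions || []) {
    const id = idOf(entry);
    if (!id.startsWith("configurate:")) continue;
    const name = id.slice("configurate:".length);
    if (name === "default") DEFAULT_SET.forEach((c) => allowed.add(c));
    else if (name.startsWith("allow-")) allowed.add(name.slice(6).replace(/-/g, "_"));
    else if (name.startsWith("deny-")) denied.add(name.slice(5).replace(/-/g, "_"));
  }
  // Assumption: a deny entry wins over any allow, whatever the listing order.
  return [...allowed].filter((c) => !denied.has(c)).sort();
}

// Map each window label to the capabilities that expose the unlock command.
function windowsWithUnlock(capabilities) {
  const report = {};
  for (const cap of capabilities) {
    if (!effectiveCommands(cap).includes("unlock")) continue;
    for (const w of cap.windows || []) {
      (report[w] = report[w] || []).push(cap.identifier);
    }
  }
  return report;
}

// Constructed sample capabilities (hypothetical identifiers and window labels).
const SAMPLE = [
  { identifier: "main-cap", windows: ["main"],
    permissions: ["configurate:default", "configurate:deny-delete", "configurate:deny-reset"] },
  { identifier: "vault-cap", windows: ["vault"],
    permissions: ["configurate:allow-load", "configurate:allow-unlock"] },
  { identifier: "preview-cap", windows: ["preview"],
    permissions: ["configurate:default", "configurate:allow-unlock", "configurate:deny-unlock"] },
];

console.log(windowsWithUnlock(SAMPLE));
```

Run it over the parsed contents of each file in src-tauri/capabilities and treat any window in the report that has no keyring-backed feature as a finding.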