How to Fix Deno Permission Denied Errors
In this tutorial, you'll learn about How to Fix Deno Permission Denied Errors. We cover key concepts, practical examples, and best practices.
The Problem
Running a Deno script fails with error: Uncaught PermissionDenied: read access to "/etc/passwd" or network access to "api.example.com". Deno is secure by default — it runs in a sandbox with no file system, network, or environment access. You must explicitly grant each permission via command-line flags. This is a deliberate design choice to prevent malicious scripts from accessing sensitive resources without your knowledge.
Quick Fix
1. Read the error message to identify the missing permission
deno run app.ts
Expected output:
error: Uncaught PermissionDenied: read access to "./secrets.json", run again with --allow-read
at async file: ///home/user/project/app.ts:5:20
Grant the specific permission:
deno run --allow-read=./secrets.json app.ts
2. Common permission flags and their scope
# Read access to a single file
deno run --allow-read=./config.json app.ts
# Read access to a directory tree
deno run --allow-read=./data app.ts
# Network access to a specific host
deno run --allow-net=api.example.com app.ts
# Network access to multiple hosts
deno run --allow-net=api.example.com,db.example.com app.ts
# Environment variable access
deno run --allow-env=DB_HOST,DB_PORT app.ts
# Write access to a directory
deno run --allow-write=./output app.ts
3. Combine multiple permissions
deno run \
--allow-read=./config.json \
--allow-net=api.example.com \
--allow-env=DB_HOST \
app.ts
4. Use a Deno configuration file
Create deno.json:
{
"tasks": {
"start": "deno run --allow-read=./data --allow-net=api.example.com app.ts"
}
}
Then run:
deno task start
5. Prompt for permissions interactively
deno run --prompt app.ts
Each permission request shows a prompt in the terminal. This is useful during development to discover what permissions your script needs.
6. Request permissions dynamically in code
const status = await Deno.permissions.request({
name: 'net',
host: 'api.example.com',
});
if (status.state === 'granted') {
const response = await fetch('https://api.example.com/data');
console.log(await response.json());
} else {
console.error('Permission denied — cannot fetch data');
}
7. Revoke a permission after use
await Deno.permissions.revoke({ name: 'net', host: 'api.example.com' });
8. Query current permission state without prompting
const status = await Deno.permissions.query({ name: 'read', path: './data' });
console.log(`Read permission: ${status.state}`); // "granted", "denied", or "prompt"
9. Use permission groups to enable multiple flags concisely
deno run --allow-read=/data --allow-write=/tmp --allow-net=api.example.com script.ts
For complex scripts, save permissions in a deno.json task:
{
"tasks": {
"start": "deno run --allow-read --allow-net main.ts"
}
}
Prevention
- Grant the most restrictive permissions possible — specify exact file paths and hostnames rather than opening broad access
- Create a
deno.jsonfile with tasks that include the exact permission set needed by your script - Run
deno run --promptduring development to discover required permissions interactively - Never use
-A(all permissions) in production — it completely defeats Deno's security model - Document the required permissions in your project README so other developers know which flags to pass
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro