Skip to content

How to Fix Deno Permission Denied Errors

DodaTech 2 min read

In this tutorial, you'll learn about How to Fix Deno Permission Denied Errors. We cover key concepts, practical examples, and best practices.

The Problem

Running a Deno script fails with error: Uncaught PermissionDenied: read access to "/etc/passwd" or network access to "api.example.com". Deno is secure by default — it runs in a sandbox with no file system, network, or environment access. You must explicitly grant each permission via command-line flags. This is a deliberate design choice to prevent malicious scripts from accessing sensitive resources without your knowledge.

Quick Fix

1. Read the error message to identify the missing permission

deno run app.ts

Expected output:

error: Uncaught PermissionDenied: read access to "./secrets.json", run again with --allow-read
    at async file: ///home/user/project/app.ts:5:20

Grant the specific permission:

deno run --allow-read=./secrets.json app.ts

2. Common permission flags and their scope

# Read access to a single file
deno run --allow-read=./config.json app.ts

# Read access to a directory tree
deno run --allow-read=./data app.ts

# Network access to a specific host
deno run --allow-net=api.example.com app.ts

# Network access to multiple hosts
deno run --allow-net=api.example.com,db.example.com app.ts

# Environment variable access
deno run --allow-env=DB_HOST,DB_PORT app.ts

# Write access to a directory
deno run --allow-write=./output app.ts

3. Combine multiple permissions

deno run \
    --allow-read=./config.json \
    --allow-net=api.example.com \
    --allow-env=DB_HOST \
    app.ts

4. Use a Deno configuration file

Create deno.json:

{
    "tasks": {
        "start": "deno run --allow-read=./data --allow-net=api.example.com app.ts"
    }
}

Then run:

deno task start

5. Prompt for permissions interactively

deno run --prompt app.ts

Each permission request shows a prompt in the terminal. This is useful during development to discover what permissions your script needs.

6. Request permissions dynamically in code

const status = await Deno.permissions.request({
    name: 'net',
    host: 'api.example.com',
});

if (status.state === 'granted') {
    const response = await fetch('https://api.example.com/data');
    console.log(await response.json());
} else {
    console.error('Permission denied — cannot fetch data');
}

7. Revoke a permission after use

await Deno.permissions.revoke({ name: 'net', host: 'api.example.com' });

8. Query current permission state without prompting

const status = await Deno.permissions.query({ name: 'read', path: './data' });
console.log(`Read permission: ${status.state}`); // "granted", "denied", or "prompt"

9. Use permission groups to enable multiple flags concisely

deno run --allow-read=/data --allow-write=/tmp --allow-net=api.example.com script.ts

For complex scripts, save permissions in a deno.json task:

{
  "tasks": {
    "start": "deno run --allow-read --allow-net main.ts"
  }
}

Prevention

  • Grant the most restrictive permissions possible — specify exact file paths and hostnames rather than opening broad access
  • Create a deno.json file with tasks that include the exact permission set needed by your script
  • Run deno run --prompt during development to discover required permissions interactively
  • Never use -A (all permissions) in production — it completely defeats Deno's security model
  • Document the required permissions in your project README so other developers know which flags to pass

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro