Permission resolution happens at the edge in a Cloudflare Worker.
Permission rules are stored in Cloudflare D1 (a serverless SQL database at the edge). When a permission check request arrives, the Worker resolves the permission locally without making a round-trip to the backend. This delivers sub-millisecond decisions.
The same permission rules are also stored in Supabase for the dashboard and API Builder. Changes made through the API are dual-written to both D1 and Supabase to keep them in sync.