> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stardeck.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Permissions & Grants

> Control which apps can talk to each other and what they're allowed to do

Before one app can call another, you need to grant it access. This page covers how to set up and manage those permissions.

## Two Ways to Grant Access

### Allow All Apps

The quickest option. Toggle on **Allow all apps to call this project** in the app's Cross-App settings. This lets any app in the organization read data from this app.

Good for:

* Data services that any app might need (product catalog, pricing, configuration)
* Quick development and testing
* Apps that share data openly within the org

<Info>
  "Allow all apps" only permits reading data. If another app needs to create, update, or delete anything, you'll need an explicit grant.
</Info>

### Explicit Grants

For more control, create a grant between two specific apps. You choose:

* **Which app** can call this one
* **What it can do** — read only, read and write, or specific operations

Go to the app's **Settings** tab, open **Cross-App**, and add a grant under **Incoming Calls**. You can also set it up from the caller's side under **Outgoing Calls** — both create the same connection.

## Managing Grants

### Adding a Grant

1. Open the app's project settings
2. Go to the **Cross-App** tab
3. Under **Incoming Calls**, click **Add grant**
4. Select the app you want to grant access to
5. Choose what level of access to allow
6. Save

### Removing a Grant

Click the delete button next to any grant. Access is revoked immediately.

## Call Logs

The **Call Logs** section on the Cross-App tab shows recent calls involving this app, both incoming and outgoing. Each entry shows which apps were involved, what was called, whether it succeeded, and how long it took.

This is useful for debugging when a cross-app integration isn't working as expected.

## Settings

### Allow Cross-App Calls

Lets any app in the organization read data from this app without needing an explicit grant. Off by default.

### Allow Production Fallback for Sandbox Callers

During development, you might be testing in one app's sandbox while the target app's sandbox isn't running. With this enabled, the platform routes sandbox calls to the target's production deployment instead.

Useful when you don't want to keep every app's sandbox running during development.

### Allow Agent Access

Lets Starcat, your organization's agent, operate this app directly — reading and writing through its API on your behalf — independent of app-to-app grants. Off by default.

When it's on, you also choose which of this app's environments the agent may call (Production, Preview, Sandbox). See [Agent Cross-App Calling](/cross-app/agent-calling) for how the agent picks an environment and what it can do.

### Developer-Agent Callable Environments

Controls which environments the in-project developer agent may originate cross-app calls **from** when you're building inside this project:

* **Sandbox only** — keeps the agent safe during development
* **Production only** — for projects where you only want the agent querying live data
* **Both** (default) — the agent can call from either environment

This is the outbound counterpart to **Allow Agent Access** above, which controls what the org agent may call *into* this app.
