diff --git a/bk-plugin-framework/bk_plugin_framework/services/bpf_service/management/commands/data/api-definition.yml b/bk-plugin-framework/bk_plugin_framework/services/bpf_service/management/commands/data/api-definition.yml
index aa271f3..3bfdd5d 100644
--- a/bk-plugin-framework/bk_plugin_framework/services/bpf_service/management/commands/data/api-definition.yml
+++ b/bk-plugin-framework/bk_plugin_framework/services/bpf_service/management/commands/data/api-definition.yml
@@ -23,5 +23,13 @@ stage:
       max_age: 86400
       allow_credential: true
 
+{% if settings.BK_APIGW_GRANTED_APPS %}
+grant_permissions:
+  {% for app_code in settings.BK_APIGW_GRANTED_APPS %}
+  - bk_app_code: {{ app_code }}
+    grant_dimension: "gateway"
+  {% endfor %}
+{% endif %}
+
 release:
   comment: "auto release by bk-plugin-runtime"
diff --git a/bk-plugin-framework/bk_plugin_framework/services/bpf_service/management/commands/sync_plugin_apigw.py b/bk-plugin-framework/bk_plugin_framework/services/bpf_service/management/commands/sync_plugin_apigw.py
index d4594b8..eb224ab 100644
--- a/bk-plugin-framework/bk_plugin_framework/services/bpf_service/management/commands/sync_plugin_apigw.py
+++ b/bk-plugin-framework/bk_plugin_framework/services/bpf_service/management/commands/sync_plugin_apigw.py
@@ -27,6 +27,8 @@ def handle(self, *args, **kwargs):
         call_command("sync_apigw_resources", file=resources_file_path)
         print("[bk-plugin-framework]call sync_apigw_strategies with definition: %s" % definition_file_path)
         call_command("sync_apigw_strategies", file=definition_file_path)
+        print("[bk-plugin-framework]call grant_apigw_permissions with definition: %s" % definition_file_path)
+        call_command("grant_apigw_permissions", file=definition_file_path)
 
         # if getattr(settings, "BK_APIGW_CORS_ALLOW_ORIGINS"):
         #     strategy_cors_file_path = os.path.join(__file__.rsplit("/", 1)[0], "data/api-strategy-cors.yml")
diff --git a/runtime/bk-plugin-runtime/bk_plugin_runtime/config/default.py b/runtime/bk-plugin-runtime/bk_plugin_runtime/config/default.py
index ed03fe5..5a60cde 100644
--- a/runtime/bk-plugin-runtime/bk_plugin_runtime/config/default.py
+++ b/runtime/bk-plugin-runtime/bk_plugin_runtime/config/default.py
@@ -253,3 +253,7 @@ def logging_addition_settings(logging_dict):
 BK_APIGW_CORS_ALLOW_METHODS = os.getenv("BK_APIGW_CORS_ALLOW_METHODS", "")
 BK_APIGW_CORS_ALLOW_HEADERS = os.getenv("BK_APIGW_CORS_ALLOW_HEADERS", "")
 BK_APIGW_DEFAULT_TIMEOUT = int(os.getenv("BK_APIGW_DEFAULT_TIMEOUT", "60"))
+BK_APIGW_GRANTED_APPS = [BK_APP_CODE] + [
+    each.strip() for each in os.getenv("BK_APIGW_GRANTED_APPS", "").split(",") 
+    if each.strip()
+]