Skip to main content

The Authorization Problem

As applications grow, authorization logic becomes increasingly complex. You need to answer questions like:
  • Can this user view this resource?
  • Which resources of this type can this user access?
  • How do I implement role-based access with attribute-based conditions?
  • How do I update authorization rules without deploying code?
Cerbos solves these challenges by providing a Policy Decision Point (PDP) that separates authorization logic from your application code. Define access control rules in human-readable YAML policies, and make simple API calls to evaluate permissions in real-time.

Why Cerbos?

Policy as Code

Define authorization rules in YAML files that live in your Git repository. Update policies without changing application code or redeploying services.

Authorization as a Service

Run Cerbos as a standalone service that scales independently. Make authorization decisions from any part of your application stack.

RBAC to ABAC

Start with simple role-based access control (RBAC) and evolve to attribute-based access control (ABAC) with dynamic conditions as your needs grow.

Deploy Anywhere

Run as a Kubernetes service or sidecar, systemd service, AWS Lambda function, or Docker container. Works with your existing infrastructure.

How Cerbos Works

Cerbos integrates into your application architecture as a dedicated authorization service:
1

Define Policies

Write resource policies in YAML that define who can do what on your resources. Store policies on disk, in cloud object stores, Git repositories, or databases.
Resource Policy Example
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: "album:object"
  version: "default"
  rules:
    - actions: ['*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - owner
    
    - actions: ['view']
      effect: EFFECT_ALLOW
      roles:
        - user
      condition:
        match:
          expr: request.resource.attr.public == true
2

Deploy the PDP

Run the Cerbos Policy Decision Point as a service in your infrastructure. The PDP continuously monitors your policies and evaluates authorization requests.
3

Make Authorization Calls

From your application, make API calls to Cerbos to check permissions. Get simple ALLOW or DENY responses based on your policies.
SDK Example
resp, err := client.CheckResources(
  ctx,
  principal,
  cerbos.NewResourceBatch(
    cerbos.NewResource("album:object", "photo123").WithAttr("owner", "alice"),
    "view", "delete",
  ),
)
4

Query for Resources

Use the PlanResources API to get a query plan showing which resources a user can access. Convert to database queries using query plan adapters.

Core Features

Two Primary APIs

Cerbos provides two essential APIs for authorization:

CheckResources

“Can this principal access this resource?”Check permissions for specific actions on specific resources. Returns ALLOW or DENY for each action.

PlanResources

“Which resources can this principal access?”Get a query plan to filter resources by permission. Convert to SQL, Prisma, SQLAlchemy, or other query formats.

Flexible Policy Types

Define rules for who can perform actions on resource types. Support for wildcards, role-based rules, and dynamic conditions.Use for: Standard RBAC and ABAC rules per resource type
Dynamically assign roles based on context. For example, assign “owner” role when resource.owner == principal.id.Use for: Context-dependent role assignment
Override rules for specific users or principals. Provide exceptions to general authorization rules.Use for: Special cases and user-specific overrides

Key Concepts

Understand these fundamental concepts to work effectively with Cerbos:

Core Concepts

Learn about Principals, Actions, Resources, and Policies

Get Started

Run Cerbos locally and try your first authorization check

View Policies

Explore policy types and authoring guidelines

Choose Deployment

Find the right deployment option for your infrastructure

Performance & Scalability

Cerbos is designed for production workloads:
  • Fast gRPC API for low-latency authorization checks (HTTP gateway also available)
  • Sidecar deployment for minimal network latency
  • Stateless architecture scales horizontally
  • In-memory policy evaluation for sub-millisecond decisions
  • Bring your own identity - integrates with any authentication provider

Trusted by Companies Worldwide

Cerbos is used by organizations of all sizes to handle authorization at scale.
Using Cerbos? Let us know at [email protected]

Next Steps

Quickstart

Get Cerbos running in 5 minutes

Core Concepts

Learn the fundamentals

Install Cerbos

Choose your installation method
New to authorization? Start with our quickstart guide to see Cerbos in action with a working example.

Build docs developers (and LLMs) love

Get started for freeTalk to us