Cerbos Hub

Cerbos Hub is an end-to-end authorization platform comprising a policy control plane, a data enrichment layer, and a distributed policy engine. It covers the full authorization lifecycle: authoring, testing, versioning, distribution, data enrichment, decision evaluation, and audit.

Platform components

Component and role

Cerbos Hub — Policy Administration Point

Control plane for policy authoring, testing, versioning, distribution, and audit visibility.

Cerbos Synapse — Data and integration layer

Enrichment layer that gathers identity and resource data from existing systems and delivers complete context to the policy engine. Contact the Cerbos team for access.

Cerbos PDP — Policy Decision Point

Open source authorization engine that evaluates requests against policies and returns access decisions. Stateless, high-performance, and built to scale horizontally.

Cerbos PEP SDKs — Policy Enforcement Point

Language-native client libraries that connect applications directly to PDPs to enforce real-time access decisions.

Cerbos Hub features

Collaborative policy editing

Cerbos Hub playgrounds provide private, collaborative, IDE-like development environments to help author and test policies with ease. Drag and drop policy and test files directly into the playground editor for fast loading and testing.

Managed build and release pipeline

Cerbos Hub automatically validates, tests, signs, and distributes every policy change, giving you a turnkey CI/CD pipeline without extra infrastructure. Policy execution traces are available for debugging complex authorization logic, showing a step-by-step view of how requests are evaluated.

Source-agnostic policy stores

Populate policy stores from any source using any of the many integration methods available.

Coordinated rollout of policy changes

Cerbos Hub pushes new policy bundles to every connected PDP instance, ensuring fleet-wide consistency and eliminating manual polling or reload logic.

PDP monitoring

Cerbos Hub shows which policies each PDP is serving, the exact bundle version, and when the instance was last seen.

Embedded policy decision points

Evaluate policies locally in browsers, edge functions, and other JavaScript environments using WebAssembly. Configure multiple ePDP rules per deployment, each with independent policy filtering (by resource, action, scope, role, or version), authentication requirements, and IP allowlists. Dynamic scopes enable per-tenant bundles in multi-tenant applications.

Audit log aggregation

With one line of configuration you can stream PDP decision logs to Cerbos Hub, filter sensitive fields locally, and retain searchable history without running a separate log stack.

Organization usage dashboard

The organization-level usage dashboard aggregates metrics from all your workspaces, providing a unified view of request volumes, policy distribution, and usage trends across your organization.

How it works

Cerbos Hub is a cloud-hosted management control plane, while Cerbos instances and the data they process remain strictly inside your network perimeter. Switching to Cerbos Hub requires only a minor configuration change to your existing Cerbos deployment. After the switch, PDPs receive optimized policy bundles from Cerbos Hub instead of compiling policies locally.

How Cerbos Hub works

  1. Make a change to policies and submit it to a policy store through Git, a CI pipeline, an API call, a CLI upload, or a direct drag and drop in the browser.

  2. Cerbos Hub detects the update and starts a new build.

  3. Cerbos Hub validates and compiles the policies.

  4. It runs all policy tests found in the store.

  5. It generates a compact encrypted policy bundle.

  6. It increments the deployment version and notifies every PDP assigned to this deployment that a new bundle is available.

  7. PDP instances download the new bundle and start serving it immediately.

Optionally, configure Cerbos Hub as an audit backend for the PDPs. Logs are streamed securely, with sensitive data removed locally before leaving your network perimeter.

Get started

  • Quick start guide — Create a policy store, deployment, and connect your first PDP.

  • Service PDPs — Production deployment patterns for server-side authorization.

  • Embedded PDPs — Client-side authorization for browsers and edge functions.

  • Synapse — Authorization data enrichment and infrastructure integrations.