Cerbos Hub (Beta)

Cerbos Hub simplifies the process of authoring authorization policies, testing changes, rolling out updates to production, and aggregating audit logs about authorization decisions. It’s a scalable solution for developers who want to save time, streamline their workflows and confidently roll out authorization updates — freeing you to focus on delivering great products to your customers.


This is a BETA release of new functionality for Cerbos. While it has been tested thoroughly during development, issues may still need to be addressed. The future of this capability will depend on the feedback received during this testing period and may result in it potentially being altered, delayed, or cancelled.


Collaborative policy editing

Cerbos Hub playgrounds provide private, collaborative, IDE-like development environments to help author and test polices with ease.

Managed CI/CD pipeline for Cerbos policies

Cerbos Hub serves as a managed CI/CD pipeline specifically designed for validating, testing, and distributing policies in a more efficient manner compared to the open-source version. With Cerbos Hub, you can automate and streamline the entire policy management process.

Coordinated rollout of policy changes

Cerbos Hub simplifies policy updates by centrally managing the rollout process to all PDP service instances. Instead of each instance handling its own update cycle, Cerbos Hub takes the proactive approach of pushing policy changes to all instances. This ensures a smoother rollout experience and reduces the time it takes for all PDPs to get in sync with each other.

Leverage your Git workflow

GitOps is a first-class citizen in the Cerbos ecosystem. Cerbos Hub is no exception with support for branches, tags and commit hashes as policy sources. You can build multiple versions of policy bundles based on Git references and distribute them to Cerbos PDP instances running in your environment(s).

PDP monitoring

Cerbos Hub provides visibility into your deployed PDP instances, including which policies are currently being served, the current version and when it was last seen.

Embeddable policies

Exclusive to Cerbos Hub is the ability to generate self-contained policy snapshots that can be embedded into any system that supports WebAssembly modules. This is a powerful solution for cases where authorization decisions have to be made locally on device or at the edge without access to a full-fledged Cerbos policy decision point.

Collaborative playgrounds

Cerbos Hub playgrounds are feature-rich policy development environments for building quick prototypes, creating training material or just experimenting with your existing policies in a private sandbox with your colleagues.

Easy audit log aggregation

With a simple line of configuration, you can start collecting audit logs from your PDPs without having to worry about configuring, deploying and tuning a separate log aggregation solution.

How it works

Cerbos Hub is a cloud-hosted management control plane. Cerbos instances and the data they process remain strictly inside your network perimeter. Switching to Cerbos Hub is as simple as pushing a minor configuration change to your existing Cerbos deployment. Everything remains the same except that Cerbos instances now receive optimized policy bundles from Cerbos Hub instead of having to poll a policy repository and compile new policies locally as they change.

Cerbos Hub handles the validation, testing, compilation and deployment of policy updates to all connected Cerbos policy decision points. Embedded bundles are published as part of the CI process as well and clients are able to retrieve the latest builds via a special URL.

How Cerbos Hub works

  1. Make a change to policies and push to GitHub

  2. Cerbos Hub detects the new commit and downloads the new policy definitions

  3. Validate the new policy definitions

  4. Run any policy tests available in the repo

  5. Generate a compact binary representation of the policies and build both an encrypted policy bundle and an embedded WebAssembly module and store on CDN

  6. Update the status of labels (symbolic references to git branches, tags or commits defined by you)

  7. Send a message to any connected PDPs watching the updated labels that a new bundle is available

  8. PDP instances download the new bundle and start serving it

  9. Client applications download latest version of embedded policy module to evaluate on device

You can optionally configure Cerbos Hub as an audit backend for the PDPs and securely send audit logs for storage in the cloud. Any sensitive data points can be filtered locally on the PDP before leaving your network perimeter.