Server block

Listen addresses

By default the server will start an HTTP server on port 3592 and a gRPC server on 3593 that will listen on all available interfaces.

Listen on all available interfaces (default)
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"
Listen on a specific interface
  httpListenAddr: ""
  grpcListenAddr: ""
Listen on a Unix domain socket
  httpListenAddr: "unix:/var/sock/cerbos.http"
  grpcListenAddr: "unix:/var/sock/cerbos.grpc"


By default, Prometheus metrics are available to scrape from the /_cerbos/metrics HTTP endpoint. If you want to disable metrics reporting, set metricsEnabled to false.

  metricsEnabled: false

Payload logging

For debugging or auditing purposes, you can enable request and response payload logging for each request.

Enabling this setting affects server performance and could expose potentially sensitive data contained in the requests to anyone with access to the server logs.
  logRequestPayloads: true

Transport layer security (TLS)

You can enable transport layer security (TLS) by defining the paths to the certificate and key file in the TLS section.

    cert: /path/to/certificate
    key: /path/to/private_key
For production use cases that require automatic certificate reloading, workload identities and other advanced features, we recommend running a proxy server such as Envoy, Ghostunnel or Traefik in front of the Cerbos server.


By default, CORS is enabled on the HTTP service with all origins allowed. You can disable CORS by setting server.cors.disabled to true. You can also restrict the list of allowed origins and headers by setting server.cors.allowedOrigins and server.cors.allowedHeaders respectively.

      - X-CUSTOM

Enable Admin API

The Cerbos Admin API provides administration functions such as adding or updating policies (if the underlying storage engine supports it) to the running Cerbos instance. It is disabled by default.

Authentication is mandatory for the Admin API. See Cerbos Admin API documentation for more details.

TLS should be enabled to ensure that credentials are transmitted securely over the network. We also highly recommend changing the default username and password when deploying Cerbos.
    enabled: true
      username: cerbos
      passwordHash: JDJ5JDEwJE5HYnk4cTY3VTE1bFV1NlR2bmp3ME9QOXdXQXFROGtBb2lWREdEY2xXbzR6WnoxYWtSNWNDCgo=

Generating a password hash

Cerbos expects the password to be hashed with bcrypt and encoded with base64. This can be achieved using the htpasswd and base64 utilities available on most operating systems.

echo "cerbosAdmin" | htpasswd -niBC 10 cerbos | cut -d ':' -f 2 | base64 -w0

Enable Playground

The Cerbos playground API is disabled by default. To enable it, set playgroundEnabled to true.

  playgroundEnabled: true