Cerbos authorization management platform

Cerbos is an authorization management platform for applications, APIs, AI agents, MCP servers, services, and workloads. It works alongside your application to produce fine-grained, contextual access decisions based on policies you define.

The platform is composed of four components. Each can be adopted independently.

Platform components

Cerbos PDP

The open-source policy decision point. Evaluates authorization requests against policy definitions and returns decisions. Stateless, AuthZEN-compliant, and designed to run anywhere including container orchestrators like Kubernetes, serverless runtimes, and edge environments.

Cerbos PDP documentation →

Cerbos Hub

The control plane for Cerbos PDPs with centralised policy authoring, versioning, testing, secure distribution, and audit log aggregation. Create multiple deployments for your different environments or systems and any policy changes are automatically tested and pushed to the relevant PDPs without restarts or redeployments. All requests and decisions made by the PDPs are aggregated and stored to help with security investigations and comply with SOC 2, ISO 27001, HIPAA, PCI DSS, and GDPR audit requirements.

Cerbos Hub documentation →

Cerbos Synapse

A customisable context enrichment layer for the PDP. Intercept and enrich requests and responses to/from the PDP with identity, resource, and relationship data from identity providers, databases, graph stores, and internal APIs. Use Cerbos policies with systems that support external authorization such as Envoy, Kafka, and Trino.

Cerbos Synapse documentation →

Cerbos PEP Integrations

Client libraries and integrations for calling the PDP from application code. Available for JavaScript, Go, Python, Java, .NET, Rust, PHP, and Ruby.

PEP Integrations →

How Cerbos works

How Cerbos works