Cerbos authorization for Magic
Magic provides passwordless and Web3 authentication using email magic links, social login, and wallet-based sign-in. Cerbos uses the identity tokens Magic issues to evaluate fine-grained authorization policies, so you get passwordless auth paired with resource-level access control.
Passwordless identity
Authenticate users with Magic's magic links, social login, or Web3 wallets and authorize them with Cerbos policies
Application-managed roles
Magic handles identity verification. Assign roles in your application and pass them to Cerbos for fine-grained authorization.
Web3-ready
Use wallet addresses and decentralized identity from Magic as principal attributes in Cerbos policies
How Cerbos works with Magic
Magic handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
How Cerbos works with Magic
- Users authenticate via Magic, Magic handles passwordless login through email magic links, social providers, or Web3 wallet connections. No passwords are stored or transmitted.
- Validate the Magic DID token, Your application validates the decentralized ID token issued by Magic and extracts the user's email or wallet address. Application-managed roles and attributes are fetched from your user store.
- Send identity and resource context to Cerbos, Pass the Magic-verified identity and application-managed roles as principal attributes alongside the target resource and desired action to the Cerbos PDP.
- Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the user identity and resource attributes, returning allow or deny. Your application enforces the result.
FAQ
How does Cerbos work with Magic?
Magic authenticates users via magic links, social login, or Web3 wallets and issues a decentralized ID (DID) token. Your application validates the DID token, extracts the user's identity, and passes it to Cerbos as a principal along with any application-managed roles or attributes. Cerbos evaluates your authorization policies against this data.
How do I handle roles with Magic and Cerbos?
Magic handles authentication but does not manage roles or groups. Your application assigns roles to users after authentication, stored in your database or user management system. Pass these roles to Cerbos alongside the Magic-verified identity, and your policies handle the rest.
Can I use Magic's Web3 wallet authentication with Cerbos?
Yes. When users authenticate with a Web3 wallet through Magic, you receive the wallet address as part of the identity token. Pass it to Cerbos as a principal attribute and write policies based on wallet address, associated roles, or any other application-managed attributes.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + Magic
- Cerbos extends Magic roles with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.