Cerbos helps users separate their authorization process from their core application code, making their authorization system more scalable, more secure and easier to change as the application evolves.

  • Implement access policies for your software
  • Fine-grained access control that grows with your business
  • An order of magnitude faster than Open Policy Agent-based alternatives

What is Cerbos?

It's an access control decision engine for your software that is:

  • Driven by a simple API, which makes every decision feel like a database call
  • Policy-driven and attribute-based for maximum flexibility and scale
  • Decoupled, stateless and runs inside your stack

Why Cerbos?

  • World-class, open-source, off-the-shelf authorization layer, up and running in minutes, that can prevent over-provisioning of application and data privileges
  • Collaborate easily with product management and security teams. Evolve authorization policies without having to make changes to the core application code
  • Keep track of every access decision request, result and the reason for the decision for your audit process

Where and how does Cerbos run?

  • Self-hosted: Cerbos lives in your environment, wherever it is, cloud or on-premise: VM, Kubernetes, or serverless
  • Infinite scalability via serverless functions or a sidecar deployment model
  • GitOps-enabled policy development and deployment via a full testing suite for CI/CD pipelines

What does Cerbos integrate with?


APIs, SDKs and latency


Low-latency APIs:


SDKs for your native environment:


API-first approach:

Full audit logs

Cerbos generates audit logs of every request and action for compliance requirements.

  • Capture and log all incoming requests and responses consistently
  • Full trace of every decision made and why it was allowed or denied
  • Debug access requests with detailed information about the roles and attributes
  • Integrate into your existing audit process

Policy flexibility, storage, and version control

Flexible, developer-friendly, YAML-based policy authoring to model any business requirement:

Flexible policy storage options:

Policy versioning that allows:

  • Canary deployments
  • Multiple run environments: dev, test, QA, prod, etc.

Deployment and configuration

Runs anywhere.

Meets your infrastructure requirements and business compliance policies wherever they are: public or private cloud, or on-premise.

Deploy and host based on your architecture.

Container orchestration:

  • Service: Share Cerbos among many services
  • Sidecar: Run Cerbos right next to your application
  • or anywhere a container can be run

Serverless: let your cloud provider manage it

Anywhere a binary can be run: