Cerbos website screenshot

Cerbos

Cerbos is an open-core, language-agnostic, scalable authorization platform that decouples access control from application code by externalizing fine-grained, context-aware permission decisions into policy-as-code. Authorization is expressed in YAML policies supporting RBAC, ABAC, PBAC, and ReBAC, evaluated by a stateless Policy Decision Point (PDP) that delivers sub-millisecond decisions at scale. The platform consists of the open-source Cerbos PDP (Apache 2.0), Cerbos Hub control plane (PAP), Cerbos Synapse enrichment layer, and PEP SDKs for Go, Java, JavaScript / TypeScript, .NET, PHP, Python, Ruby, and Rust. The PDP exposes both REST (port 3592) and gRPC (port 3593) interfaces, an Admin API, and standards- compliant OpenID AuthZEN endpoints, with query-plan adapters for Prisma and SQLAlchemy.

6 APIs 19 Features
ABACAccess ControlAuthorizationAuthZENOpen SourcePBACPDPPermissionsPolicy as CodeRBACReBACZero Trust

APIs

Cerbos PDP REST API

The Cerbos PDP REST API is the HTTP/JSON interface for sending authorization requests to a running Cerbos Policy Decision Point. It exposes CheckResources for evaluating princip...

Cerbos PDP gRPC API

The Cerbos PDP gRPC API exposes the cerbos.svc.v1.CerbosService and related management services on port 3593, with server reflection enabled. The gRPC interface is the highest-p...

Cerbos AuthZEN API

Cerbos implements the OpenID AuthZEN authorization API specification, exposing standards-compliant single-evaluation, batch-evaluations, and well-known metadata endpoints so tha...

Cerbos PDP Admin API

The Cerbos Admin API provides management capabilities such as policy add/get/list, schema management, and audit log access on the running PDP. It is intended for administrative ...

Cerbos Hub API

Cerbos Hub is the cloud-hosted Policy Administration Point (PAP) that manages policy authoring, versioning, validation, and distribution to Cerbos PDPs across environments. It a...

Cerbos Synapse

Cerbos Synapse is the enrichment and orchestration component that fetches identity, resource, and relationship attributes from external systems and translates infrastructure pro...

Agent Skills

cerbos-policy

AGENT SKILL

Collections

GraphQL

Pricing Plans

Cerbos Plans Pricing

3 plans

PLANS

Rate Limits

Cerbos Rate Limits

5 limits

RATE LIMITS

FinOps

Cerbos Finops

FINOPS

Features

Policy as Code
YAML Policies
RBAC
ABAC
PBAC
ReBAC
Derived Roles
Sub-Millisecond Decisions
Stateless PDP
REST and gRPC APIs
AuthZEN Standard
Query Plan Generation
Audit Logs
Policy Versioning
Schema Validation
Multiple Storage Backends
Sidecar Deployment
Embedded PDP
Apache 2.0 License

Use Cases

Multi-Tenant SaaS Authorization
API Authorization
AI Agent Access Control
MCP Server Security
RAG Access Control
Non-Human Identity Authorization
Zero Trust Enforcement
Compliance (SOC 2, HIPAA, GDPR, FedRAMP, PCI DSS)
Fintech Permissions
Healthcare Permissions

Resources

🔗
Website
Website
🔗
Documentation
Documentation
🚀
GettingStarted
GettingStarted
🔗
API
API
🔗
OpenAPI
OpenAPI
🔗
Hub
Hub
👥
GitHub
GitHub
👥
GitHubOrganization
GitHubOrganization
💻
SourceCode
SourceCode
🔗
IssueTracker
IssueTracker
📄
ReleaseNotes
ReleaseNotes
📰
Blog
Blog
💰
Pricing
Pricing
🔗
CaseStudies
CaseStudies
🔗
Customers
Customers
🔗
Slack
Slack
🔗
X
X
🔗
LinkedIn
LinkedIn
👥
YouTube
YouTube
🔗
License
License
🔗
SecurityPolicy
SecurityPolicy
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
🔗
Playground
Playground
🔗
DockerHub
DockerHub
🔗
AgentSkills
AgentSkills
🔗
LlmsText
LlmsText

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Cerbos PDP REST API
  version: 0.x
items:
- info:
    name: Check
    type: folder
  items:
  - info:
      name: Check resources
      type: http
    http:
      method: POST
      url: http://localhost:3592/api/check/resources
      body:
        type: json
        data: '{}'
    docs: Evaluate authorization for a principal against one or more resources and actions.
- info:
    name: Plan
    type: folder
  items:
  - info:
      name: Plan resources
      type: http
    http:
      method: POST
      url: http://localhost:3592/api/plan/resources
      body:
        type: json
        data: '{}'
    docs: Returns a query plan describing the conditions under which a principal may perform an action on resources matching
      a kind.
- info:
    name: Server
    type: folder
  items:
  - info:
      name: Server information
      type: http
    http:
      method: GET
      url: http://localhost:3592/api/server_info
    docs: Returns Cerbos PDP version, commit hash, and build date.
  - info:
      name: OpenAPI specification
      type: http
    http:
      method: GET
      url: http://localhost:3592/schema/swagger.json
    docs: Returns the OpenAPI/Swagger specification served by the PDP.
- info:
    name: AuthZEN
    type: folder
  items:
  - info:
      name: AuthZEN discovery
      type: http
    http:
      method: GET
      url: http://localhost:3592/.well-known/authzen-configuration
    docs: OpenID AuthZEN configuration discovery document.
  - info:
      name: AuthZEN single evaluation
      type: http
    http:
      method: POST
      url: http://localhost:3592/access/v1/evaluation
      body:
        type: json
        data: '{}'
    docs: Single access evaluation request per OpenID AuthZEN.
  - info:
      name: AuthZEN batch evaluations
      type: http
    http:
      method: POST
      url: http://localhost:3592/access/v1/evaluations
      body:
        type: json
        data: '{}'
    docs: Batch access evaluations per OpenID AuthZEN.
- info:
    name: Admin Policies
    type: folder
  items:
  - info:
      name: Get policy by id
      type: http
    http:
      method: GET
      url: http://localhost:3592/admin/policy
      params:
      - name: id
        value: ''
        type: query
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Get policy by id
  - info:
      name: Add or update policies
      type: http
    http:
      method: POST
      url: http://localhost:3592/admin/policy
      body:
        type: json
        data: '{}'
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Add or update policies
  - info:
      name: Add or update policies (PUT)
      type: http
    http:
      method: PUT
      url: http://localhost:3592/admin/policy
      body:
        type: json
        data: '{}'
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Add or update policies (PUT)
  - info:
      name: List policies
      type: http
    http:
      method: GET
      url: http://localhost:3592/admin/policies
      params:
      - name: include_disabled
        value: ''
        type: query
      - name: name_regexp
        value: ''
        type: query
      - name: scope_regexp
        value: ''
        type: query
      - name: version_regexp
        value: ''
        type: query
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: List policies
  - info:
      name: Inspect policies
      type: http
    http:
      method: GET
      url: http://localhost:3592/admin/policies/inspect
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Inspect policies
  - info:
      name: Delete a policy
      type: http
    http:
      method: POST
      url: http://localhost:3592/admin/policy/delete
      params:
      - name: id
        value: ''
        type: query
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Delete a policy
  - info:
      name: Disable a policy
      type: http
    http:
      method: POST
      url: http://localhost:3592/admin/policy/disable
      params:
      - name: id
        value: ''
        type: query
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Disable a policy
  - info:
      name: Enable a policy
      type: http
    http:
      method: POST
      url: http://localhost:3592/admin/policy/enable
      params:
      - name: id
        value: ''
        type: query
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Enable a policy
- info:
    name: Admin Schemas
    type: folder
  items:
  - info:
      name: Get schema by id
      type: http
    http:
      method: GET
      url: http://localhost:3592/admin/schema
      params:
      - name: id
        value: ''
        type: query
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Get schema by id
  - info:
      name: Add or update JSON schemas
      type: http
    http:
      method: POST
      url: http://localhost:3592/admin/schema
      body:
        type: json
        data: '{}'
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Add or update JSON schemas
  - info:
      name: Delete schemas
      type: http
    http:
      method: DELETE
      url: http://localhost:3592/admin/schema
      params:
      - name: id
        value: ''
        type: query
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Delete schemas
  - info:
      name: List schemas
      type: http
    http:
      method: GET
      url: http://localhost:3592/admin/schemas
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: List schemas
- info:
    name: Admin Audit
    type: folder
  items:
  - info:
      name: List audit log entries
      type: http
    http:
      method: GET
      url: http://localhost:3592/admin/auditlog/list/:kind
      params:
      - name: kind
        value: ''
        type: path
      - name: tail
        value: ''
        type: query
      - name: between.start
        value: ''
        type: query
      - name: between.end
        value: ''
        type: query
      - name: since
        value: ''
        type: query
      - name: lookup
        value: ''
        type: query
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: List audit log entries
- info:
    name: Admin Store
    type: folder
  items:
  - info:
      name: Purge policy revision history
      type: http
    http:
      method: DELETE
      url: http://localhost:3592/admin/store/revisions
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Purge policy revision history
  - info:
      name: Reload the policy store
      type: http
    http:
      method: GET
      url: http://localhost:3592/admin/store/reload
      auth:
        type: basic
        username: '{{username}}'
        password: '{{password}}'
    docs: Reload the policy store
bundled: true