Cerbos

Open source alternative to PlainID, Axiomatics and Permit.io

Cerbos is an open-source authorization service that externalizes access control policies from application code into versioned, testable YAML rules. Apache 2.0 licensed, deployable as a sidecar or standalone service.

4.4K stars · Go · Apache-2.0 · Active this month
Contents
  1. Who Cerbos is for
  2. The problem it solves
  3. How it solves it
  4. Strengths and trade-offs
  5. Tech stack
  6. FAQ
  7. Similar open-source tools
TL;DR

Cerbos is a self-hosted authorization service that moves access control out of application code and into versioned YAML policies. It replaces custom in-app permission checks or vendor-tied authorization modules for SaaS teams that need RBAC, ABAC, auditability, and policy testing across services.

Apache-2.0 · Go · 4.4K stars · Active this month

Who Cerbos is for

Multi-tenant SaaS teams

Use Cerbos when tenants, roles, and resource-level rules change often and need clear policy ownership.

Skip if:

Your app only has one or two static roles and no compliance pressure.

Platform teams standardizing permissions

Use Cerbos to provide a shared authorization layer across services without forcing every team to invent permission checks.

Skip if:

Each service has unrelated authorization rules and no shared policy governance.

Compliance-heavy engineering teams

Use Cerbos when access decisions need version history, tests, and explainable policy files.

Skip if:

A managed identity platform already covers your authorization needs with acceptable audit output.

The problem it solves

Authorization logic gets dangerous when every service implements permissions differently. Route handlers, database filters, and business logic accumulate scattered checks that are hard to audit and harder to change. Enterprise customers then ask for new roles, attributes, or compliance evidence, and each policy change becomes an application release risk.

How it solves it

Policy decision point service

Cerbos runs as a PDP that receives principal, resource, and action data, then returns allow or deny decisions through APIs.

YAML policy-as-code

Access rules live in structured YAML policies that can be stored on disk, in Git, cloud object stores, or supported databases.

RBAC and ABAC support

Cerbos supports role-based rules and attribute-based conditions, allowing teams to model simple roles and more granular contextual access checks.

Deployment flexibility

Kubernetes service, sidecar, systemd service, and AWS Lambda deployment paths let teams place the PDP near the applications it protects.

Strengths and trade-offs

Strengths

  • Centralizes authorization decisions: Cerbos gives applications one policy decision interface instead of scattering permission logic throughout codebases.
  • Works with existing identity providers: Cerbos handles authorization, not authentication, so it can sit behind Auth0, Cognito, Okta, custom JWTs, or internal identity systems.
  • Good GitOps fit: Policy files can move through Git review and automated tests, which makes access control changes easier to audit.

Trade-offs

  • Adds an authorization service to operate: Teams must deploy, monitor, and version the PDP and policy store. Inline checks may be faster for small products with simple permissions.
  • Requires policy modeling discipline: Cerbos helps centralize policy, but teams still need to model resources, actions, roles, and attributes carefully to avoid confusing rules.

What it's built on (detected from GitHub)

Languages: Go
Infrastructure: Kubernetes

FAQ

What does Cerbos do?

Cerbos evaluates authorization policies outside application code and returns access decisions for principals, resources, and actions.

Does Cerbos replace authentication?

No. Cerbos handles authorization and can work with identity providers that supply user or service principal data.

Can Cerbos be self-hosted?

Yes. Cerbos supports self-hosted PDP deployment through Kubernetes, sidecar, systemd, and serverless options.

Similar open-source tools

  • Warrant: Add RBAC, ABAC, and ReBAC to any app via API and SDK (17 · Go · MIT)
  • Oso Cloud: Open source authorization with RBAC, ABAC, and ReBAC for any app (3.5K · Rust · Apache-2.0)
  • Better Auth: Drop-in TypeScript auth with MFA, SSO, and multi-tenancy support (28.3K · TypeScript · MIT)
  • hysteria: Fast and censorship-resistant proxy solution (21.2K · Go · MIT)
  • Flue Framework: Build powerful, autonomous agents with TypeScript. (3.4K · TypeScript · Apache-2.0)
  • Local Deep Research: Your AI research assistant, fully local and encrypted. (7.5K · Python · MIT)

Repository

  • Stars: 4.4K
  • Forks: 181
  • License: Apache-2.0
  • Latest: v0.53.0
  • Last commit: 25 days ago
  • Last verified: May 13, 2026
  • Repo: cerbos/cerbos

Additional details

  • Language: Go
  • Open issues: 50
  • Contributors: 33
  • First release: 2021

Categories

Security & Monitoring, Developer Tools, Backend Development

Tags

Authorization, Security, Developer Tools, Cloud Native, Self Hosted, API Infrastructure, Kubernetes