Cerbos is an open-source authorization service for teams that need to separate access control logic from application code, making permissions auditable, testable, and changeable without deploying new application releases.
The Problem
Most applications handle authorization inline: permission checks are scattered through route handlers, service methods, and database queries. When requirements change (GDPR audit, new enterprise tier, compliance review), teams have to locate every check and ship new code. Managed auth services like Auth0 handle authentication well but bundle authorization tightly to their platform.
How Cerbos Solves It
Cerbos externalizes authorization into a standalone service that evaluates requests against YAML policies. Application code calls the Cerbos API with the principal (user), resource, and desired action; Cerbos evaluates the relevant policy and returns allow or deny. Policies live in a repository, enabling code review, version history, and automated testing. Cerbos runs as a Docker container or sidecar and is Apache 2.0 licensed.
Key Features
- Policy-as-code: access rules in YAML with Git-based versioning and code review
- Language-agnostic: SDKs for Node.js, Python, Go, Java, .NET, and a REST/gRPC API
- Audit log of every authorization decision for compliance reporting
- Local policy testing via the cerbos command-line test runner
- Deploy as a sidecar, standalone service, or embedded in any stack
- Apache 2.0 licensed with a hosted Cerbos Hub cloud option
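The following is an added illustration of the policy-as-code and local testing points above; it is not taken from the Cerbos project's own documentation. It assumes a constructed resource kind called "document" with an "owner" attribute, two made-up principals (alice, bob), and the standard Cerbos resource-policy and test-suite file layout. The first document would be saved as a policy file (for example document.yaml) and the second as a test file (for example document_test.yaml) in the same policy directory; running `cerbos compile <policy dir>` then evaluates the tests without any application code or running server, which is what makes an access-control regression catchable in code review.

```yaml
# --- policy file (assumed name: document.yaml) ---
# Rules are evaluated per request; anything not explicitly allowed is denied.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "document"
  rules:
    # Owners may view and edit their own documents.
    - actions: ["view", "edit"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: request.resource.attr.owner == request.principal.id
    # Admins may view any document but are not granted edit here.
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["admin"]

# --- test file (assumed name: document_test.yaml) ---
# Constructed fixtures: two principals and one document owned by alice.
name: DocumentPolicyTests
principals:
  alice:
    id: alice
    roles: ["user"]
  bob:
    id: bob
    roles: ["user"]
  carol:
    id: carol
    roles: ["admin"]
resources:
  alices_doc:
    kind: document
    id: doc-1
    attr:
      owner: alice
tests:
  - name: Owner has full access, non-owner has none, admin is read-only
    input:
      principals: ["alice", "bob", "carol"]
      resources: ["alices_doc"]
      actions: ["view", "edit"]
    expected:
      - principal: alice
        resource: alices_doc
        actions:
          view: EFFECT_ALLOW
          edit: EFFECT_ALLOW
      - principal: bob
        resource: alices_doc
        actions:
          view: EFFECT_DENY
          edit: EFFECT_DENY
      - principal: carol
        resource: alices_doc
        actions:
          view: EFFECT_ALLOW
          edit: EFFECT_DENY
```

The useful property for a defender is the deny-by-default behaviour exercised by the bob and carol cases: the test fails loudly if someone later widens the admin rule or drops the owner condition, so the change is caught at compile time in CI rather than discovered in the audit log after the fact.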
Who It's For
Cerbos is best for engineering teams building multi-tenant SaaS products with complex, role-based access control who want to centralize and test authorization logic without locking into a specific auth vendor.
Compared to Auth0 Authorization
Unlike Auth0's authorization features, Cerbos is fully open source and self-hostable with no per-request cost at the self-hosted tier. Auth0 provides a broader managed identity platform; Cerbos handles only authorization, making it composable with any identity provider.