Cerbos

Cerbos is an open source, self-hostable authorization policy engine that enables developers to define and evaluate fine-grained access control policies separately from application code.

Last updated 5/30/2026

Quick answer

What is Cerbos?

Short answer

Cerbos addresses the authorization layer of identity — not authentication (who are you?) but authorization (what are you allowed to do?). It provides a self-hosted policy decision point (PDP) where developers define resource-level, role-based, and attribute-based access control policies in YAML or Rego. Applications query the Cerbos PDP at runtime to evaluate whether a given principal can perform a given action on a given resource. This decouples authorization logic from application code, making it easier to audit, change, and reason about. Cerbos Hub (commercial) provides policy management, testing, and deployment tooling. Verify current pricing at cerbos.dev.

Best for
Engineering teams that need fine-grained, attribute-based authorization (ABAC) in their applications and want to manage access control policies separately from application code — particularly in microservices architectures where consistent authorization across services is challenging.
When to choose
Choose Cerbos when your application needs fine-grained, attribute-based authorization logic that is complex enough to be difficult to maintain in application code, and you want a policy-as-code approach that is auditable and testable.
When not to choose
Avoid Cerbos if you only need simple role checks (basic RBAC in your application framework is sufficient), if you need a fully managed service without self-hosting, or if you expect your authorization logic to remain simple.

Common use cases

  • Resource-level authorization: can this user edit this document, in this state, with these attributes?
  • Role-based and attribute-based access control in SaaS applications
  • Consistent authorization policy enforcement across microservices
  • Authorization for multi-tenant applications with per-tenant permission variations
  • Audit-ready policy evaluation with decision logging
  • Policy-as-code workflows with version control and testing

Strengths

  • Open source (Apache 2.0) and self-hostable — no vendor dependency for core functionality
  • Clean YAML-based policy language is approachable for developers and auditable
  • Separates authorization policy from application code — easier to audit and change
  • Policy testing capabilities for validating authorization logic
  • Multi-tenant support with per-tenant policy variations
  • Language-agnostic via gRPC and REST APIs; client libraries for major languages

Limitations & considerations

  • Cerbos handles authorization, not authentication — you still need a separate auth platform
  • Policy design requires understanding of ABAC/RBAC concepts
  • Self-hosting requires operational capacity for production deployments
  • Cerbos Hub (managed, commercial) for policy management is a separate product

Pricing model summary

Cerbos is open source (Apache 2.0) and free to self-host. Cerbos Hub (managed policy management and deployment) is a commercial product. Verify current Hub pricing at cerbos.dev.

Integrations

gRPC, REST, Go, Java, Node.js, Python, OpenTelemetry, Prometheus

Fit

  • Company size: Startup, Mid-market, Enterprise
  • Deployment: Self-hosted, SaaS / Cloud-hosted (Cerbos Hub)
  • Source: Open source (Apache 2.0)
  • Pricing model: Free (open source self-hosted); Cerbos Hub commercial pricing available

Alternatives & comparisons

Permit.io

Permit.io provides authorization-as-a-service with a low-code policy management interface, RBAC/ABAC/ReBAC policy support, and a managed policy decision layer — enabling teams to ship fine-grained access control without building it from scratch.

Cerbos and its logo are trademarks of their respective owner. IDSync is an independent buyer resource and does not imply endorsement unless explicitly stated.