Cerbos

Cerbos

Website

Context-aware authorization and access control policy engine

RepositoryWebsite
4.2kstars
171forks
Last commit: 19h ago
Repo age: 5y old

Cerbos is a language-agnostic authorization layer that externalizes permissions into context-aware policies evaluated by a stateless Policy Decision Point (PDP). It is designed to support least-privilege access control across applications, APIs, services, and modern workloads.

Key Features

  • Policy-based authorization using simple YAML policies for resources, actions, and principals
  • Context-aware decisions with conditional rules and attribute-based access control (ABAC)
  • Derived roles and principal-specific policies for dynamic and exception-driven authorization
  • Stateless PDP service exposing APIs for authorization checks and query planning
  • Multiple policy storage backends (e.g., local disk, Git-based workflows, and supported databases)
  • Designed for scalable, highly available deployments (service, sidecar, or other runtime patterns)

Use Cases

  • Centralize authorization for microservices, APIs, and web applications with consistent rules
  • Implement fine-grained RBAC/ABAC for multi-tenant or enterprise software
  • Offload authorization logic from application code to a dedicated decision service

Cerbos helps teams manage authorization as code, enabling clearer permission logic, easier auditing of intent, and safer evolution of access rules as systems grow.

Categories:

Identity & Access Management (IAM)

Tags:

# GitOps# API# IAM# Authorization# RBAC# Access Control# Access Policies# Audit Logging# Policy As Code# Kubernetes

Tech Stack:

HelmHelmGoGoKubernetesKubernetesDockerDocker
Y
YAMLgRPCgRPC
Share:

Similar Services

PocketBase

PocketBase

Lightweight open-source realtime backend with embedded SQLite

55.3k
3k
Last commit: 1d ago

Open-source Go backend providing embedded SQLite, realtime (SSE) subscriptions, auth (JWT/OAuth2), file storage, admin UI and REST-style APIs for web and mobile apps.

Alternative to:
PocketBase Cloud
PocketBase Cloud+17
Keycloak

Keycloak

Open-source identity and access management with SSO

32.3k
8k
Last commit: 21h ago

Keycloak is an open-source IAM server providing single sign-on, user federation, and centralized authentication and authorization using OIDC, OAuth 2.0, and SAML.

Alternative to:
Okta
Okta+19
Authelia

Authelia

Self-hosted IAM with SSO and multi-factor authentication

26.4k
1.3k
Last commit: 1d ago

Authelia is an open-source IAM and authentication server providing SSO, MFA, and access control for web apps, with OpenID Connect/OAuth 2.0 and reverse-proxy integration.

Alternative to:
Auth0
Auth0+16
Infisical

Infisical

Open-source platform for secrets, PKI certificates, and privileged access

24.5k
1.7k
Last commit: 20h ago

Infisical is an open-source platform to manage and deliver app secrets, certificates (PKI), SSH credentials, and encryption keys across teams and infrastructure.

Alternative to:
HashiCorp Vault
HashiCorp Vault+9
authentik

authentik

Open-source Identity Provider (IdP) for SSO, OIDC, and SAML

19.7k
1.4k
Last commit: 17h ago

Open-source IdP delivering SSO, OAuth2/OIDC, SAML2, LDAP, RADIUS, MFA, WebAuthn, conditional access and application-proxy capabilities for self-hosted deployments.

Alternative to:
Okta
Okta+19
Teleport

Teleport

Identity-aware access proxy for infrastructure and internal apps

19.7k
2k
Last commit: 17h ago

Secure access platform for servers, Kubernetes, databases, desktops, and web apps with SSO/MFA, short-lived certificates, and full session auditing.

Alternative to:
Twingate
Twingate+16