Cerbos blog

Blog

Demos, implementation guides, product updates and broader takes on authorization, identity and security. Written for the engineers, architects, security, identity and product leaders shaping how their teams ship and govern access.

The incident response workflow that decides how fast you recover
Featured

The incident response workflow that decides how fast you recover

A step-by-step incident response workflow for the authorization layer, from mapping a compromised identity's blast radius to proving containment held. Covers how centralized policy and decision logs compress each phase, what makes the workflow feasible in regulated and air-gapped environments, and how AI agents change the runbook.

Guide
Anna PaykinaJuly 13, 2026
You have Auth0. What authorization capabilities do you still need?

You have Auth0. What authorization capabilities do you still need?

Auth0 covers authentication, but authorization capabilities like resource-level ABAC, per-tenant policies, and decision audit logs sit outside its model. This guide covers where Auth0 RBAC and Auth0 FGA stop, five signals you need a dedicated authorization layer, and how to evaluate solutions and run a POC.

Guide
Anna PaykinaJuly 10, 2026
What is fine-grained authorization?

What is fine-grained authorization?

Fine-grained authorization explained. Learn how fine-grained access control uses attributes and conditions to decide access per resource and action, how it differs from coarse-grained control, the RBAC, ABAC and PBAC models behind it, real use cases, and how to implement it without building your own engine.

Guide
Alex OlivierJuly 07, 2026
The authorization POC guide: What to test, who to involve, and how to decide

The authorization POC guide: What to test, who to involve, and how to decide

Most authorization POCs never reach production. This guide covers all details of a proper authorization proof of concept: scoping to one real service, measurable success criteria, stakeholder involvement, and baselines so the review produces a decision, not a debate.

Guide
Emre BaranJuly 06, 2026
Agent skill for writing authorization policies in Pi

Agent skill for writing authorization policies in Pi

Pi is the open-source self-extensible coding agent built around the Agent Skills standard from the start. This guide walks through installing the Cerbos policy skill in Pi, invoking it with /skill:cerbos-policy, drafting authorization policies in plain English, and validating against the real Cerbos compiler in Docker.

GuideEngineeringDocumentation
Alex OlivierJuly 02, 2026
You have Okta. What authorization capabilities do you still need?

You have Okta. What authorization capabilities do you still need?

You've standardized on Okta SSO for authentication. Here's where Okta falls short on authorization, and how to evaluate dedicated authorization solutions.

Guide
Anna PaykinaJuly 01, 2026
The Cerbos Hub effect matrix: read your authorization policy at a glance

The Cerbos Hub effect matrix: read your authorization policy at a glance

See how the Cerbos Hub effect matrix turns authorization policy files into a permissions grid of roles and actions, with allowed, denied, and conditional outcomes. Read what each role can do without parsing raw policy, drill into ABAC conditions, and spot over-permissive wildcard rules in review.

AnnouncementDocumentationEngineering+1
Alex OlivierJune 30, 2026
Agent skill for writing authorization policies in AWS Kiro

Agent skill for writing authorization policies in AWS Kiro

AWS Kiro is spec-driven, which means the access model is captured properly before any YAML gets written. This guide walks through installing the Cerbos policy skill in Kiro, the spec-then-policy workflow, how the skill picks up AWS Cognito attributes, and how validation runs against the real Cerbos compiler.

EngineeringGuideDocumentation
Alex OlivierJune 26, 2026
Fine grained access control: What it actually takes to get it right

Fine grained access control: What it actually takes to get it right

Fine grained access control lets you authorize based on user attributes, resource ownership, and context instead of broad roles. This guide covers RBAC, ABAC, ReBAC, PBAC models, embedded vs. externalized authorization, real policy examples, and practical implementation patterns for engineering teams.

GuideEngineering
Anna PaykinaJune 25, 2026
Identiverse 2026: Agents made authorization the story

Identiverse 2026: Agents made authorization the story

Takeaways from Identiverse 2026, where AI agents pushed authorization to the front. Delegated authorization, the Shared Signals Framework, AuthZEN agent authorization, and why prompts aren't controls. Notes from three AuthZEN sessions and the best talks of the week.

Guide
Alex OlivierJune 24, 2026
Authentication vs Authorization

Authentication vs Authorization

Authentication vs authorization explained. AuthN verifies who a user is, AuthZ decides what they can do. This guide covers ID and access tokens, OAuth 2.0, OpenID Connect, SAML, SSO, RBAC and ABAC, the key differences between the two, and the mistakes teams make building them.

EngineeringGuide
Omu InetimiJune 19, 2026
Agent skill for building Cerbos Synapse extensions

Agent skill for building Cerbos Synapse extensions

A new agent skill that builds Cerbos Synapse extensions for you. Describe what you want to enrich, map, or expose, and it picks the extension kind and runtime, scaffolds the files, wires config, and runs it against a local PDP. Covers CEL, Starlark, and WASM in Go, TypeScript, or Python.

EngineeringDocumentationGuide
Alex OlivierJune 18, 2026
Keycloak vs ZITADEL for self hosted IAM

Keycloak vs ZITADEL for self hosted IAM

Compare Keycloak and ZITADEL for self hosted IAM. See SSO, MFA, federation, multi-tenancy, operations, authorization limits, and Cerbos fit.

Guide
S. B. WriterJune 17, 2026
Mapping business requirements to authorization policy for e-commerce

Mapping business requirements to authorization policy for e-commerce

A practical walkthrough of how e-commerce business rules become authorization policy. Covers customer data access, vendor product management, and order lifecycle control using RBAC, ABAC, and PBAC in Cerbos. Includes derived roles, attribute conditions, time-based rules, and a built-in test framework to verify each policy before production.

EngineeringGuide
Norsaed H. S.June 15, 2026
How to secure microservices without creating a distributed nightmare

How to secure microservices without creating a distributed nightmare

How to secure microservices across five critical layers, from authentication and token propagation to authorization, API gateways, and Zero Trust. Covers common vulnerabilities during monolith-to-microservices migration, how Netflix secured their architecture, and how to enforce consistent access control across distributed services.

Guide
Anna PaykinaJune 14, 2026
Governing AI agents at the gateway with Cerbos and agentgateway

Governing AI agents at the gateway with Cerbos and agentgateway

How to govern AI agents at the gateway with agentgateway and Cerbos. This covers the three authorization questions on every agent hop, which model an identity can call, which MCP servers and tools it can open, and what a tool call is actually asking for, all from one policy bundle over Envoy ext_authz.

EngineeringGuideDocumentation
Alex OlivierJune 10, 2026
How to secure AI agents and MCP tools at the gateway with LiteLLM and Cerbos

How to secure AI agents and MCP tools at the gateway with LiteLLM and Cerbos

Add policy-based authorization to a LiteLLM AI gateway with Cerbos. Control which models each user or agent can call, hide tools the caller shouldn't see, and bind MCP tool arguments to caller attributes, all enforced at the proxy with no application changes.

GuideEngineering
Alex OlivierJune 09, 2026
Introducing Cerbos Hub Insights: A live view of what your authorization layer is doing

Introducing Cerbos Hub Insights: A live view of what your authorization layer is doing

Cerbos Hub Insights aggregates the decisions your PDPs make into charts and rankings, so patterns like a spike in denials become obvious without scrolling the audit log. Track allows, denies, and active principals over time, built entirely from audit data you already send to Cerbos Hub.

DocumentationGuideAnnouncement
Alex OlivierJune 08, 2026