Blog
Demos, implementation guides, product updates and broader takes on authorization, identity and security. Written for the engineers, architects, security, identity and product leaders shaping how their teams ship and govern access.

The incident response workflow that decides how fast you recover
A step-by-step incident response workflow for the authorization layer, from mapping a compromised identity's blast radius to proving containment held. Covers how centralized policy and decision logs compress each phase, what makes the workflow feasible in regulated and air-gapped environments, and how AI agents change the runbook.

You have Auth0. What authorization capabilities do you still need?
Auth0 covers authentication, but authorization capabilities like resource-level ABAC, per-tenant policies, and decision audit logs sit outside its model. This guide covers where Auth0 RBAC and Auth0 FGA stop, five signals you need a dedicated authorization layer, and how to evaluate solutions and run a POC.

What is fine-grained authorization?
Fine-grained authorization explained. Learn how fine-grained access control uses attributes and conditions to decide access per resource and action, how it differs from coarse-grained control, the RBAC, ABAC and PBAC models behind it, real use cases, and how to implement it without building your own engine.

The authorization POC guide: What to test, who to involve, and how to decide
Most authorization POCs never reach production. This guide covers all details of a proper authorization proof of concept: scoping to one real service, measurable success criteria, stakeholder involvement, and baselines so the review produces a decision, not a debate.

Agent skill for writing authorization policies in Pi
Pi is the open-source self-extensible coding agent built around the Agent Skills standard from the start. This guide walks through installing the Cerbos policy skill in Pi, invoking it with /skill:cerbos-policy, drafting authorization policies in plain English, and validating against the real Cerbos compiler in Docker.

You have Okta. What authorization capabilities do you still need?
You've standardized on Okta SSO for authentication. Here's where Okta falls short on authorization, and how to evaluate dedicated authorization solutions.

The Cerbos Hub effect matrix: read your authorization policy at a glance
See how the Cerbos Hub effect matrix turns authorization policy files into a permissions grid of roles and actions, with allowed, denied, and conditional outcomes. Read what each role can do without parsing raw policy, drill into ABAC conditions, and spot over-permissive wildcard rules in review.

Agent skill for writing authorization policies in AWS Kiro
AWS Kiro is spec-driven, which means the access model is captured properly before any YAML gets written. This guide walks through installing the Cerbos policy skill in Kiro, the spec-then-policy workflow, how the skill picks up AWS Cognito attributes, and how validation runs against the real Cerbos compiler.

Fine grained access control: What it actually takes to get it right
Fine grained access control lets you authorize based on user attributes, resource ownership, and context instead of broad roles. This guide covers RBAC, ABAC, ReBAC, PBAC models, embedded vs. externalized authorization, real policy examples, and practical implementation patterns for engineering teams.

Identiverse 2026: Agents made authorization the story
Takeaways from Identiverse 2026, where AI agents pushed authorization to the front. Delegated authorization, the Shared Signals Framework, AuthZEN agent authorization, and why prompts aren't controls. Notes from three AuthZEN sessions and the best talks of the week.

Authentication vs Authorization
Authentication vs authorization explained. AuthN verifies who a user is, AuthZ decides what they can do. This guide covers ID and access tokens, OAuth 2.0, OpenID Connect, SAML, SSO, RBAC and ABAC, the key differences between the two, and the mistakes teams make building them.

Agent skill for building Cerbos Synapse extensions
A new agent skill that builds Cerbos Synapse extensions for you. Describe what you want to enrich, map, or expose, and it picks the extension kind and runtime, scaffolds the files, wires config, and runs it against a local PDP. Covers CEL, Starlark, and WASM in Go, TypeScript, or Python.

Keycloak vs ZITADEL for self hosted IAM
Compare Keycloak and ZITADEL for self hosted IAM. See SSO, MFA, federation, multi-tenancy, operations, authorization limits, and Cerbos fit.

Mapping business requirements to authorization policy for e-commerce
A practical walkthrough of how e-commerce business rules become authorization policy. Covers customer data access, vendor product management, and order lifecycle control using RBAC, ABAC, and PBAC in Cerbos. Includes derived roles, attribute conditions, time-based rules, and a built-in test framework to verify each policy before production.

How to secure microservices without creating a distributed nightmare
How to secure microservices across five critical layers, from authentication and token propagation to authorization, API gateways, and Zero Trust. Covers common vulnerabilities during monolith-to-microservices migration, how Netflix secured their architecture, and how to enforce consistent access control across distributed services.

Governing AI agents at the gateway with Cerbos and agentgateway
How to govern AI agents at the gateway with agentgateway and Cerbos. This covers the three authorization questions on every agent hop, which model an identity can call, which MCP servers and tools it can open, and what a tool call is actually asking for, all from one policy bundle over Envoy ext_authz.

How to secure AI agents and MCP tools at the gateway with LiteLLM and Cerbos
Add policy-based authorization to a LiteLLM AI gateway with Cerbos. Control which models each user or agent can call, hide tools the caller shouldn't see, and bind MCP tool arguments to caller attributes, all enforced at the proxy with no application changes.

Introducing Cerbos Hub Insights: A live view of what your authorization layer is doing
Cerbos Hub Insights aggregates the decisions your PDPs make into charts and rankings, so patterns like a spike in denials become obvious without scrolling the audit log. Track allows, denies, and active principals over time, built entirely from audit data you already send to Cerbos Hub.
Recommended content

Mapping business requirements to authorization policy
eBook: Zero Trust for AI, securing MCP servers

Experiment, learn, and prototype with Cerbos Playground
eBook: How to adopt externalized authorization

Framework for evaluating authorization providers and solutions
