OpenID AuthZEN is official, and Cerbos is ready

Published by Alex Olivier on January 13, 2026
The OpenID AuthZEN specification has now been formally ratified. This is a real milestone for the authorization ecosystem and one that has been a long time coming.

For years, authentication has benefited from widely adopted standards like OAuth and OpenID Connect. Authorization, by contrast, has been left fragmented, implemented differently in every application, and tightly coupled to business logic. AuthZEN changes that by standardising how applications, gateways, identity providers, and policy engines ask and answer authorization questions.

Cerbos has supported AuthZEN throughout its development, and we are proud to see the specification reach this point.

What AuthZEN actually solves

AuthZEN defines a standard, interoperable API between a Policy Enforcement Point and a Policy Decision Point. In practice, that means any compliant application, API gateway, or identity system can delegate fine-grained authorization decisions to any compliant policy engine.

Instead of every service inventing its own authorization protocol, teams get a common language for questions like:

  • Can this principal perform this action on this resource, right now?
  • What actions are permitted across a set of resources?
  • Which resources are visible to a given user or service?

This is the missing counterpart to OAuth and OIDC. It turns authorization from bespoke application code into shared infrastructure.

Cerbos and AuthZEN

Cerbos has supported the AuthZEN APIs for some time, including the binary evaluation and batch evaluation endpoints. Our implementation maps naturally onto Cerbos' core concepts, with applications acting as PEPs and Cerbos as the PDP, evaluating decisions against centrally managed policies and real-time context.

If you want to see how this works in practice, our documentation walks through the AuthZEN-compatible endpoints exposed by Cerbos and how to integrate them into your systems.
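To make the PEP/PDP exchange and the binary and batch evaluation shapes described above concrete, here is an added example that is not Cerbos code or taken from the original post. It uses the subject/action/resource/context request and `decision` response fields of the AuthZEN Authorization API; the toy PDP, its policy table, the function names and the sample values are all constructed assumptions, and the PEP side denies on any malformed reply.

```python
import json

# Constructed policy for a stand-in PDP: permitted (role, action, resource type) tuples.
ALLOW = {("editor", "can_read", "document"), ("editor", "can_update", "document"),
         ("viewer", "can_read", "document")}

def evaluation_request(subject, action, resource, context=None):
    """Single-evaluation body: subject, action, resource, optional context."""
    return {"subject": subject, "action": {"name": action},
            "resource": resource, "context": context or {}}

def toy_pdp(body):
    """Hypothetical PDP: replies with the AuthZEN {"decision": <bool>} shape."""
    role = body["subject"].get("properties", {}).get("role")
    return {"decision": (role, body["action"]["name"], body["resource"]["type"]) in ALLOW}

def toy_pdp_batch(body):
    """Batch form: top-level subject/action/resource/context are per-item defaults."""
    defaults = {k: body[k] for k in ("subject", "action", "resource", "context") if k in body}
    return {"evaluations": [toy_pdp({**defaults, **item}) for item in body["evaluations"]]}

def permitted(raw_response):
    """PEP check, fail closed: only a JSON object with decision == true permits."""
    try:
        parsed = json.loads(raw_response)
    except (TypeError, ValueError):
        return False
    return isinstance(parsed, dict) and parsed.get("decision") is True

def permitted_batch(raw_response, n):
    """Batch PEP check: deny all n items unless exactly n well-formed results return."""
    try:
        results = json.loads(raw_response)["evaluations"]
    except (TypeError, ValueError, KeyError):
        return [False] * n
    if not isinstance(results, list) or len(results) != n:
        return [False] * n
    return [isinstance(r, dict) and r.get("decision") is True for r in results]

# Constructed sample inputs.
alice = {"type": "user", "id": "alice@example.com", "properties": {"role": "viewer"}}
doc = {"type": "document", "id": "123"}
batch = {"subject": alice, "resource": doc,
         "evaluations": [{"action": {"name": "can_read"}}, {"action": {"name": "can_update"}}]}

if __name__ == "__main__":
    print(permitted(json.dumps(toy_pdp(evaluation_request(alice, "can_update", doc)))))
    print(permitted_batch(json.dumps(toy_pdp_batch(batch)), 2))
```

The strict `is True` comparison matters: a PDP reply of `"true"` or `1`, an empty body, or a batch with the wrong number of results all resolve to deny instead of being coerced into a permit.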

Looking ahead, continued leadership in AuthZEN

Alongside the ratification of the specification, we are also happy to share that Alex Olivier, co-founder of Cerbos, has been appointed co-chair of the AuthZEN working group.

This reflects the role Cerbos has played in shaping the standard from early drafts through interop events and into a final specification. It also signals our ongoing commitment to where AuthZEN goes next, including profiles for API gateways and identity providers, search and partial evaluation, and deeper integration across the identity stack.

Why this matters now

Authorization is no longer just about users clicking buttons in applications. It governs API access, data access, service-to-service communication, and increasingly AI agents and automated workflows.

As systems become more distributed and more autonomous, hard-coded authorization logic simply does not scale. Standards like AuthZEN are what allow organizations to build consistent, auditable, and adaptable authorization across their entire estate.

The ratification of AuthZEN is not the end of that journey, but it is a clear signal that authorization is finally getting the same level of standardisation and maturity that authentication achieved years ago.

If you are already using Cerbos, you are ready for AuthZEN today. If you are not, now is a good time to start externalising authorization and treating it as a first-class part of your architecture.

We are excited to keep building, contributing, and helping push the ecosystem forward.


What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.