Cerbos authorization for Clerk
Clerk provides drop-in authentication with session management, Organizations, and custom session claims. Cerbos uses Clerk's session data to make fine-grained authorization decisions, so your Next.js or React app gets real access control without hardcoded permission checks.
Session claims as policy inputs
Map Clerk's custom session claims directly to Cerbos principal attributes for use in authorization policies
Organization-scoped access
Use Clerk Organization memberships and roles to drive multi-tenant authorization policies in Cerbos
Built for modern frontends
Works with Clerk's Next.js, React, and Remix SDKs, call Cerbos from middleware, server components, or API routes
How Cerbos works with Clerk
Clerk handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
How Cerbos works with Clerk
- Users authenticate via Clerk, Clerk handles sign-up, sign-in, MFA, and session management. Custom session claims are embedded in the session token with user metadata like role, team, or organization.
- Read session data from Clerk, Your application reads the Clerk session using
auth()in server components,getAuth()in API routes, oruseAuth()client-side. This gives you the user ID, active organization, roles, and custom claims. - Send session data and resource context to Cerbos, Pass the Clerk user ID, organization ID, organization role, and custom claims as principal attributes alongside the target resource and action to the Cerbos PDP.
- Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the Clerk session data and resource context, returning allow or deny. Your application enforces the result.
FAQ
How does Cerbos use Clerk session claims?
Clerk lets you add custom claims to session tokens via the session token customization feature. These claims, such as role, team, or subscription plan, are available to your application on every request. Pass them to Cerbos as principal attributes, and your policies can use them for fine-grained authorization decisions.
Can I use Clerk Organizations with Cerbos?
Yes. Clerk Organizations provide multi-tenancy with per-organization roles and membership management. Pass the active organization ID and the user's organization role to Cerbos, and your policies can enforce organization-scoped access rules like "admins of organization X can manage billing, members can only view."
Does this work with Next.js middleware?
Yes. Clerk's Next.js SDK provides session data in middleware, server components, and API routes. You can call Cerbos from any of these contexts using the Clerk session data as the principal, keeping authorization checks close to your route handlers or server components.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + Clerk
- Cerbos extends Clerk roles with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.