4.2k

All integrations
Curity
Identity providers

Cerbos authorization for Curity Identity Server

Curity Identity Server delivers API-first authentication with advanced token customization and claims procedures. Cerbos uses the rich token claims Curity produces to evaluate fine-grained authorization policies, keeping access control out of your API gateway and application code.

Token procedure claims

Token procedure claims

Map Curity's custom token claims and transformed attributes directly into Cerbos policy evaluations

Beyond API scopes

Beyond API scopes

Layer resource-level authorization on top of Curity's OAuth 2.0 scopes using policies that combine identity, resource, and request context

API-first authorization

API-first authorization

Both Curity and Cerbos are API-first, making integration straightforward across any language or framework

How Cerbos works with Curity Identity Server

Curity Identity Server handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

How Cerbos works with Curity Identity Server

  1. Users authenticate via Curity Identity Server, Curity handles login flows, MFA, and token issuance. Token procedures customize claims with data from external systems, user stores, or business logic.
  2. Extract claims from the Curity-issued token, Your application validates the Curity-issued access token or ID token and extracts scopes, roles, and any custom claims added by token procedures.
  3. Send identity and resource context to Cerbos, Pass the Curity user attributes as principal attributes alongside the target resource and desired action to the Cerbos PDP.
  4. Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the Curity identity data and resource attributes, returning allow or deny. Your application enforces the result.

FAQ

How does Cerbos use Curity token claims?

Curity Identity Server issues OAuth 2.0 and OpenID Connect tokens with claims shaped by its token procedures and claims transformations. Your application extracts these claims and passes them to Cerbos as principal attributes. Cerbos evaluates them against your policies alongside resource attributes and request context.

Can I use Curity's token procedures to enrich Cerbos policies?

Yes. Curity's token procedures let you pull data from external sources, transform claims, and add custom attributes to tokens during issuance. These enriched claims flow directly into Cerbos as principal attributes, giving your policies access to business context like subscription tier, department, or account status.

Does Cerbos replace Curity's scope-based authorization?

No. Curity's scope-based access control governs API-level access. Cerbos adds resource-level and attribute-based authorization on top. A user might have the right OAuth scope to reach an API endpoint, but Cerbos policies determine whether they can access a specific resource within that endpoint.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Auth0
Auth0Map Auth0 Actions, Organizations, and roles to Cerbos policy inputs
Identity providers
Authentik
AuthentikAuthentik property mappings shape token claims for Cerbos policy inputs
Identity providers
AWS Cognito
AWS CognitoCognito user pool groups and custom attributes as Cerbos policy inputs
Identity providers
Clerk
ClerkClerk session claims and Organizations drive Cerbos policy evaluation
Identity providers
Descope
DescopeDescope JWT claims, tenant data, and role assignments feed into Cerbos policy evaluation
Identity providers
Duende
Duende IdentityServerDuende IdentityServer claims and scopes evaluated by Cerbos in .NET apps
Identity providers

Cerbos + Curity Identity Server

  • Cerbos extends Curity Identity Server roles with fine-grained, attribute-based permissions
  • Policies defined in human-readable YAML, managed as code
  • Authorization logic decoupled from application code
  • Sub-millisecond policy evaluation via stateless PDP
Book a free policy workshopTry the Playground
Cerbos
/assets/footer/socials/x.svg/assets/footer/socials/github.svg/assets/footer/socials/mail.svg/assets/footer/socials/youtube.svg/assets/footer/socials/linkedin.svg/assets/footer/socials/slack.svg/assets/footer/socials/npm.svg/assets/footer/socials/rss.svg
/assets/footer/compliance/soc-2.svg/assets/footer/compliance/gdpr.svg

What is Cerbos?

Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.

© 2026 Cerbos.dev

Terms of Service

Privacy Policy

Trusted Tester Agreement

Trademark Guidelines