4.2k

All integrations
Data Source Extensions
Context sources

Connect any data store to the authorization pipeline

Data source extensions are reusable connectors that retrieve data from external systems — databases, APIs, identity providers — and make it available to other Cerbos extensions with built-in caching.

Reusable connectors

Reusable connectors

Define a data source once and reuse it across route, proxy, and Envoy extensions — changes to schemas or connections are handled in one place

Cached responses

Cached responses

In-memory or Redis-backed caching with configurable TTLs reduces latency and load on upstream systems

Built-in and custom

Built-in and custom

Built-in support for PostgreSQL, MySQL, and SQLite — custom extensions connect to any data store

How Cerbos works with Data Source Extensions

Authorization decisions are only as good as the data behind them. Data Source Extensions provides real-time context (user profiles, group memberships, or external attributes) that makes Cerbos policies richer and more accurate.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. With Data Source Extensions as a context source, those policies can evaluate attributes beyond what's in the initial request.

Because enrichment happens at the policy layer, your application code stays clean, no custom plumbing to fetch and merge identity data before making authorization calls.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

Centralized data source management

Authorization decisions depend on data from many systems — identity providers, databases, internal services. Without a centralized approach, data-fetching logic ends up scattered across applications, tightly coupled to upstream schemas, and duplicated across teams.

Data source extensions define these connections once, alongside the policy engine. Route, proxy, and Envoy extensions all call the same data sources to retrieve context for authorization decisions.

How data source extensions work

  1. Configure a data source — either a built-in connector (PostgreSQL, MySQL, SQLite) or a custom extension for any data store.
  2. Other extensions call the data source to retrieve context during authorization evaluation.
  3. Results are cached with configurable TTLs using an in-memory or Redis-backed cache layer.

Custom data source extensions can connect to identity providers, graph databases, internal APIs, or any system that holds authorization-relevant data.

Get started

Data source extensions are available as part of Cerbos Hub. Talk to us to learn more about connecting your data stores to the authorization pipeline.

FAQ

What are data source extensions?

Data source extensions are reusable connectors to external data stores. Other Cerbos extensions — route, proxy, and Envoy — call data source extensions to retrieve context needed for authorization decisions. Results are cached with configurable TTLs.

What data stores are supported?

Cerbos includes built-in data sources for PostgreSQL, MySQL, and SQLite (with Litestream replication support). Custom data source extensions can connect to any system — identity providers, graph databases, internal APIs, or proprietary data stores.

Is caching built in?

Yes. Lookup results are cached with configurable TTLs using an in-memory or Redis-backed cache. This reduces latency and load on upstream systems while keeping authorization data fresh.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
AWS Cognito Enrichment
AWS CognitoPull Cognito custom attributes and groups into the PDP at decision time
Context sources
Entra ID Enrichment
Microsoft Entra IDResolve Entra ID security groups and directory roles for policy evaluation
Context sources
External API
External APICall external services to fetch context data for policy evaluation
Context sources
Keycloak Enrichment
KeycloakPull realm roles, client roles, and group paths from Keycloak into policies
Context sources
LDAP Enrichment
LDAPQuery any LDAPv3 directory for user attributes and group memberships
Context sourcesIdentity providers
Litestream
LitestreamRead Litestream-replicated SQLite databases as a policy data source
Context sources

Cerbos + Data Source Extensions

  • Authorization decisions enriched with real-time Data Source Extensions data
  • Context enrichment configured at the policy layer, not in application code
  • Identity attributes and business context combined in policies
  • Centrally managed authorization logic across the stack
Book a free policy workshopTry the Playground
Cerbos
/assets/footer/socials/x.svg/assets/footer/socials/github.svg/assets/footer/socials/mail.svg/assets/footer/socials/youtube.svg/assets/footer/socials/linkedin.svg/assets/footer/socials/slack.svg/assets/footer/socials/npm.svg/assets/footer/socials/rss.svg
/assets/footer/compliance/soc-2.svg/assets/footer/compliance/gdpr.svg

What is Cerbos?

Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.

© 2026 Cerbos.dev

Terms of Service

Privacy Policy

Trusted Tester Agreement

Trademark Guidelines