Cerbos authorization for Descope
Descope provides authentication flows, user management, and session handling via visual workflow builders. Cerbos uses Descope's JWT claims, tenant associations, and role assignments to evaluate fine-grained authorization policies at the application layer.
JWT claims as policy inputs
Use Descope's JWT claims including roles, tenant IDs, and custom attributes as principal attributes in Cerbos authorization policies
Multi-tenant authorization
Use Descope's tenant associations and per-tenant role assignments to drive tenant-scoped Cerbos policies
Flow-based authentication
However you configure Descope's authentication flows, the same Cerbos policies govern resource-level access within your applications
How Cerbos works with Descope
Descope handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
How Cerbos works with Descope
- Users authenticate via Descope, Descope handles authentication through visual flow builders supporting passwords, social login, OTP, magic links, and biometrics. JWTs include roles, tenant associations, and custom attributes.
- Validate the Descope-issued JWT, Your application validates the JWT using Descope's SDK or a standard JWT library and extracts the user's roles, tenant ID, and custom claims.
- Send identity and resource context to Cerbos, Pass the Descope user ID, roles, tenant associations, and custom attributes as principal attributes alongside the target resource and action to the Cerbos PDP.
- Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the Descope identity data and resource context, returning allow or deny. Your application enforces the result.
FAQ
How does Cerbos work with Descope?
Descope authenticates users through configurable flows and issues JWTs containing roles, tenant associations, and custom attributes. Your application validates the JWT, extracts these claims, and passes them to Cerbos as principal attributes. Cerbos evaluates them against your policies alongside resource attributes to make authorization decisions.
Can I use Descope tenants and roles with Cerbos?
Yes. Descope supports multi-tenant configurations with per-tenant role assignments. Pass the tenant ID and tenant-scoped roles to Cerbos as principal attributes, and your policies can enforce tenant-aware access rules.
Does Cerbos replace Descope's built-in authorization?
Descope handles authentication and basic role management. Cerbos adds resource-level authorization using Descope's identity data as inputs. Descope determines who the user is. Cerbos determines what they can do with specific resources.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + Descope
- Cerbos extends Descope roles with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.