Policy-driven authorization for Envoy

Cerbos acts as an Envoy external authorization service, enforcing fine-grained access control at the proxy layer before requests reach your application.

Native Envoy support

Cerbos speaks Envoy's native protocol; no custom glue code is required

Unified policies

The same CEL-based policies that govern your application layer extend to your infrastructure

Defense in depth

Authorization at every layer of your stack, managed from a single control plane

How Cerbos works with Envoy External Authorization

Envoy External Authorization provides a native integration point for Cerbos, extending policy-driven authorization to another layer of your stack without custom glue code.

Cerbos policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. The same policies that govern your application layer now extend to Envoy External Authorization, enforced consistently everywhere.

A unified control plane means one set of policies, one audit trail, and one management workflow, regardless of how many services and infrastructure layers your system spans.

Authorization at the edge with Envoy and Cerbos

Modern service architectures increasingly rely on Envoy as the front proxy or sidecar handling ingress traffic. Moving authorization to this layer means every request is evaluated against your access policies before it reaches your application, reducing your attack surface and simplifying service-level code.

Cerbos plugs into Envoy's external authorization filter as a native gRPC service. Envoy sends the request metadata (headers, path, method, and any JWT claims) to Cerbos, which evaluates your YAML policies and returns an authorization decision in milliseconds.

How it works

  1. Envoy receives a request and extracts identity and request metadata from headers, JWTs, or mTLS certificates.
  2. Envoy calls Cerbos via the ext_authz gRPC protocol, passing the principal, resource, and action.
  3. Cerbos evaluates your policies, the same YAML policies used across your entire stack, and returns ALLOW or DENY.
  4. Envoy enforces the decision, forwarding authorized requests to your upstream service or returning a 403.
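The four steps above, as an added example that is not Cerbos's own configuration (the Envoy integration itself is part of Cerbos enterprise): an Envoy `ext_authz` HTTP filter wired to a gRPC cluster, followed by a Cerbos resource policy of the kind step 3 evaluates. The cluster name `cerbos_ext_authz`, the hostname `cerbos`, and the mapping of the HTTP method to the Cerbos action and of the `/documents` path to the resource kind `document` are assumptions for illustration; `failure_mode_allow: false` keeps the proxy fail-closed if Cerbos is unreachable.

```yaml
# Envoy listener fragment (added example): every request goes through ext_authz
http_filters:
  - name: envoy.filters.http.ext_authz
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
      transport_api_version: V3
      # Fail closed: if Cerbos is unreachable or times out, Envoy returns 403.
      failure_mode_allow: false
      include_peer_certificate: true   # lets identity come from mTLS (step 1)
      grpc_service:
        envoy_grpc:
          cluster_name: cerbos_ext_authz   # assumed cluster name
        timeout: 0.25s
  - name: envoy.filters.http.router
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
  - name: cerbos_ext_authz
    type: STRICT_DNS
    typed_extension_protocol_options:   # ext_authz is gRPC, so force HTTP/2
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: cerbos_ext_authz
      endpoints:
        - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: cerbos    # assumed hostname of the Cerbos PDP
                    port_value: 3593   # Cerbos's default gRPC port
---
# Cerbos resource policy evaluated in step 3. Assumes the integration maps the
# HTTP method to the Cerbos action and the /documents path to kind "document".
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "document"
  rules:
    - actions: ["GET"]
      effect: EFFECT_ALLOW
      roles: ["user", "admin"]
    - actions: ["DELETE"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: request.resource.attr.owner == request.principal.id
```

Cerbos denies anything no rule explicitly allows, so a `DELETE` by a user who is not the document's owner is answered with a 403 at the proxy and never reaches the upstream service (step 4).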

Unified policies across proxy and application

With Cerbos, the policies that govern API-level access in your Express or FastAPI service are the same policies evaluated at the Envoy proxy. Write once, enforce everywhere, with a full audit trail of every decision.

Get started

Cerbos authorization for Envoy is available as part of Cerbos enterprise. Talk to us to learn more about deploying Cerbos as your Envoy external authorization service.

FAQ

How does Cerbos integrate with Envoy?

Cerbos implements the Envoy external authorization (ext_authz) gRPC protocol. Envoy forwards every incoming request to Cerbos, which evaluates your policies and returns an allow or deny decision, all without any changes to your upstream services.

Do I need to change my application code?

No. Authorization decisions happen at the proxy layer. Your application receives only pre-authorized traffic, so you can remove authorization logic from your services entirely or keep it as defense in depth.

Can I use the same policies for Envoy and my application?

Yes. Cerbos uses a single policy language across every integration point. Policies you write for your application layer work identically when evaluated at the Envoy proxy.

Cerbos + Envoy External Authorization

  • Envoy External Authorization delegates authorization to Cerbos via native integration
  • One set of policies enforced across the entire stack
  • Unified audit trail for all authorization decisions
  • Policies managed without code changes or redeployments

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.