Fetch authorization context from external APIs
Cerbos calls external services at decision time to retrieve user attributes, resource metadata, or any other state your policies need, with built-in caching and configurable TTLs.
Any external service
Fetch user attributes, resource metadata, or external state from any API your policies need at decision time.
Cached responses
Configurable TTLs cache responses to balance data freshness against evaluation latency.
Zero application code
Context fetching happens inside Cerbos; your application only sends a user identifier and resource reference.
How Cerbos works with external APIs
Authorization decisions are only as good as the data behind them. An external API provides real-time context (user profiles, group memberships, or external attributes) that makes Cerbos policies richer and more accurate.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. With an external API as a context source, those policies can evaluate attributes beyond what's in the initial request.
Because enrichment happens at the policy layer, your application code stays clean: there is no custom plumbing to fetch and merge identity data before making authorization calls.
Authorization context from any external service
Not every piece of data your policies need arrives in the authorization request. Cerbos external API context sources let you pull state into policy evaluation by calling external services directly, with no application code changes.
How it works
External API context sources are available as data sources in Cerbos Synapse, the data integration and enrichment layer that sits in front of the Cerbos PDP.
- Configure an external context source in Synapse with the service endpoint, request template, authentication, and cache TTL.
- Your application sends an authorization request with a user identifier and resource reference.
- Synapse calls the configured service at evaluation time, passing request parameters derived from the principal and resource.
- The response is mapped to policy attributes and cached for subsequent evaluations within the TTL window.
When to use external API context sources
External context sources are useful when authorization decisions depend on data that is not available in the identity token or the authorization request itself. Common patterns include fetching team or organization membership from an internal directory, retrieving resource ownership or classification from a metadata service, or checking entitlements from a licensing API.
FAQ
How does Cerbos fetch data from external APIs?
Cerbos makes requests to configured endpoints at policy evaluation time. The response payload is parsed and made available as attributes in your policies. You configure the endpoint, request format, response mapping, and caching behavior in the Cerbos configuration.
Are external API results cached?
Yes. Cerbos caches responses with configurable TTLs to avoid redundant calls on repeated evaluations. Cache keys are derived from the request parameters, so different users or resources produce separate cache entries.
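The caching behaviour described here and under "How it works" (keys derived from request parameters, entries valid for a TTL) is modelled below in an added Python example; it is not Cerbos or Synapse code. `ContextCache`, `is_allowed`, the fail-closed handling of fetch errors, and the sample directory are assumptions made for illustration. It shows that a membership revoked at the source is still honoured until the cached entry expires, so the TTL is the upper bound on how long a revocation can lag.

```python
import time

class ContextCache:
    """Toy model of a TTL cache in front of an external context source."""

    def __init__(self, fetch, ttl_seconds, clock=time.monotonic):
        self.fetch = fetch            # callable(principal_id, resource_id) -> dict
        self.ttl = ttl_seconds
        self.clock = clock
        self.entries = {}             # (principal, resource) -> (expires_at, attrs)
        self.upstream_calls = 0

    def attributes(self, principal_id, resource_id):
        # Key derived from the request parameters: one entry per user/resource pair.
        key = (principal_id, resource_id)
        now = self.clock()
        hit = self.entries.get(key)
        if hit and hit[0] > now:
            return hit[1]             # served from cache, possibly stale
        self.upstream_calls += 1
        try:
            attrs = self.fetch(principal_id, resource_id)
        except Exception:
            # Assumed design choice: fail closed. No attributes are returned,
            # so a rule that requires a team membership cannot match.
            self.entries.pop(key, None)
            return {}
        self.entries[key] = (now + self.ttl, attrs)
        return attrs

def is_allowed(attrs, required_team):
    """Stand-in for a policy condition on an enriched attribute."""
    return required_team in attrs.get("teams", [])

def staleness_demo(ttl=60):
    directory = {"alice": ["payments"]}   # constructed sample data
    now = [0.0]                           # fake clock so the demo is deterministic
    fetch = lambda pid, rid: {"teams": list(directory.get(pid, []))}
    cache = ContextCache(fetch, ttl, clock=lambda: now[0])
    check = lambda: is_allowed(cache.attributes("alice", "invoice:1"), "payments")

    results = [check()]                   # t=0: fetched, allowed
    directory["alice"] = []               # membership revoked at the source
    now[0] = ttl - 1
    results.append(check())               # inside TTL: stale entry still allows
    now[0] = ttl + 1
    results.append(check())               # after TTL: refetched, denied
    return results, cache.upstream_calls
```
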
What kind of services can Cerbos call?
Any service that returns structured data. Common examples include internal user profile services, resource metadata APIs, feature flag services, team membership lookups, and entitlement databases. The service must be reachable from Cerbos at runtime.

Cerbos + external APIs
- Authorization decisions enriched with real-time external API data
- Context enrichment configured at the policy layer, not in application code
- Identity attributes and business context combined in policies
- Centrally managed authorization logic across the stack