Fetch authorization context from external APIs

Cerbos calls external services at decision time to retrieve user attributes, resource metadata, or any other state your policies need, with built-in caching and configurable TTLs.

Any external service

Fetch user attributes, resource metadata, or external state from any API your policies need at decision time

Cached responses

Configurable TTLs cache responses to balance data freshness against evaluation latency

Zero application code

Context fetching happens inside Cerbos; your application only sends a user identifier and resource reference

How Cerbos works with External API

Authorization decisions are only as good as the data behind them. External API provides real-time context (user profiles, group memberships, or external attributes) that makes Cerbos policies richer and more accurate.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. With External API as a context source, those policies can evaluate attributes beyond what's in the initial request.

Because enrichment happens at the policy layer, your application code stays clean: there is no custom plumbing to fetch and merge identity data before making authorization calls.

Authorization context from any external service

Not every piece of data your policies need arrives in the authorization request. Cerbos external API context sources let you pull state into policy evaluation by calling external services directly, with no application code changes.

How it works

  1. Configure an external context source in Cerbos with the service endpoint, request template, authentication, and cache TTL.
  2. Your application sends an authorization request with a user identifier and resource reference.
  3. Cerbos calls the configured service at evaluation time, passing request parameters derived from the principal and resource.
  4. The response is mapped to policy attributes and cached for subsequent evaluations within the TTL window.

When to use external API context sources

External context sources are useful when authorization decisions depend on data that is not available in the identity token or the authorization request itself. Common patterns include fetching team or organization membership from an internal directory, retrieving resource ownership or classification from a metadata service, or checking entitlements from a licensing API.

FAQ

How does Cerbos fetch data from external APIs?

Cerbos makes requests to configured endpoints at policy evaluation time. The response payload is parsed and made available as attributes in your policies. You configure the endpoint, request format, response mapping, and caching behavior in the Cerbos configuration.

Are external API results cached?

Yes. Cerbos caches responses with configurable TTLs to avoid redundant calls on repeated evaluations. Cache keys are derived from the request parameters, so different users or resources produce separate cache entries.
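
The caching described in the steps above and in this answer has a security consequence: a change in the upstream service is not seen until the cached entry expires. The following added example (not Cerbos code or configuration; the class, the function names and the sample directory are assumptions made for illustration) models a TTL cache keyed on principal and resource, and shows the window in which a revoked team membership still produces an allow.

```python
import time


class CachedContextSource:
    """Hypothetical model of a TTL-cached context lookup (not Cerbos internals)."""

    def __init__(self, fetch, ttl_seconds, clock=time.monotonic):
        self.fetch = fetch            # callable that queries the external service
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so the example runs without sleeping
        self.cache = {}               # (principal, resource) -> (expires_at, attributes)
        self.upstream_calls = 0

    def attributes(self, principal_id, resource_id):
        key = (principal_id, resource_id)   # separate entry per user/resource pair
        now = self.clock()
        hit = self.cache.get(key)
        if hit and now < hit[0]:
            return hit[1]                   # served from cache, possibly stale
        self.upstream_calls += 1
        attrs = self.fetch(principal_id, resource_id)
        self.cache[key] = (now + self.ttl, attrs)
        return attrs


def is_allowed(source, principal_id, resource_id):
    # Stand-in for a policy condition: the principal must be in the resource's team.
    attrs = source.attributes(principal_id, resource_id)
    return attrs["resource_team"] in attrs["teams"]


def simulate_revocation(ttl_seconds):
    """Decisions before a revocation, inside the TTL window, and after expiry."""
    directory = {"alice": {"payments"}, "bob": {"support"}}  # constructed sample data
    now = [0.0]

    def fetch(principal_id, resource_id):
        return {"teams": set(directory[principal_id]), "resource_team": "payments"}

    src = CachedContextSource(fetch, ttl_seconds, clock=lambda: now[0])
    result = {"before": is_allowed(src, "alice", "invoice:1"),
              "bob": is_allowed(src, "bob", "invoice:1")}
    directory["alice"].discard("payments")      # membership revoked upstream
    now[0] = ttl_seconds / 2
    result["within_ttl"] = is_allowed(src, "alice", "invoice:1")  # stale allow
    now[0] = ttl_seconds + 1
    result["after_ttl"] = is_allowed(src, "alice", "invoice:1")   # refetched, denied
    result["upstream_calls"] = src.upstream_calls
    return result


if __name__ == "__main__":
    print(simulate_revocation(60))
```

In this model the TTL is the upper bound on how long a revoked attribute keeps influencing decisions, which is the figure to weigh against evaluation latency when choosing it.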

What kind of services can Cerbos call?

Any service that returns structured data. Common examples include internal user profile services, resource metadata APIs, feature flag services, team membership lookups, and entitlement databases. The service must be reachable from Cerbos at runtime.

Cerbos + External API

  • Authorization decisions enriched with real-time External API data
  • Context enrichment configured at the policy layer, not in application code
  • Identity attributes and business context combined in policies
  • Centrally managed authorization logic across the stack

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.