
Cerbos authorization for Firebase

Firebase Authentication handles sign-in and identity verification. Cerbos uses Firebase custom claims and user metadata to make fine-grained authorization decisions, giving you real access control beyond what Security Rules can express.

Custom claims in policies

Use Firebase custom claims like role, tier, and department as principal attributes in Cerbos authorization policies

Beyond Security Rules

Replace complex, hard-to-test Security Rules with version-controlled Cerbos policies that combine identity and resource context

Works with Cloud Functions

Verify Firebase ID tokens server-side and call Cerbos from Cloud Functions, backend APIs, or any server environment

How Cerbos works with Firebase

Firebase handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

  1. Users authenticate via Firebase: Firebase Authentication handles email/password, social providers, phone auth, and anonymous sign-in. Custom claims are set on user records via the Admin SDK and embedded in the ID token.
  2. Verify the Firebase ID token: your backend (Cloud Functions, Express, or any server) verifies the Firebase ID token using the Admin SDK and extracts the UID, email, and custom claims.
  3. Send identity and resource context to Cerbos: pass the Firebase UID, custom claims (role, department, tier), and any user metadata as principal attributes alongside the target resource and action to the Cerbos PDP.
  4. Cerbos evaluates policies and returns a decision: Cerbos evaluates your YAML policies against the Firebase identity data and resource context, returning allow or deny. Your application enforces the result.
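Steps 2 to 4 in code, as an added example that is not Cerbos's or Firebase's own: it takes the decoded token the Admin SDK's `getAuth().verifyIdToken()` returns, separates Firebase custom claims from the standard JWT claims that share the same top level, builds a request in the shape of the Cerbos HTTP API's `/api/check/resources` endpoint, and reads the answer so that anything other than an explicit allow is treated as deny. The sample token, the `expense_report` resource and the response object are constructed for illustration.

```javascript
// Standard JWT and Firebase claims present in every decoded ID token. Everything
// else at the top level was set via the Admin SDK, i.e. is a custom claim.
const RESERVED_CLAIMS = new Set([
  "iss", "aud", "auth_time", "user_id", "sub", "uid", "iat", "exp", "email",
  "email_verified", "phone_number", "name", "picture", "firebase",
]);

// Decoded-token shape assumed to match DecodedIdToken from firebase-admin.
function toCerbosPrincipal(decodedToken) {
  const custom = {};
  for (const [k, v] of Object.entries(decodedToken)) {
    if (!RESERVED_CLAIMS.has(k)) custom[k] = v;
  }
  const { role, ...attrs } = custom;
  // Cerbos principals need at least one role; "user" is an assumed fallback
  // for accounts whose role claim was never set.
  const roles = Array.isArray(role) ? role : [role ?? "user"];
  return {
    id: decodedToken.uid,
    roles,
    attr: {
      email: decodedToken.email ?? null,
      emailVerified: decodedToken.email_verified === true,
      ...attrs, // department, tier, and any other custom claim
    },
  };
}

// Body for POST /api/check/resources on the Cerbos PDP.
function buildCheckRequest(decodedToken, resource, actions) {
  return { principal: toCerbosPrincipal(decodedToken), resources: [{ resource, actions }] };
}

// The PDP answers with results[i].actions[action] set to "EFFECT_ALLOW" or
// "EFFECT_DENY". A missing result, action or unexpected value fails closed.
function isAllowed(response, resourceId, action) {
  const r = (response.results ?? []).find((x) => x.resource?.id === resourceId);
  return r?.actions?.[action] === "EFFECT_ALLOW";
}

// Constructed sample of a decoded token; not a real Firebase token.
const SAMPLE_TOKEN = {
  iss: "https://securetoken.google.com/example-project", aud: "example-project",
  auth_time: 1700000000, user_id: "uid_123", sub: "uid_123", uid: "uid_123",
  iat: 1700000000, exp: 1700003600, email: "alice@example.com", email_verified: true,
  firebase: { sign_in_provider: "password", identities: {} },
  role: "manager", department: "finance", tier: "pro",
};
```

In a Cloud Function the decoded token comes from `verifyIdToken()` on the bearer token, the request body is sent to the PDP, and `isAllowed` gates the handler.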

FAQ

How does Cerbos use Firebase custom claims?

Firebase lets you set custom claims on user records via the Admin SDK, such as role, department, or subscription tier. These claims are included in the Firebase ID token. Pass them to Cerbos as principal attributes, and your policies can make fine-grained decisions based on these claims combined with resource attributes and request context.

Does Cerbos replace Firebase Security Rules?

Cerbos handles application-level authorization, while Security Rules protect direct Firestore and Storage access. If your app uses server-side logic (Cloud Functions, a backend API), Cerbos replaces the need for complex Security Rules by centralizing authorization in testable, version-controlled policies. For client-side direct access, Security Rules still apply.

Can I use Firebase with Cerbos in a serverless architecture?

Yes. Verify the Firebase ID token in your Cloud Function or API endpoint, extract the custom claims, and send them to Cerbos. The Cerbos PDP can run as a sidecar, a standalone service, or via Cerbos Hub, all of which work well with serverless backends.

Cerbos + Firebase

  • Cerbos extends Firebase roles with fine-grained, attribute-based permissions
  • Policies defined in human-readable YAML, managed as code
  • Authorization logic decoupled from application code
  • Sub-millisecond policy evaluation via stateless PDP

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.