4.2k

All integrations
FusionAuth
Identity providers

Cerbos authorization for FusionAuth

Use FusionAuth's flexible user data model, application roles, and custom data fields to drive fine-grained authorization decisions in Cerbos.

Per-app role policies

Per-app role policies

Use FusionAuth's per-application role assignments to write authorization rules scoped to each application registration

Custom data in policies

Custom data in policies

Reference FusionAuth user.data and registration.data fields directly in Cerbos policy conditions

Multi-tenant ready

Multi-tenant ready

Combine FusionAuth tenant isolation with Cerbos scoped policies for per-tenant authorization logic

How Cerbos works with FusionAuth

FusionAuth handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

Authorization powered by FusionAuth's flexible data model

FusionAuth gives developers full control over their user data model: per-application role assignments, custom data fields on users and registrations, multi-tenant isolation, and JWT lambdas for claim customization. Cerbos uses that rich identity data to make fine-grained authorization decisions at the resource level.

How it works

  1. Users authenticate through FusionAuth, your application receives a JWT containing application roles, group memberships, and custom claims populated by lambdas.
  2. Your application extracts identity data and passes it to Cerbos as principal attributes, alongside the target resource and action.
  3. Cerbos evaluates policies that reference FusionAuth roles, custom user data, tenant context, and resource properties.
  4. Your application enforces the result, keeping authorization logic in declarative policies rather than application code.

Beyond simple role checks

FusionAuth's role system is application-scoped, which is a good starting point. But many applications need authorization decisions that depend on the specific resource being accessed, the relationship between the user and the resource, or contextual data like time or location. Cerbos policies express these rules using the identity data FusionAuth provides.

Get started

Watch our demo video or explore the Express + FusionAuth + Cerbos example project to see the integration in action.

FAQ

Can Cerbos use FusionAuth application registrations?

Yes. FusionAuth assigns roles per application registration, so a user can have different roles in different applications. Your application passes the registration-specific roles to Cerbos, and policies can scope authorization decisions to the correct application context.

How does Cerbos work with FusionAuth's user.data fields?

FusionAuth lets you store arbitrary key-value data on user objects and application registrations. When included in JWT claims via lambdas, this custom data can be passed to Cerbos as principal attributes and used in policy conditions.

Does Cerbos support FusionAuth multi-tenant setups?

Yes. FusionAuth's tenant ID and tenant-specific user data can be passed as principal attributes to Cerbos. Policies can then enforce different access rules per tenant without duplicating policy logic.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Auth0
Auth0Map Auth0 Actions, Organizations, and roles to Cerbos policy inputs
Identity providers
Authentik
AuthentikAuthentik property mappings shape token claims for Cerbos policy inputs
Identity providers
AWS Cognito
AWS CognitoCognito user pool groups and custom attributes as Cerbos policy inputs
Identity providers
Clerk
ClerkClerk session claims and Organizations drive Cerbos policy evaluation
Identity providers
Curity
Curity Identity ServerCurity token procedure claims as principal attributes in Cerbos
Identity providers
Descope
DescopeDescope JWT claims, tenant data, and role assignments feed into Cerbos policy evaluation
Identity providers

Cerbos + FusionAuth

  • Cerbos extends FusionAuth roles with fine-grained, attribute-based permissions
  • Policies defined in human-readable YAML, managed as code
  • Authorization logic decoupled from application code
  • Sub-millisecond policy evaluation via stateless PDP
Book a free policy workshopTry the Playground
Cerbos
/assets/footer/socials/x.svg/assets/footer/socials/github.svg/assets/footer/socials/mail.svg/assets/footer/socials/youtube.svg/assets/footer/socials/linkedin.svg/assets/footer/socials/slack.svg/assets/footer/socials/npm.svg/assets/footer/socials/rss.svg
/assets/footer/compliance/soc-2.svg/assets/footer/compliance/gdpr.svg

What is Cerbos?

Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.

© 2026 Cerbos.dev

Terms of Service

Privacy Policy

Trusted Tester Agreement

Trademark Guidelines