
Policy-driven authorization at the Gravitee API Gateway

Enforce fine-grained Cerbos authorization policies at the Gravitee API Gateway edge — before requests reach your services.

HTTP callout integration

Cerbos integrates through Gravitee's built-in HTTP Callout policy and Expression Language templates; no custom plugins are required.

Unified policies

The same CEL-based policies that govern your application layer extend to your API gateway

Defense in depth

Authorization at every layer of your stack, managed from a single control plane

How Cerbos works with Gravitee API Gateway

Enforcing authorization at the Gravitee API Gateway means unauthorized requests are rejected before they reach your services, reducing load, improving security posture, and simplifying backend code.

Cerbos provides fine-grained, context-aware authorization policies written in human-readable YAML. When integrated with Gravitee API Gateway, these policies are evaluated at the edge for every incoming request.

The same Cerbos policies govern authorization at the gateway and within your services: one source of truth, one audit trail, and consistent enforcement across every layer.

How Cerbos works with Gravitee API Gateway

  1. Deploy Cerbos alongside Gravitee. Run the Cerbos PDP as a sidecar or as a service reachable from your Gravitee API Gateway.
  2. Add an HTTP Callout policy to your API flow. Configure the policy to POST to the Cerbos /api/check/resources endpoint, and use Gravitee's Expression Language to inject JWT claims, the request path, method, and headers into the request body.
  3. Define authorization policies in YAML. Write Cerbos policies that control access based on routes, methods, roles, and request attributes.
  4. Requests are authorized at the edge. The callout response is evaluated using exitOnError or errorCondition, and unauthorized requests are rejected before they reach your services.
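The following added example (not code from Cerbos or Gravitee) shows the two halves of step 2 and step 4 as plain Python: shaping the gateway request context into a Cerbos /api/check/resources body, and turning the PDP response into the allow/deny decision an errorCondition would express, failing closed on anything unexpected. The method-to-action names, the path-to-resource mapping, and the JWT claim names (sub, roles, tenant) are assumptions; the request and response shapes follow the Cerbos check API.

```python
import uuid

# Assumed mapping from HTTP method to the action names used in the Cerbos policies.
METHOD_TO_ACTION = {"GET": "read", "POST": "create", "PUT": "update",
                    "PATCH": "update", "DELETE": "delete"}


def build_check_request(method, path, claims, headers=None):
    """Body the HTTP Callout would POST to /api/check/resources.

    Assumed convention: the first path segment is the resource kind and the
    second is its id, so /orders/42 -> kind 'orders', id '42'. The request
    path, method and headers travel as resource attributes so policies can
    reference them; JWT claims (constructed here) become the principal.
    """
    segments = [s for s in path.split("/") if s]
    kind = segments[0] if segments else "root"
    resource_id = segments[1] if len(segments) > 1 else "*"
    return {
        "requestId": str(uuid.uuid4()),
        "principal": {
            "id": claims["sub"],
            "roles": list(claims.get("roles", [])),
            "attr": {"tenant": claims.get("tenant")},
        },
        "resources": [{
            "actions": [METHOD_TO_ACTION.get(method.upper(), method.lower())],
            "resource": {
                "kind": kind,
                "id": resource_id,
                "attr": {"path": path, "method": method.upper(),
                         "headers": dict(headers or {})},
            },
        }],
    }


def is_allowed(check_request, pdp_response):
    """Gateway-side decision: allow only if the PDP echoed our requestId and
    returned EFFECT_ALLOW for every requested action. A missing result,
    unknown action, mismatched requestId or malformed body is a deny."""
    try:
        if pdp_response["requestId"] != check_request["requestId"]:
            return False
        wanted = check_request["resources"][0]["actions"]
        actions = pdp_response["results"][0]["actions"]
        return all(actions.get(a) == "EFFECT_ALLOW" for a in wanted)
    except (KeyError, IndexError, TypeError):
        return False
```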

FAQ

How does Cerbos work with Gravitee API Gateway?

Gravitee's HTTP Callout policy sends a request to the Cerbos PDP during API request processing. Using Gravitee's Expression Language, the callout injects JWT claims, request path, method, and headers into the Cerbos check request. Cerbos evaluates your authorization policies and returns an allow or deny decision at the gateway edge.

Does this replace backend authorization?

Gateway-level authorization provides defense in depth. You can enforce coarse-grained policies at the edge and fine-grained policies within your services, both managed by Cerbos.

Can I use Gravitee's identity features with Cerbos?

Yes. Gravitee's JWT policy runs before the HTTP callout, making authenticated claims available via Expression Language. The callout templates inject these claims into the Cerbos check request, so authorization decisions are based on the full authenticated identity.

Cerbos + Gravitee API Gateway

  • Cerbos evaluates fine-grained policies at the Gravitee API Gateway edge
  • Unauthorized requests rejected before reaching upstream services
  • Same policies enforced at the gateway and within services
  • Centrally managed and audited authorization decisions