Cerbos authorization with JSON Web Tokens
JWT is a token format that carries identity claims from any authentication provider. Cerbos natively understands JWTs, extracting roles, groups, and custom claims to evaluate fine-grained authorization policies without requiring your application to parse tokens or map claims manually.
Native token support
Cerbos verifies and decodes JWTs directly, extracting claims as principal attributes without application-side token parsing
Provider-agnostic
Write authorization policies once against JWT claims, regardless of whether tokens come from Auth0, Keycloak, Okta, or any OIDC provider
Claims beyond roles
Use any custom claim in the JWT payload, such as department, tenant, or subscription tier, as inputs to fine-grained authorization policies
How Cerbos works with JSON Web Tokens
A JSON Web Token carries the result of authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
How Cerbos works with JSON Web Tokens
- Your identity provider issues a JWT: any OIDC-compliant provider (Auth0, Keycloak, Okta, or others) authenticates the user and issues a JWT containing standard and custom claims such as roles, groups, and business attributes.
- Cerbos verifies the token: Cerbos validates the JWT signature against configured JWKS endpoints or public keys, ensuring the token was issued by a trusted provider.
- Claims become principal attributes: Cerbos extracts claims from the verified JWT and maps them to principal attributes. Your policies reference these attributes directly; no application-side claim parsing is required.
- Cerbos evaluates policies and returns a decision: Cerbos evaluates your YAML policies against the JWT claims and resource attributes, returning allow or deny. Your application enforces the result.
FAQ
How does Cerbos use JWT claims?
Cerbos can verify and decode JWTs directly, extracting claims such as sub, roles, groups, and any custom claims your identity provider includes. These claims become principal attributes in your policies, so you can write authorization rules based on any data carried in the token without application-side claim parsing.
Does JWT replace an identity provider?
No. JWT is a token format, not an authentication system. An identity provider such as Auth0, Keycloak, or Okta authenticates users and issues JWTs. Cerbos consumes those tokens regardless of which provider issued them. The JWT page describes how Cerbos works with the token format itself, independent of the issuing provider.
Can Cerbos verify JWT signatures?
Yes. Cerbos can be configured with JWKS endpoints or public keys to verify JWT signatures before extracting claims. This ensures that only tokens issued by trusted identity providers are accepted for policy evaluation.
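The following is an added example, not text from this page or from the Cerbos project's own documentation. It ties together the four-step flow above and the two FAQ answers on claims and signature verification: a server-side key set configuration (the token is rejected before any claim is read if its signature does not verify against the configured JWKS) and a resource policy whose conditions read the verified claims. The `auxData.jwt.keySets` configuration keys and the `request.auxData.jwt` expression namespace are Cerbos's own; the JWKS URL, the key set id `idp`, the `expense_report` resource, and the `department`, `roles` and `approval_limit` claims are assumed for illustration.

```yaml
# --- Cerbos server configuration (for example .cerbos.yaml) ---
# Trusted key material used for step 2, signature verification.
# A token that does not verify against this key set never reaches
# policy evaluation. The JWKS URL below is a placeholder.
auxData:
  jwt:
    disableVerification: false      # keep false; true skips signature checks entirely
    acceptableTimeSkew: 30s         # tolerance for exp/nbf clock drift between issuer and PDP
    keySets:
      - id: idp                     # assumed key set name; callers reference it as keySetId
        remote:
          url: https://idp.example.com/.well-known/jwks.json   # placeholder URL
          refreshInterval: 1h       # re-fetch keys so issuer key rotation is picked up

# Caller side, for reference (CheckResources request body, JSON):
#   "auxData": { "jwt": { "token": "<raw JWT from the Authorization header>", "keySetId": "idp" } }

---
# --- Resource policy (for example policies/expense_report.yaml) ---
# Steps 3 and 4: verified claims are read as request.auxData.jwt.<claim>.
# department, roles and approval_limit are assumed custom claims.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "expense_report"
  rules:
    # Any employee may view reports belonging to their own department.
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["employee"]
      condition:
        match:
          expr: request.auxData.jwt.department == request.resource.attr.department

    # Approval requires a manager role carried in the token, a token from the
    # expected issuer, and an amount within the approver's limit claim.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["*"]
      condition:
        match:
          all:
            of:
              - expr: request.auxData.jwt.iss == "https://idp.example.com/"
              - expr: '"manager" in request.auxData.jwt.roles'
              - expr: request.resource.attr.amount <= request.auxData.jwt.approval_limit
```

The `view` rule relies on the role list the application passes in `principal.roles`, while the `approve` rule shows the alternative of reading the role straight from the token's `roles` claim; either way the claims only become visible to the policy after the signature check succeeds. Checking `iss` explicitly guards against accepting a correctly signed token from a different trusted issuer that happens to share the key set, and `acceptableTimeSkew` bounds how far an expired token can still be honoured.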
Cerbos + JSON Web Tokens
- Cerbos extends the roles carried in JSON Web Tokens with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP