Identity providers

Cerbos authorization for Magic

Magic provides passwordless and Web3 authentication using email magic links, social login, and wallet-based sign-in. Cerbos uses the identity tokens Magic issues to evaluate fine-grained authorization policies, so you get passwordless auth paired with resource-level access control.

Passwordless identity

Authenticate users with Magic's magic links, social login, or Web3 wallets and authorize them with Cerbos policies

Application-managed roles

Magic handles identity verification. Assign roles in your application and pass them to Cerbos for fine-grained authorization.

Web3-ready

Use wallet addresses and decentralized identity from Magic as principal attributes in Cerbos policies

How Cerbos works with Magic

Magic handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

Policy-as-codeHuman-readable YAML policies managed like source code Scalable PDPStateless policy decision point with sub-millisecond latency Centralized managementManage, test, and deploy policies from a single control plane

How Cerbos works with Magic

Users authenticate via Magic, Magic handles passwordless login through email magic links, social providers, or Web3 wallet connections. No passwords are stored or transmitted.
Validate the Magic DID token, Your application validates the decentralized ID token issued by Magic and extracts the user's email or wallet address. Application-managed roles and attributes are fetched from your user store.
Send identity and resource context to Cerbos, Pass the Magic-verified identity and application-managed roles as principal attributes alongside the target resource and desired action to the Cerbos PDP.
Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the user identity and resource attributes, returning allow or deny. Your application enforces the result.

FAQ

How does Cerbos work with Magic?

Magic authenticates users via magic links, social login, or Web3 wallets and issues a decentralized ID (DID) token. Your application validates the DID token, extracts the user's identity, and passes it to Cerbos as a principal along with any application-managed roles or attributes. Cerbos evaluates your authorization policies against this data.

How do I handle roles with Magic and Cerbos?

Magic handles authentication but does not manage roles or groups. Your application assigns roles to users after authentication, stored in your database or user management system. Pass these roles to Cerbos alongside the Magic-verified identity, and your policies handle the rest.

Can I use Magic's Web3 wallet authentication with Cerbos?

Yes. When users authenticate with a Web3 wallet through Magic, you receive the wallet address as part of the identity token. Pass it to Cerbos as a principal attribute and write policies based on wallet address, associated roles, or any other application-managed attributes.