
Cerbos authorization for Ory

Use Ory Kratos identity schemas, session data, and traits to drive fine-grained authorization decisions in Cerbos policies.

Schema-driven identity

Use Ory Kratos identity traits defined in your JSON schemas as first-class attributes in Cerbos policies

Works with the Ory stack

Integrates alongside Ory Kratos, Oathkeeper, and Hydra without replacing any component in your identity infrastructure

Open source pairing

Both Ory and Cerbos are open source, giving you full transparency and control over your authentication and authorization stack

How Cerbos works with Ory

Ory handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

Authorization powered by Ory identity schemas

Ory Kratos lets you define identity through JSON schemas, giving you full control over what traits each identity carries (department, subscription tier, organization, custom fields). Cerbos uses those traits to make fine-grained authorization decisions, turning your identity schema into an authorization data source.

How it works

  1. Users authenticate through Ory Kratos. Your application validates the session and retrieves identity traits from the Kratos session endpoint.
  2. Your application passes identity traits to Cerbos as principal attributes, along with the target resource and action.
  3. Cerbos evaluates policies that reference Ory identity traits, session data, and resource properties.
  4. Your application enforces the result. Authorization logic stays in Cerbos policies, decoupled from your application code.
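The four steps above, as an added example that is not code from Cerbos or Ory: a constructed session object shaped like a Kratos `/sessions/whoami` response is mapped to the JSON body of a Cerbos CheckResources request, and the PDP's answer is read fail-closed. The `role` trait, the `document` resource kind and the sample trait values are assumptions.

```python
"""Map an Ory Kratos session to a Cerbos CheckResources request and read the
answer fail-closed. Example code, not from Cerbos or Ory. The session below is
constructed to look like a Kratos /sessions/whoami response (assumption); the
'role' trait and the 'document' resource kind are assumptions as well."""
import uuid

# Constructed sample, shaped like a Kratos whoami response.
KRATOS_SESSION = {
    "id": "sess-0001",
    "active": True,
    "authenticator_assurance_level": "aal1",
    "identity": {
        "id": "user-42",
        "schema_id": "default",
        "traits": {"email": "a@example.com", "department": "finance",
                   "tier": "pro", "organization": "acme", "role": "analyst"},
    },
}


def build_check_request(session, resource_kind, resource_id, resource_attr, actions):
    """Step 2: turn session traits into Cerbos principal attributes.
    Returns None for an inactive session so the caller denies up front."""
    if not session.get("active"):
        return None
    identity = session["identity"]
    traits = dict(identity.get("traits", {}))  # copy; never mutate the session
    # Cerbos principals need at least one role; take it from the 'role'
    # trait (assumption) and fall back to a plain 'user' role.
    roles = [traits.pop("role", "user")]
    # Session data (here the assurance level) travels as an attribute too.
    traits["aal"] = session.get("authenticator_assurance_level", "aal1")
    return {
        "requestId": str(uuid.uuid4()),
        "principal": {"id": identity["id"], "roles": roles, "attr": traits},
        "resources": [{"actions": list(actions),
                       "resource": {"kind": resource_kind, "id": resource_id,
                                    "attr": dict(resource_attr)}}],
    }


def allowed_actions(check_response, resource_id):
    """Step 4: read a CheckResources response. Only EFFECT_ALLOW grants an
    action; a missing result or any other effect is a deny (fail closed)."""
    for result in check_response.get("results", []):
        if result.get("resource", {}).get("id") == resource_id:
            return {action for action, effect in result.get("actions", {}).items()
                    if effect == "EFFECT_ALLOW"}
    return set()
```

The returned request is what the application POSTs to the PDP's `/api/check/resources` endpoint; Cerbos policy conditions then reference the traits as principal attributes (for example `request.principal.attr.department`).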

Your identity schema, your authorization rules

Because Ory Kratos identity schemas are fully customizable, you can design your identity data model to include exactly the attributes your authorization policies need. Cerbos policies reference these traits directly, so adding a new trait to your identity schema immediately makes it available for authorization decisions, with no code changes required.

Get started

Check out the Cerbos documentation to learn how to pass Ory Kratos session traits to Cerbos for policy evaluation.

FAQ

How does Cerbos work with Ory Kratos identity schemas?

Ory Kratos uses JSON schemas to define identity traits (department, tier, role, organization, etc.). After authentication, your application retrieves the session and passes these traits to Cerbos as principal attributes. Policies can reference any trait defined in your schema.

Can I use Ory Oathkeeper with Cerbos?

Yes. Ory Oathkeeper can act as a reverse proxy that validates sessions and injects identity data into request headers. Your application or API gateway reads these headers and passes the identity data to Cerbos for authorization. Oathkeeper handles authentication enforcement; Cerbos handles authorization.

Does Cerbos work with Ory's self-hosted and cloud offerings?

Yes. Cerbos integrates at the application layer using session data from Ory. Whether you run Ory Kratos self-hosted or use Ory Network (their managed cloud), the integration pattern is the same: extract identity traits from the session and pass them to Cerbos.

Cerbos + Ory

  • Cerbos extends Ory roles with fine-grained, attribute-based permissions
  • Policies defined in human-readable YAML, managed as code
  • Authorization logic decoupled from application code
  • Sub-millisecond policy evaluation via stateless PDP

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.