Route Extensions

Authorize requests from any infrastructure component

Route extensions expose HTTP endpoints that gateways, proxies, data platforms, and queues call to delegate access control to Cerbos policies — translating each system's native protocol into a policy evaluation.

Protocol translation

Accept requests in any format and translate them into Cerbos policy evaluations with declarative CEL or programmable extensions

Any infrastructure component

API gateways, service meshes, data platforms, queues, and internal tooling can all delegate authorization to Cerbos

Single policy surface

Infrastructure and application layers enforce the same policies, same attribute vocabulary, same audit trail

How Cerbos works with Route Extensions

Route extensions provide a native integration point for Cerbos, extending policy-driven authorization to another layer of your stack without custom glue code.

Cerbos policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. The same policies that govern your application layer now extend to Route Extensions, enforced consistently everywhere.

A unified control plane means one set of policies, one audit trail, and one management workflow, regardless of how many services and infrastructure layers your system spans.

Protocol translation for infrastructure authorization

Many infrastructure components — API gateways, service meshes, data platforms, message queues — have hooks for delegating access control to an external service. Each speaks a different protocol. Route extensions accept these requests, translate them into Cerbos policy evaluations, and return responses in the format the calling system expects.

This creates a single policy surface across your entire stack. The same policies and attribute vocabulary that govern your application layer extend to your infrastructure, with a unified audit trail.

How route extensions work

  1. An infrastructure component sends a request to a route extension endpoint using its native authorization protocol.
  2. The extension translates the request into a Cerbos policy evaluation using declarative CEL expressions or a programmable Starlark/Wasm extension.
  3. Policies are evaluated and the decision is translated back into the response format the calling system expects.

Declarative CEL mapping handles straightforward protocol translations as configuration. Programmable extensions in Starlark or Wasm handle complex transformation logic.
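The three steps above, sketched in Python as an added illustration (not Cerbos code and not the route extension configuration format, which this page does not show). The inbound hook layout, the `x-user-id` and `x-user-roles` headers, the `/kind/id` path convention and the method-to-action map are assumptions; the outbound body follows the shape of the Cerbos PDP CheckResources JSON API.

```python
# Added illustration; header names, path layout and the method-to-action map are assumptions.
METHOD_ACTIONS = {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}

def to_check_request(hook):
    """Step 2: translate a gateway hook payload into a CheckResources-shaped body."""
    # Assumes the gateway authenticated the caller and set these headers itself.
    headers = {k.lower(): v for k, v in hook.get("headers", {}).items()}
    action = METHOD_ACTIONS.get(str(hook.get("method", "")).upper())
    parts = [p for p in str(hook.get("path", "")).split("/") if p]
    principal = str(headers.get("x-user-id", "")).strip()
    roles = [r.strip() for r in str(headers.get("x-user-roles", "")).split(",") if r.strip()]
    if not (action and principal and roles and len(parts) == 2):
        return None  # unmappable input is rejected, never forwarded as a guess
    return {
        "requestId": str(hook.get("id", "")),
        "principal": {"id": principal, "roles": roles},
        "resources": [{"actions": [action],
                       "resource": {"kind": parts[0], "id": parts[1]}}],
    }

def to_hook_response(check_request, pdp_response):
    """Step 3: translate the decision back; only an explicit allow yields 200."""
    if check_request is None or not isinstance(pdp_response, dict):
        return {"status": 403, "reason": "unmappable request or no decision"}
    wanted = check_request["resources"][0]
    target = (wanted["resource"]["kind"], wanted["resource"]["id"])
    for result in pdp_response.get("results", []):
        res = result.get("resource", {})
        effect = result.get("actions", {}).get(wanted["actions"][0])
        if (res.get("kind"), res.get("id")) == target and effect == "EFFECT_ALLOW":
            return {"status": 200, "reason": "allowed by policy"}
    return {"status": 403, "reason": "denied by policy"}

# Constructed sample input and decision (not captured from a real system).
SAMPLE_HOOK = {"id": "req-1", "method": "GET", "path": "/invoice/inv-42",
               "headers": {"X-User-Id": "alice", "X-User-Roles": "finance, user"}}
SAMPLE_DECISION = {"requestId": "req-1", "results": [
    {"resource": {"kind": "invoice", "id": "inv-42"}, "actions": {"read": "EFFECT_ALLOW"}}]}

if __name__ == "__main__":
    req = to_check_request(SAMPLE_HOOK)
    print(req, to_hook_response(req, SAMPLE_DECISION))
```

The translation layer denies by default: a request it cannot map, a missing decision, or a decision for a different resource all produce a 403 rather than falling through to an allow.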

Get started

Route extensions are available as part of Cerbos Hub. Talk to us to learn more about extending Cerbos authorization to your infrastructure.

FAQ

What are route extensions?

Route extensions expose HTTP endpoints on Cerbos that accept requests in any format, translate them into Cerbos policy evaluations, and return responses in the format the calling system expects. This enables any infrastructure component with an external authorization hook to delegate decisions to Cerbos.

What systems can use route extensions?

Any system that supports delegating access control via HTTP or gRPC. Common examples include API gateways, service meshes, data platforms like Kafka and Trino, message queues, and internal tooling with ad-hoc authorization logic.

What is the difference between declarative and programmatic mapping?

Declarative mapping uses CEL expressions to define the protocol translation as configuration. Programmatic mapping uses Starlark scripts or Wasm modules when the transformation logic is more complex than CEL can express.

Cerbos + Route Extensions

  • Route Extensions delegate authorization to Cerbos via native integration
  • One set of policies enforced across the entire stack
  • Unified audit trail for all authorization decisions
  • Policies managed without code changes or redeployments

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.