4.3k

All integrations
Stytch
Identity providers

Cerbos authorization for Stytch

Use Stytch session data, organization memberships, and RBAC roles to power fine-grained authorization decisions in Cerbos policies.

B2B organization context

B2B organization context

Use Stytch organization memberships and member roles as attributes in Cerbos policies for multi-tenant authorization

Beyond Stytch RBAC

Beyond Stytch RBAC

Extend Stytch's built-in role checks with resource-level, attribute-based policies that account for ownership and context

Auth-method agnostic

Auth-method agnostic

Works the same regardless of Stytch auth method: magic links, OTPs, WebAuthn, OAuth, or SSO

How Cerbos works with Stytch

Stytch handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

Authorization for Stytch-powered applications

Stytch provides modern authentication with passwordless flows, B2B organization management, and built-in RBAC. Cerbos extends that foundation with fine-grained authorization at the resource level, using Stytch session data and organization context to make access decisions.

How it works

  1. Users authenticate through Stytch, your application validates the session and retrieves member roles, organization membership, and custom metadata.
  2. Your application passes session data to Cerbos as principal attributes, along with the target resource and action.
  3. Cerbos evaluates policies that reference Stytch organization roles, member metadata, and resource properties.
  4. Your application enforces the decision, authorization rules are defined in policies, not scattered across application code.

Multi-tenant authorization with Stytch B2B

Stytch B2B organizations give you per-tenant user management and role assignments. Cerbos adds the authorization layer that makes those organization boundaries meaningful at the resource level: restricting data access to the correct organization, enforcing role-specific permissions within an org, and applying cross-tenant policies for platform administrators.

Get started

Follow our tutorial on integrating Stytch with Cerbos or explore the Python + Stytch + Cerbos example project.

FAQ

How does Cerbos work with Stytch B2B organizations?

Stytch B2B provides organization-scoped authentication with member roles. After authentication, your application passes the organization ID, member roles, and custom metadata to Cerbos as principal attributes. Policies can then enforce organization-scoped access rules at the resource level.

Can I use Stytch's RBAC alongside Cerbos?

Yes. Stytch's built-in RBAC provides coarse-grained role checks. Cerbos extends this by using Stytch roles as input to more granular policies that consider resource ownership, attributes, and contextual data. You get the simplicity of Stytch roles with the expressiveness of Cerbos policies.

Does Cerbos work with Stytch passwordless authentication?

Yes. Cerbos is authentication-method agnostic. Whether users authenticate via magic links, OTPs, WebAuthn, or OAuth, Cerbos receives the same session data and makes authorization decisions based on user attributes, not how they logged in.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Auth0
Auth0Map Auth0 Actions, Organizations, and roles to Cerbos policy inputs
Identity providers
Authentik
AuthentikAuthentik property mappings shape token claims for Cerbos policy inputs
Identity providers
AWS Cognito
AWS CognitoCognito user pool groups and custom attributes as Cerbos policy inputs
Identity providers
Clerk
ClerkClerk session claims and Organizations drive Cerbos policy evaluation
Identity providers
Curity
Curity Identity ServerCurity token procedure claims as principal attributes in Cerbos
Identity providers
Descope
DescopeDescope JWT claims, tenant data, and role assignments feed into Cerbos policy evaluation
Identity providers

Cerbos + Stytch

  • Cerbos extends Stytch roles with fine-grained, attribute-based permissions
  • Policies defined in human-readable YAML, managed as code
  • Authorization logic decoupled from application code
  • Sub-millisecond policy evaluation via stateless PDP
Book a free policy workshopTry the Playground
Cerbos
/assets/footer/socials/x.svg/assets/footer/socials/github.svg/assets/footer/socials/mail.svg/assets/footer/socials/youtube.svg/assets/footer/socials/linkedin.svg/assets/footer/socials/slack.svg/assets/footer/socials/npm.svg/assets/footer/socials/rss.svg
/assets/footer/compliance/soc-2.svg/assets/footer/compliance/gdpr.svg

What is Cerbos?

Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.

© 2026 Cerbos.dev

Terms of Service

Privacy Policy

Trusted Tester Agreement

Trademark Guidelines