Identity providers

Cerbos authorization for Stytch

Use Stytch session data, organization memberships, and RBAC roles to power fine-grained authorization decisions in Cerbos policies.

B2B organization context

Use Stytch organization memberships and member roles as attributes in Cerbos policies for multi-tenant authorization

Beyond Stytch RBAC

Extend Stytch's built-in role checks with resource-level, attribute-based policies that account for ownership and context

Auth-method agnostic

Works the same regardless of Stytch auth method: magic links, OTPs, WebAuthn, OAuth, or SSO

How Cerbos works with Stytch

Stytch handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

Policy-as-codeHuman-readable YAML policies managed like source code Scalable PDPStateless policy decision point with sub-millisecond latency Centralized managementManage, test, and deploy policies from a single control plane

Authorization for Stytch-powered applications

Stytch provides modern authentication with passwordless flows, B2B organization management, and built-in RBAC. Cerbos extends that foundation with fine-grained authorization at the resource level, using Stytch session data and organization context to make access decisions.

How it works

Users authenticate through Stytch, your application validates the session and retrieves member roles, organization membership, and custom metadata.
Your application passes session data to Cerbos as principal attributes, along with the target resource and action.
Cerbos evaluates policies that reference Stytch organization roles, member metadata, and resource properties.
Your application enforces the decision, authorization rules are defined in policies, not scattered across application code.

Multi-tenant authorization with Stytch B2B

Stytch B2B organizations give you per-tenant user management and role assignments. Cerbos adds the authorization layer that makes those organization boundaries meaningful at the resource level: restricting data access to the correct organization, enforcing role-specific permissions within an org, and applying cross-tenant policies for platform administrators.

Get started

Follow our tutorial on integrating Stytch with Cerbos or explore the Python + Stytch + Cerbos example project.

FAQ

How does Cerbos work with Stytch B2B organizations?

Stytch B2B provides organization-scoped authentication with member roles. After authentication, your application passes the organization ID, member roles, and custom metadata to Cerbos as principal attributes. Policies can then enforce organization-scoped access rules at the resource level.

Can I use Stytch's RBAC alongside Cerbos?

Yes. Stytch's built-in RBAC provides coarse-grained role checks. Cerbos extends this by using Stytch roles as input to more granular policies that consider resource ownership, attributes, and contextual data. You get the simplicity of Stytch roles with the expressiveness of Cerbos policies.

Does Cerbos work with Stytch passwordless authentication?

Yes. Cerbos is authentication-method agnostic. Whether users authenticate via magic links, OTPs, WebAuthn, or OAuth, Cerbos receives the same session data and makes authorization decisions based on user attributes, not how they logged in.