4.3k

All integrations
SuperTokens
Identity providers

Cerbos authorization for SuperTokens

Pair SuperTokens' self-hosted authentication with Cerbos for fine-grained authorization, keeping both identity and access control within your infrastructure.

Self-hosted stack

Self-hosted stack

Run both SuperTokens and Cerbos within your own infrastructure for full control over authentication and authorization data

Session claims in policies

Session claims in policies

Use SuperTokens custom session claims and user metadata as attributes in Cerbos policy conditions

Recipe-based flexibility

Recipe-based flexibility

Works with any SuperTokens recipe (email/password, passwordless, social login, third-party) without changes to your authorization layer

How Cerbos works with SuperTokens

SuperTokens handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

Authorization for self-hosted authentication

SuperTokens is designed for teams that want to own their authentication infrastructure. Cerbos adds fine-grained authorization to that self-hosted stack, so both identity verification and access control decisions happen within your environment.

How it works

  1. Users authenticate through SuperTokens, your application validates the session and extracts user roles, custom session claims, and metadata.
  2. Your application passes session data to Cerbos as principal attributes, along with the target resource and action.
  3. Cerbos evaluates policies that reference SuperTokens roles, session claims, tenant context, and resource properties.
  4. Your application enforces the result, authorization decisions are made by policies, not hardcoded in application logic.

Full-stack self-hosted authorization

Teams choosing SuperTokens often do so because they want to avoid third-party dependencies for authentication. Cerbos follows the same philosophy for authorization: it runs as a sidecar or service within your infrastructure, evaluating policies locally with no external API calls. Together, they provide a fully self-hosted identity and access control stack.

Get started

Check out the Cerbos documentation to learn how to pass SuperTokens session data to Cerbos for policy evaluation.

FAQ

Can Cerbos use SuperTokens session claims?

Yes. SuperTokens lets you attach custom claims to sessions via the session claim system. Your application reads these claims from the validated session and passes them to Cerbos as principal attributes, where policies can reference them for authorization decisions.

Does the self-hosted model matter for Cerbos integration?

Both SuperTokens and Cerbos can run self-hosted, which means authentication and authorization stay entirely within your infrastructure. No identity data or authorization requests leave your network, which simplifies compliance for regulated environments.

How does Cerbos work with SuperTokens multi-tenancy?

SuperTokens supports multi-tenancy with per-tenant login methods and user pools. The tenant ID and tenant-specific user metadata can be passed to Cerbos as principal attributes, allowing policies to enforce tenant-scoped access rules.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Auth0
Auth0Map Auth0 Actions, Organizations, and roles to Cerbos policy inputs
Identity providers
Authentik
AuthentikAuthentik property mappings shape token claims for Cerbos policy inputs
Identity providers
AWS Cognito
AWS CognitoCognito user pool groups and custom attributes as Cerbos policy inputs
Identity providers
Clerk
ClerkClerk session claims and Organizations drive Cerbos policy evaluation
Identity providers
Curity
Curity Identity ServerCurity token procedure claims as principal attributes in Cerbos
Identity providers
Descope
DescopeDescope JWT claims, tenant data, and role assignments feed into Cerbos policy evaluation
Identity providers

Cerbos + SuperTokens

  • Cerbos extends SuperTokens roles with fine-grained, attribute-based permissions
  • Policies defined in human-readable YAML, managed as code
  • Authorization logic decoupled from application code
  • Sub-millisecond policy evaluation via stateless PDP
Book a free policy workshopTry the Playground
Cerbos
/assets/footer/socials/x.svg/assets/footer/socials/github.svg/assets/footer/socials/mail.svg/assets/footer/socials/youtube.svg/assets/footer/socials/linkedin.svg/assets/footer/socials/slack.svg/assets/footer/socials/npm.svg/assets/footer/socials/rss.svg
/assets/footer/compliance/soc-2.svg/assets/footer/compliance/gdpr.svg

What is Cerbos?

Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.

© 2026 Cerbos.dev

Terms of Service

Privacy Policy

Trusted Tester Agreement

Trademark Guidelines