Cerbos authorization for Zitadel
Use Zitadel projects, granted organizations, and user metadata to power fine-grained authorization decisions in Cerbos policies.
Project-scoped roles
Reference Zitadel project roles and organization grants directly in Cerbos policies for per-project authorization
B2B organization grants
Write authorization rules that account for Zitadel's organization grant model, enabling cross-org access control
Cloud-native and self-hosted
Both Zitadel and Cerbos can run self-hosted or in the cloud, giving you deployment flexibility without architecture changes
How Cerbos works with Zitadel
Zitadel handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
Authorization built on Zitadel's project and organization model
Zitadel structures identity around projects, organizations, and grants, a model designed for B2B and multi-tenant applications. Cerbos uses that structure to make fine-grained authorization decisions, going beyond what Zitadel's built-in role checks can express.
How it works
- Users authenticate through Zitadel, your application receives OIDC tokens containing project roles, organization membership, granted organization data, and custom metadata.
- Your application passes identity data to Cerbos as principal attributes, alongside the target resource and action.
- Cerbos evaluates policies that reference Zitadel project roles, organization grants, user metadata, and resource properties.
- Your application enforces the decision, authorization rules live in policies, not in application code.
Multi-tenant authorization with organization grants
Zitadel's organization grant model lets one organization grant another access to its projects with specific roles. Cerbos policies can use this grant context to enforce fine-grained access rules: different permissions for users from the owning organization versus granted organizations, resource-level restrictions based on organization membership, and conditional rules based on project-specific roles.
Get started
Check out the Cerbos documentation to learn how to pass Zitadel token claims to Cerbos for policy evaluation.
FAQ
Can Cerbos use Zitadel project roles and grants?
Yes. Zitadel's project roles and organization grants are included in OIDC token claims. Your application passes these to Cerbos as principal attributes, where policies can reference project-scoped roles and granted organization context for authorization decisions.
How does Cerbos handle Zitadel's multi-organization model?
Zitadel supports B2B scenarios where organizations grant access to other organizations' projects. The granting organization ID and project roles can be passed to Cerbos, enabling policies that enforce different access rules depending on which organization the user belongs to and which project they are accessing.
Can I use Zitadel user metadata in Cerbos policies?
Yes. Zitadel allows custom key-value metadata on users and organizations. When included in token claims via actions, this metadata can be passed to Cerbos as principal attributes and used in policy conditions.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + Zitadel
- Cerbos extends Zitadel roles with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.