Run Cerbos authorization at the edge with Cloudflare Workers
Embed Cerbos policy evaluation inside Cloudflare Workers for serverless authorization at the network edge with no origin round-trip.
Edge-native authorization
Authorization decisions happen at the Cloudflare edge, close to the user and before requests reach your origin
Unified policies
The same Cerbos policies govern authorization at the edge and within your backend services
No origin round-trip
Unauthorized requests are rejected at the edge, reducing origin load and response latency
What is Cerbos?
Cerbos is an open-source authorization layer that decouples access control from your application code. It runs as a stateless Policy Decision Point (PDP) that evaluates fine-grained policies at request time.
Authorization policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. They can be updated, tested, and deployed independently of your application.
Deploying Cerbos via Cloudflare Workers gives you a production-ready authorization service that scales horizontally and fits naturally into your existing infrastructure and observability stack.
How to run Cerbos with Cloudflare Workers
- Deploy the Cerbos PDP, Run a Cerbos PDP instance accessible from Cloudflare Workers, or configure access via Cerbos Hub.
- Add the Cerbos SDK to your Worker, Install the JavaScript SDK and initialize the client in your Worker script.
- Check authorization on each request, Extract identity from headers or JWTs, build the principal and resource, and call the Cerbos PDP.
- Enforce the decision at the edge, Return the response or reject the request before it reaches your origin.
FAQ
How does Cerbos run in Cloudflare Workers?
Your Worker calls the Cerbos PDP to evaluate authorization policies on every request. The PDP can run as a nearby service or be accessed via Cerbos Hub, keeping policy evaluation close to the edge.
What is the difference between this and the Cloudflare API gateway integration?
The API gateway integration treats Cloudflare as a proxy that delegates auth decisions to Cerbos. With Workers, your application logic runs at the edge and calls Cerbos directly, giving you full control over request handling and authorization flow.
How do I manage policies for Workers?
Policies are managed centrally via Cerbos Hub or a Git repository. Workers fetch the latest policy decisions from the Cerbos PDP at request time, so policy updates take effect without redeploying your Worker.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + Cloudflare Workers
- Cerbos runs alongside your workloads in Cloudflare Workers
- No external databases or message queues required
- Built-in metrics, distributed tracing, and structured logging
- Stateless PDP instances scale horizontally
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.