All integrations
Cloudflare Workers
Deployment

Run Cerbos authorization at the edge with Cloudflare Workers

Embed Cerbos policy evaluation inside Cloudflare Workers for serverless authorization at the network edge with no origin round-trip.

Edge-native authorization

Edge-native authorization

Authorization decisions happen at the Cloudflare edge, close to the user and before requests reach your origin

Unified policies

Unified policies

The same Cerbos policies govern authorization at the edge and within your backend services

No origin round-trip

No origin round-trip

Unauthorized requests are rejected at the edge, reducing origin load and response latency

What is Cerbos?

Cerbos is an open-source authorization layer that decouples access control from your application code. It runs as a stateless Policy Decision Point (PDP) that evaluates fine-grained policies at request time.

Authorization policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. They can be updated, tested, and deployed independently of your application.

Deploying Cerbos via Cloudflare Workers gives you a production-ready authorization service that scales horizontally and fits naturally into your existing infrastructure and observability stack.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

How to run Cerbos with Cloudflare Workers

  1. Deploy the Cerbos PDP, Run a Cerbos PDP instance accessible from Cloudflare Workers, or configure access via Cerbos Hub.
  2. Add the Cerbos SDK to your Worker, Install the JavaScript SDK and initialize the client in your Worker script.
  3. Check authorization on each request, Extract identity from headers or JWTs, build the principal and resource, and call the Cerbos PDP.
  4. Enforce the decision at the edge, Return the response or reject the request before it reaches your origin.

FAQ

How does Cerbos run in Cloudflare Workers?

Your Worker calls the Cerbos PDP to evaluate authorization policies on every request. The PDP can run as a nearby service or be accessed via Cerbos Hub, keeping policy evaluation close to the edge.

What is the difference between this and the Cloudflare API gateway integration?

The API gateway integration treats Cloudflare as a proxy that delegates auth decisions to Cerbos. With Workers, your application logic runs at the edge and calls Cerbos directly, giving you full control over request handling and authorization flow.

How do I manage policies for Workers?

Policies are managed centrally via Cerbos Hub or a Git repository. Workers fetch the latest policy decisions from the Cerbos PDP at request time, so policy updates take effect without redeploying your Worker.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Amazon EC2
Amazon EC2Standalone binary or container PDP on EC2 with full instance control
Deployment
Amazon ECS
Amazon Elastic Container ServiceStateless PDP container running as an ECS task or Fargate sidecar
Deployment
Amazon EKS
Amazon Elastic Kubernetes ServiceHelm-managed Cerbos on EKS with IRSA and Fargate support
Deployment
Amazon Elastic Beanstalk
Amazon Elastic BeanstalkMulti-container Cerbos sidecar that auto-scales with Beanstalk instances
Deployment
Amazon Lambda
AWS LambdaEmbedded in-process PDP for serverless authorization with no network hop
Deployment
AKS
Azure Kubernetes ServiceCerbos on AKS with workload identity and Helm-based lifecycle management
Deployment

Cerbos + Cloudflare Workers

  • Cerbos runs alongside your workloads in Cloudflare Workers
  • No external databases or message queues required
  • Built-in metrics, distributed tracing, and structured logging
  • Stateless PDP instances scale horizontally
Book a free policy workshopTry the Playground