Integrate Cerbos with Express for powerful authorization

Implement roles and context aware access control in your application by integrating Cerbos with Express.

What is Cerbos?

Cerbos is open source, decoupled access control for your application enabling you to implement fine-grained permissions in minutes.


Define and evolve complex policies without requiring a release cycle


Meet your compliance requirements with a full audit trail of policies, permissions, access to resources


Be enterprise ready and meet your customer's organizational requirements with ease


Coming soon: SIEM integrations and anomaly detection and recommendations of policy changes


Extend Express Roles

Fine grained access controls extending the roles defined in Express


Enrich with Context

Request time attribute based authorization enables more contextual access controls


Avoid Token Bloat

Independent authorization logic avoids bloated tokens and workarounds

How to integrate Cerbos with Express

Implementing Cerbos with Express is easy. You can use the SDKs provided by Cerbos to call out to the Policy Decision Point (PDP) from a middleware or a handler, passing along context about the principal (user) making the request, the resource they are trying to access and the action they are trying to perform. Based on the policies and the context, the Cerbos will determine if the request is authorized or not - if it is, then you can continue to process the request otherwise return an error.

Express App

Cerbos and Express Code Example

Cerbos provides a convinient way to integrate with Express. You can use the SDKs provided by Cerbos to call out to the Policy Decision Point (PDP). The code below demonstrates how to setup the Cerbos SDK and check permissions inside a GET Express handler.

import express from "express";
import { GRPC as Cerbos } from "@cerbos/grpc";

// Connect to the Cerbos PDP Instance
const cerbos = new Cerbos("localhost:3592");
const app = express();

app.get("/expenses/:id", async (req, res) => {
  // Get the resource from the DB
  const result = expenses.find((expense) => ===;
  if (!result) return res.status(404).json({ error: "Expense not found" });

  // Pass the user (principal) and the resource to 
  // Cerbos along with the action to perform
  const decision = await cerbos.checkResource({
    principal: {
      roles: req.user.roles,
      attributes: req.user
    resource: {
      kind: "expense",
      attributes: {
    actions: ["view"],

  // Check whether a particular action is allowed
  if (decision.isAllowed("view")) {
    return res.json(result);
  } else {
    return res.status(401).json({ error: "Unauthorized" });

Why Cerbos?



Define access policies using human-readable YAML. No need to master a new policy language.


Super-charged Roles

Dynamically derive new roles based on contextual information. Don't be limited to what your IdP provides.



Make use of context such as IP address and time of day to make realtime access decisions


Ultrafast API

Access decisions in milliseconds.



Develop, test, and deploy policies just as you do with your source code.


Multiple Environments

Built-in policy versioning to support canary deployments and different environments.


Cloud Native

Containerised deployment as a microservice or a sidecar. REST and gRPC interfaces. Top-notch observability.


Audit Logs

Capture every decision and analyze them later.



Leverage our community for examples and help.

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team