Authorization for Flask applications with Cerbos
Add policy-based authorization to Flask routes and request handlers using the Cerbos Python SDK. Enforce fine-grained access control via decorators or before-request hooks.
Guard routes and handlers
Add Cerbos checks as Flask decorators or before-request hooks to enforce permissions before route handlers execute
Context from request data
Pass user session data, request parameters, and resource attributes from Flask's request context to Cerbos for attribute-based decisions
Decouple policy from code
Move authorization rules out of route handlers into versioned YAML policies that can be updated without redeploying your Flask application
How Cerbos works with Flask
Building authorization logic inside Flask quickly becomes a maintenance burden. Hard-coded role checks scatter across controllers and middleware, and every permission change requires a code deploy.
Cerbos replaces scattered authorization logic with a single API call. You define fine-grained policies in YAML, and the Cerbos PDP evaluates them at request time using roles, attributes, and any context you provide.
With Cerbos, your Flask application stays focused on business logic while authorization policies evolve independently, managed by product or security teams without touching code.
- Add the Cerbos Python SDK to your Flask project. Install the SDK and configure a Cerbos client, typically initialized at application startup or in a factory function.
- Call Cerbos from route handlers or hooks. Extract the authenticated user from Flask's request context, build a Cerbos check request with the target resource and action, and allow or deny access based on the PDP response.
- Define authorization policies in YAML. Write resource and principal policies that capture your access control rules, including roles, attributes, and conditions. Store them alongside your code and version them in git.
- Cerbos evaluates policies at request time. Every authorization check is evaluated against the latest policies with sub-millisecond latency. Update rules without redeploying your Flask application.
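The decorator pattern from the steps above, as an added sketch that is not Cerbos's own code. StubPDP stands in for a client built with the Cerbos Python SDK, and the X-User header, USERS and DOCS are constructed stand-ins for a real session and data store. The decorator denies by default and fails closed when the PDP cannot be reached.

```python
from functools import wraps
from flask import Flask, abort, g, jsonify, request

# Constructed sample data (assumption): a real app reads these from its session and database.
USERS = {"alice": {"id": "alice", "roles": ["user"]}, "bob": {"id": "bob", "roles": ["user"]}}
DOCS = {"1": {"id": "1", "kind": "document", "attr": {"owner": "alice"}}}

class StubPDP:
    """Hypothetical stand-in for the PDP client; a real one sends the check to Cerbos."""
    def __init__(self, up=True):
        self.up = up
    def is_allowed(self, action, principal, resource):
        if not self.up:
            raise ConnectionError("PDP unreachable")
        # Stand-in for a YAML policy: only the owner may read the document.
        return action == "read" and resource["attr"]["owner"] == principal["id"]

def create_app(pdp):
    app = Flask(__name__)

    @app.before_request
    def load_principal():
        # X-User is a test stand-in for an authenticated session, not a trustworthy identity.
        g.principal = USERS.get(request.headers.get("X-User", ""))

    def authorize(action, load_resource):
        def decorator(view):
            @wraps(view)
            def wrapper(**kwargs):
                if g.principal is None:
                    abort(401)
                resource = load_resource(**kwargs)
                if resource is None:
                    abort(404)
                try:
                    allowed = pdp.is_allowed(action, g.principal, resource)
                except Exception:
                    abort(503)  # fail closed: a PDP error never grants access
                if not allowed:
                    abort(403)
                return view(resource=resource, **kwargs)
            return wrapper
        return decorator

    @app.route("/documents/<doc_id>")
    @authorize("read", lambda doc_id: DOCS.get(doc_id))
    def get_document(doc_id, resource):
        return jsonify(resource)

    return app
```

The handler only runs after the check passes and receives the already-loaded resource, so it contains no role or ownership logic of its own.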
FAQ
How do I integrate Cerbos with Flask?
Use the Cerbos Python SDK to create a client and call the Cerbos PDP from your Flask route handlers or before-request hooks. Extract the authenticated user from the request context, build a Cerbos check request, and gate access based on the PDP response.
Can I use Cerbos with Flask decorators?
Yes. Create a decorator that wraps your route handlers, extracts principal and resource information from the request, and calls the Cerbos PDP. Apply it to any route that requires authorization. The Cerbos PDP responds in sub-millisecond time.
Does Cerbos work with Flask blueprints?
Yes. You can register a before_request hook on a Flask blueprint that calls the Cerbos PDP, applying authorization checks to all routes within that blueprint. This keeps authorization logic centralized per module.
Cerbos + Flask
- Single API call replaces hard-coded permission checks in Flask
- Policies updated independently of application deploys
- Authorization policies versioned and tested like source code
- Stateless PDP scales independently of the application