Cerbos authorization for NestJS

Integrate Cerbos into NestJS using guards, decorators, and modules for fine-grained authorization. Enforce policy-based access control across your controllers without scattering permission logic through your application.

Authorize with guards

Build a Cerbos guard that implements CanActivate to enforce policy-based permissions on any NestJS controller or route handler.

Declarative with decorators

Use custom decorators to annotate controllers and methods with resource types and actions, keeping authorization intent explicit and controller logic clean.

Injectable Cerbos module

Register the Cerbos client as a NestJS module so it can be injected into guards, interceptors, and services throughout your application.

How Cerbos works with NestJS

Building authorization logic inside NestJS quickly becomes a maintenance burden. Hard-coded role checks scatter across controllers and middleware, and every permission change requires a code deploy.

Cerbos replaces scattered authorization logic with a single API call. You define fine-grained policies in YAML, and the Cerbos PDP evaluates them at request time using roles, attributes, and any context you provide.

With Cerbos, your NestJS application stays focused on business logic while authorization policies evolve independently, managed by product or security teams without touching code.

How Cerbos works with NestJS

  1. Create a Cerbos module. Register the Cerbos client as a NestJS provider so it can be injected wherever authorization is needed across your application.
  2. Build a Cerbos guard. Implement a custom guard that extracts the authenticated user and the target resource from the request, calls the Cerbos PDP, and returns true or false to allow or deny access.
  3. Define authorization policies in YAML. Write resource and principal policies that capture your access control rules, including roles, attributes, and conditions. Store them alongside your code and version them in git.
  4. Cerbos evaluates policies at request time. Every authorization check is evaluated against the latest policies with sub-millisecond latency. Update rules without redeploying your NestJS application.
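
One way to write the guard from step 2 so that it fails closed, as an added example rather than Cerbos's own integration code. The `Principal`, `PdpClient` and `ExecutionContextLike` types, the two stub PDPs and `fakeContext` are local stand-ins assumed here so the block runs without NestJS or a live PDP; in an application the guard would implement `CanActivate` from `@nestjs/common` and receive the injected Cerbos client.

```typescript
// Local stand-in types (assumptions) so this example runs without NestJS or a PDP.
// In an application, CanActivate and ExecutionContext come from @nestjs/common.
interface Principal { id: string; roles: string[] }
interface Resource { kind: string; id: string }
interface CheckRequest { principal: Principal; resource: Resource; action: string }
interface PdpClient { isAllowed(req: CheckRequest): Promise<boolean> }
interface RequestLike { user: Principal | undefined; params: Record<string, string | undefined> }
interface ExecutionContextLike { switchToHttp(): { getRequest(): RequestLike } }

class CerbosGuard {
  private readonly pdp: PdpClient;
  private readonly kind: string;
  private readonly action: string;

  constructor(pdp: PdpClient, kind: string, action: string) {
    this.pdp = pdp;
    this.kind = kind;
    this.action = action;
  }

  async canActivate(context: ExecutionContextLike): Promise<boolean> {
    const req = context.switchToHttp().getRequest();
    const id = req.params["id"];
    // Deny before calling the PDP when there is no authenticated principal
    // or no target resource to decide on.
    if (!req.user || !id) return false;
    const resource: Resource = { kind: this.kind, id };
    try {
      return await this.pdp.isAllowed({ principal: req.user, resource, action: this.action });
    } catch {
      // Fail closed: a PDP error or timeout must never grant access.
      return false;
    }
  }
}

// Constructed stand-ins: a PDP where only editors may update, a PDP that is
// unreachable, and a helper that fakes the HTTP execution context.
const stubPdp: PdpClient = {
  isAllowed: async (r) => r.action === "update" && r.principal.roles.indexOf("editor") !== -1,
};
const downPdp: PdpClient = {
  isAllowed: async () => { throw new Error("PDP unreachable"); },
};
function fakeContext(user: Principal | undefined, id?: string): ExecutionContextLike {
  return { switchToHttp: () => ({ getRequest: () => ({ user, params: { id } }) }) };
}
```

The two early-deny paths and the `catch` are the parts to carry over: an unauthenticated request, a missing resource id, and an unavailable PDP all resolve to a denial.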

FAQ

How do I integrate Cerbos with NestJS?

Create a Cerbos module that provides the Cerbos client as an injectable service. Then build a custom guard that extracts the authenticated user and resource from the request, calls the Cerbos PDP, and allows or denies the request. Apply the guard to controllers or individual routes using NestJS decorators.

Can I use Cerbos with NestJS guards and decorators?

Yes. The most idiomatic approach is to create a CerbosGuard that implements CanActivate and calls the Cerbos PDP. You can combine it with custom parameter decorators to specify the resource type and action being authorized, keeping your controller methods clean.

Does Cerbos work with NestJS interceptors?

Yes. While guards are the primary integration point for access control, you can also use interceptors to filter or transform response data based on Cerbos decisions, for example to redact fields the user is not authorized to see.

Cerbos + NestJS

  • Single API call replaces hard-coded permission checks in NestJS
  • Policies updated independently of application deploys
  • Authorization policies versioned and tested like source code
  • Stateless PDP scales independently of the application

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.