Start with Identity
Authorization

Cerbos

Founded 2021London, UKPrivate (open core, Cerbos Inc.)Score 4/5Evaluated 2026-06-19Website ↗

Capability scores

Methodology →
Authentication
1.5
SSO & Federation
1.5
Authorization
4.5
Lifecycle & Provisioning
3.0
MFA & Passwordless
1.0
Governance & Audit
3.5
Developer Experience
4.5
Deployment Flexibility
4.5
Pricing Transparency
4.0
Support & Ecosystem
3.5

Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.

Overview

Cerbos is an open-source (Apache 2.0) authorization layer where you write access policies in YAML and run a stateless decision engine alongside your services. It is a policy-as-code tool in the same family as Open Policy Agent, but purpose-built for application authorization (attribute- and role-based access control) rather than general infrastructure policy. Founded in 2021, Cerbos Inc. follows an open-core model: the engine is free, and Cerbos Hub is the commercial control plane. It decouples access rules from application code so policy can evolve independently.

What it is good at

The model is clean policy-as-code: resource and principal policies in YAML, version-controlled and testable in CI, evaluated by a stateless policy decision point (PDP) you deploy as a sidecar or service. This keeps decisions fast and authorization logic out of your codebase, and the developer tooling is strong, including local testing, audit logs, and query plans that let you filter lists of resources rather than checking one at a time. For PBAC/ABAC across microservices it is excellent, and statelessness makes it easy to scale horizontally.

Where it falls short

Because it is stateless and attribute-driven, Cerbos is not a relationship store like Zanzibar-style engines, so deeply relational permissions (nested sharing, ownership graphs across millions of objects) need extra modeling or a different tool such as OpenFGA or AuthZed. Like other pure authorization engines it does nothing for authentication, SSO, or MFA.

Pricing

The core engine is free and open source under Apache 2.0. Cerbos Hub offers a free tier plus paid plans for policy management, distribution, and audit at scale. Model the difference with the TCO calculator.

Best for, and who should look elsewhere

Choose Cerbos if you want clean, testable policy-as-code for ABAC/PBAC across services and prefer a stateless engine you control. Compare OpenFGA vs Cerbos and Styra/OPA vs Cerbos, or the three-way OpenFGA vs AuthZed vs Cerbos. See the authorization guide.

Bottom line

Pick Cerbos for clean, testable policy-as-code ABAC/PBAC across services when you want a stateless engine you control rather than a relationship store.

By SWI Community Team · Last evaluated 2026-06-19

Independent, community-driven analysis. No vendor sponsorship. Compiled from public research and community input and verified on a best-effort basis, so details may be incomplete or out of date. Scores are opinions, not advice. Trademarks belong to their owners; mention does not imply affiliation or endorsement. See the full disclaimer, or send corrections to community@startwithidentity.com.