Cerbos
Type: full-code · Vendor: Cerbos · Language: Go · License: Apache-2.0 · Status: active · Status in practice: mature · First released: 2021-09-01
Cerbos is an external policy decision point that an MCP server calls on every agent tool invocation, returning an allow/deny decision and controlling which tools are enabled for the user and context.
Description. Cerbos is an open-source, language-agnostic authorization policy decision point that centralizes access-control decisions outside application code. Used with an MCP server, it acts as a policy enforcement point: the MCP server asks Cerbos for a decision on each AI-agent tool invocation and abides by it. When clients connect, the server calls Cerbos to check which tools are permitted for that user and context, then enables or disables tools accordingly. Policies can incorporate attributes of the action, the user, and the environment.
Agent loop shape. An MCP server in front of an agent acts as a policy enforcement point. When a client connects, the server asks Cerbos which tools are permitted for that user and context and enables or disables tools accordingly, starting with no tools by default. On each tool invocation the server asks Cerbos for an allow/deny decision and abides by it, with policies evaluating attributes of the action, the user, and the environment.
Primary use cases
- externalized authorization for MCP servers
- allow/deny decisions on agent tool invocations
- per-user, per-context tool enablement for agents
- attribute-based access control for agent actions
Key concepts
- Policy Decision Point (PDP) → policy-gated-agent-action (docs) — Cerbos runs as a stateless service that exposes an API the application or MCP server calls to ask whether a given action is allowed for a given user right now, keeping the decision logic out of the calling code.
- ABAC / RBAC / PBAC policies → policy-as-code-gate (docs) — Cerbos policies can combine role-based, attribute-based, and policy-based access control, evaluating attributes of the action, the user, and the environment so decisions reflect context like department, account status, time of day, or request IP.
- Policy enforcement point (the MCP server) → policy-gated-agent-action (docs) — In the MCP integration the server itself is the enforcement point: it delegates the decision to Cerbos and enforces the returned verdict, so its own logic stays simple while the security team owns the rules.
Patterns this full-code implements —
- ★Policy-Gated Agent Action (KRITIS)
An MCP server acts as a policy enforcement point that calls the Cerbos policy decision point on every AI-agent tool invocation, returning an allow/deny decision so only the actions permitted for that…
- ★Policy-as-Code Gate
Authorization rules are written as declarative, machine-readable policies managed outside the MCP server: rules define under which conditions a user or workload can access a tool, and policies can be…
- ★★Tool Loadout
Cerbos drives which tools the agent session sees: the session starts with no tools enabled, and tools are selectively enabled per request based on the user's role, request context, and policies, so a…
- ★★Provenance Ledger
Cerbos records every authorization check it makes as structured audit logs, so each allow/deny decision over an agent's tool calls is captured with enough context for traceability and forensic review.
Neighbourhood
Click any neighbour to follow the lineage. Scroll to zoom, drag to pan.
Alternatives & relatives
- full-code · framework
Open Policy Agent (OPA)
Both are external, language-neutral policy decision points an application or MCP server queries for allow/deny decisions; OPA uses Rego, Cerbos uses its own declarative policy format.
- full-code · framework
Arcade
Arcade authenticates the user and scopes the OAuth-backed tool call; Cerbos can sit alongside as the policy decision point that authorizes whether that user-and-context combination is permitted to in…
Listed as alternative by (3)
References
Provenance
- Last analyzed:
- Last updated:
- Verification status: partial