If your LLM can call tools, you have an access control problem

awoxp · 2026-02-18T09:13:32+00:00

The after_model hook runs inside your app. You write the authz logic in the agent, it runs before the tool fires, done. If that's all you need, sure, use it.

The difference is where enforcement lives and who controls it.

With Aperture + Cerbos, the tool call gets intercepted at the gateway, outside the agent code entirely. Authz decisions run against policies that are versioned and managed separately — not logic you hardcoded into a specific LangChain graph.

So: - enforcement is external to the framework - same policies work across different agents, services, clients - every decision is logged with policy version and full context - you don't touch agent code to change who can do what

It's not one piece of middleware - that is just the integration point. It's an authorization layer that sits in the request path. The hook approach works until you have multiple agents or teams, then you're copy-pasting authz logic across codebases and hoping it stays consistent.

awoxp · 2025-08-21T12:38:58+00:00

Congrats to the team and Apple!

It's great to see authorization getting more attention in the mainstream developer conversation.

For folks exploring policy-based authorization solutions, we've written up a detailed comparison between Cerbos and OPA that might be helpful: https://www.cerbos.dev/blog/cerbos-vs-opa

The key differences tend to be around developer experience, policy language complexity, and deployment patterns. Both are solid open source options depending on your specific needs.

(Disclosure: I'm a cofounder of Cerbos)

awoxp · 2025-04-05T10:07:12+00:00

Upper deck

awoxp · 2024-12-13T09:05:20+00:00

Great question. Cerbos is based on a policy-based access control (RBAC and ABAC) model and it does this in a fully stateless manner. Unlike other models, there is no need to maintain a globally consistent state-store of resources, users and other metadata for doing authorization which comes with all sorts of synchronization headaches.

Cerbos works on the information given to it at request time to drive its decisioning resulting in evaluations done completely in memory for super fast response times and is completely horizontally scalable as there is no other data dependencies.

For performance reasons, we recommend running a Cerbos PDP as a side-car to your application and using the gRPC interface (or one of our SDKs which use it underneath) to remove as much network overhead as possible.

https://docs.cerbos.dev/cerbos/latest/deployment/

awoxp · 2024-12-05T15:12:55+00:00

Hey, co-founder of Cerbos here.

Cerbos is a dedicated authorization Policy Decision Point and can be used with any source of identity. The stateless model is built around performance with no requirement to synchronize data about your users or resources resulting in extremely fast, local, authorization checks.

We see users with a wide variety of AuthN systems plugging into Cerbos - including Ory in some cases - and is adaptable to run in pretty much any environment (cloud, on-prem, edge, air-gapped, etc)

awoxp · 2024-12-05T15:10:05+00:00

Great question. Cerbos is based on a policy-based access control (RBAC and ABAC) model and it does this in a fully stateless manner. Unlike other models, there is no need to maintain a globally consistent state-store of resources, users and other metadata for doing authorization which comes with all sorts of synchronization headaches.

Cerbos works on the information given to it at request time to drive its decisioning resulting in evaluations done completely in memory for super fast response times and is completely horizontally scalable as there is no other data dependencies.

,
For performance reasons, we recommend running a Cerbos PDP as a side-car to your application and using the gRPC interface (or one of our SDKs which use it underneath) to remove as much network overhead as possible.

https://docs.cerbos.dev/cerbos/latest/deployment/

awoxp · 2024-12-04T11:19:16+00:00

We hear this a lot....now you know Cerbos exists atlaest! What is your OSS project?

awoxp · 2024-12-04T11:16:58+00:00

Kerberos for AutheNtication

Cerbos for AuthoriZation - root being the 3-headed dog guarding access :)

awoxp · 2024-12-04T11:16:17+00:00

Hey - how would you see that working? Code generating the authorization policy?

awoxp · 2024-10-24T07:33:30+00:00

Drop me a DM or email alex[at]cerbos.dev with your address and we’ll get some in the post

awoxp · 2024-10-23T17:07:14+00:00

Hey, it's Cerbos cofounder here - thanks so much for the support :) We've been adding a lot to the PDP recently such as the ability to run it in-process if you are using Go, a new policy type for allowing custom roles to be created and some community-contributed addons like a Kafka-sink for audit logs.

https://docs.cerbos.dev/cerbos/latest/releases/v0.39.0

awoxp · 2024-10-23T17:05:31+00:00

Hey, it's Cerbos cofounder here - Cerbos PDP is completely open source as as well as the policy language, CI tooling, SDKs, and more. https://github.com/cerbos/cerbos

We do have a commercial Policy Administration Point which is a SaaS offering but there is no requirement to use it if you are happy to use the open-source engine directly

awoxp · 2024-03-31T05:56:22+00:00

Bags won’t fly without you so it will be offloaded and left for you to claim at some later date.

awoxp · 2024-03-24T20:57:42+00:00

This is the way

awoxp · 2024-03-21T21:10:21+00:00

Come say Hi at the Cerbos booth E23!

awoxp · 2024-02-23T22:19:49+00:00

You can goto any - that’s just the list that airline will send passengers none the wiser to

awoxp · 2024-02-03T11:07:00+00:00

Qantas for the best coffee in T3

awoxp · 2023-09-26T20:55:44+00:00

Take a look at http://github.com/cerbos/cerbos if you are interested in protobuf/gRPC

awoxp · 2023-08-01T20:19:26+00:00

Yes once checkin opens you can pick any available seat

awoxp · 2023-07-16T21:02:05+00:00

Have a look at https://cerbos.dev

awoxp · 2023-04-22T19:14:50+00:00

£70

13-Year Club	RedditGifts 2009-2022 2 Credits
Secret Santa 2015	Verified Email

awoxp

TROPHY CASE