Skip to main content


The Authorizer is an open source authorization engine which uses the Open Policy Agent (OPA) to compute a decision based on a policy, user context, and data.

An application can interact with the Authorizer through a set of gRPC or HTTPS REST APIs.

Hosted Authorizer vs Edge Authorizer

Creating an Aserto tenant automatically creates a corresponding Authorizer instance in the multi-tenant hosted Authorizer. Since it's a multi-tenant service, the hosted Authorizer requires authorization headers to disambiguate the tenant and provide the tenant secret (API key).

The Aserto authorizer can also be deployed as a sidecar (or as a local service), right next to your application. Since this Authorizer is a single-tenant service, it does not require authentication, besides the certificate validation mandated by HTTPS mutual TLS.


Any API call to the hosted Authorizer requires two HTTP headers:

  • Aserto-Tenant-ID: <Tenant-ID>
  • Authorization: basic <Authorizer-API-Key>

You can find these values in the Policy settings in the Aserto Console.

Authorizer API categories

The Authorizer provides the following API categories to calling applications:


The v1 Directory (dir) namespace is now deprecated in favor of the v2 Directory graphQL APIs.

The v1 System (sys) namespace is now removed from v2.