Skip to main content


The Authorizer is an open source authorization engine which uses the Open Policy Agent (OPA) to compute a decision based on a policy, user context, and data.

An application can interact with the Authorizer through a set of gRPC or HTTPS REST APIs.

gRPC API documentation

The gRPC APIs are described here.

REST API documentation

The Aserto Authorizer APIs are documented here. They are generated from the OpenAPI specification of each of the APIs, and and are meant to be used as the definitive reference for the Authorizer API surface.


If you have an Aserto account, sign in to the console, and select the API Docs menu item. This will bring up an authenticated experience for the reference docs, and automatically fill in the current Tenant ID, authorizer API key, and JWT so that you can directly execute API calls from the dashboard.

Readme API docs

Hosted Authorizer vs Edge Authorizer

Creating an Aserto tenant automatically creates a corresponding Authorizer instance in the multi-tenant hosted Authorizer. Since it's a multi-tenant service, the hosted Authorizer requires authorization headers to disambiguate the tenant and provide the tenant secret (API key).

The Aserto authorizer can also be deployed as a sidecar (or as a local service), right next to your application. Since this Authorizer is a single-tenant service, it does not require authentication, besides the certificate validation mandated by HTTPS mutual TLS.


Any API call to the hosted Authorizer requires two HTTP headers:

  • Aserto-Tenant-ID: <Tenant-ID>
  • Authorization: basic <Authorizer-API-Key>

You can find these values in the Policy settings in the Aserto Console.

Authorizer API categories

The Authorizer provides the following API categories to calling applications:


The v1 Directory (dir) namespace is now deprecated in favor of the v2 Directory graphQL APIs.

The v1 System (sys) namespace is now removed from v2.