Skip to main content


When a Topaz authorizer connects to the Control Plane, we call it an Edge Authorizer. Topaz makes an outgoing mTLS connection, which enables bidirectional communication between Topaz and the Control Plane.

Topaz outgoing messages

Topaz stores decision logs on a local volume. When connected to the control plane, it will send these decision logs to the control plane, preserving durability, and utilizing exactly-once, in-order semantics. Once the decision logs are durably stored in Aserto's cloud object storage, these logs are available for consumption using the Decision Log APIs.

Topaz incoming commands

The Control Plane can send commands to Edge Authorizers using the Relay service. The Relay supports two commands:

  • Invoking OPA Discovery, which will immediately download a new policy image if one is available, short-circuiting the polling timer.
  • Invoking the Directory synchronization logic in Topaz, which will immediately download any new manifest and/or data changes and synchronize them with the local Topaz directory.

Commands sent automatically

When the Aserto Control Plane detects that a new policy image is available in the Aserto Policy Registry, it will automatically send the command to short-circuit OPA Discovery.

Scenarios for sending commands manually

  1. If you're using a different OCI v2 artifact registry (such as AWS ECR, Azure Container Registry, Google Artifact Registry, GitHub Container Registry, etc), you may elect to use the control plane to send the OPA Discovery message using the API as part of your CI workflow.
  2. If you need to trigger a directory sync right after you write objects or relations to the Aserto Central Directory, you can use the control plane to send the Sync Edge Directory command using the API.

Sending control plane commands

The control plane commands can be sent via three mechanisms: