Skip to main content


The Authorizer is an open source authorization engine which uses the Open Policy Agent (OPA) to compute a decision based on a policy, user context, and data.

The Authorizer is packaged as a docker image and is meant to be deployed as close as possible to your application:

  • a sidecar container in the same pod as the application (if you're running in Kubernetes)
  • a service that is deployed in the same subnet as your application (if not)

In addition, when you create an Aserto tenant, an Authorizer instance in Aserto's multi-tenant hosted authorizer service is provisioned for you. For some use cases that are less sensitive to latency, this hosted Authorizer instance may be sufficient.

Finally, the same container image underpins Aserto's local developer experience, which you can deploy on your local workstation using the Aserto CLI, and use while developing your application. This helps create a tight development workflow that has no external dependencies.


The main concepts for the Authorizer are:

  • Policy: a set of rules for making an authorization decision
  • Decision: an output of the policy
  • User context: a set of user properties, roles, and scopes that can be used in a policy to determine the value of decisions
  • data: additional data (often in the form of lookup tables) that is used in determining the value of decisions