Overview

The cerbos server command starts the Cerbos Policy Decision Point (PDP) server. This is the main service that evaluates authorization requests against your policies.

Usage

cerbos server [flags]

Flags

Configuration

--config
string
default:".cerbos.yaml"
Path to the configuration file. Can also be set via the CERBOS_CONFIG environment variable.
--set
string[]
Override configuration values. Can be specified multiple times. Format: key=value (supports nested keys using dot notation). Example: --set=server.adminAPI.enabled=true

Logging

--log-level
string
default:"info"
Set the log level for the server. Options: debug, info, warn, error

Cerbos Hub Integration

--hub.deployment-id
string
Use Cerbos Hub to pull the policy bundle for the given deployment ID. This overrides the storage driver defined in the configuration. Can also be set via the CERBOS_HUB_DEPLOYMENT_ID environment variable.
--hub.playground-id
string
Use Cerbos Hub to pull the policy bundle for the given playground ID. This overrides the storage driver defined in the configuration. Can also be set via the CERBOS_HUB_PLAYGROUND_ID environment variable.
--hub-bundle
string
Legacy option to use Cerbos Hub to pull the policy bundle with the given label. This overrides the storage driver defined in the configuration. Can also be set via the CERBOS_HUB_BUNDLE or CERBOS_CLOUD_BUNDLE environment variables.

Debug

--debug-listen-addr
string
default:":6666"
Address to start the gops debugger listener on.

Examples

Start the server with default configuration

cerbos server

Start with Admin API enabled and SQLite storage

cerbos server \
  --set=server.adminAPI.enabled=true \
  --set=storage.driver=sqlite3 \
  --set=storage.sqlite3.dsn=':memory:'

Start with a custom configuration file

cerbos server --config=/path/to/config.yaml

Start with Cerbos Hub deployment

cerbos server --hub.deployment-id=YOUR_DEPLOYMENT_ID

Start with debug logging

cerbos server --log-level=debug

Multiple configuration overrides

cerbos server \
  --set=server.httpListenAddr=:3592 \
  --set=server.grpcListenAddr=:3593 \
  --set=server.adminAPI.enabled=true

Environment Variables

The following environment variables can be used as alternatives to command-line flags:
  • CERBOS_CONFIG - Path to configuration file
  • CERBOS_HUB_DEPLOYMENT_ID - Hub deployment ID
  • CERBOS_HUB_PLAYGROUND_ID - Hub playground ID
  • CERBOS_HUB_BUNDLE - Hub bundle label (legacy)
  • CERBOS_CLOUD_BUNDLE - Hub bundle label (legacy alias)

Configuration

The server requires a configuration file (defaults to .cerbos.yaml in the current directory). The configuration file defines:
  • Server settings (HTTP/gRPC ports, TLS, etc.)
  • Storage backend (disk, git, blob storage, database, Hub)
  • Schema validation settings
  • Audit logging configuration
  • And more
You can override any configuration value using the --set flag without modifying the configuration file.
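
Because --set changes the effective configuration without touching the reviewed file, a launch script can check its own arguments first. The script below is an added example, not part of Cerbos: the function names are hypothetical, the choice of which overrides to flag is this example's assumption, and only the --flag=value form shown on this page is parsed.

```shell
#!/usr/bin/env bash
# Added example (not part of Cerbos): review `cerbos server` arguments before launch.
# Which settings deserve review is this example's assumption, not a Cerbos rule.

# An address with an empty host, such as ":3592", binds every interface.
binds_all_interfaces() {
  case "$1" in
    :*|0.0.0.0:*|\[::\]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints one line per finding; returns 1 if anything was flagged, else 0.
audit_cerbos_args() {
  local arg kv key val flagged=0
  for arg in "$@"; do
    case "$arg" in
      --set=*)
        kv=${arg#--set=}
        key=${kv%%=*}   # text before the first "=" is the dotted key
        val=${kv#*=}    # everything after it is the value
        case "$key" in
          server.adminAPI.enabled)
            if [ "$val" = "true" ]; then
              echo "REVIEW $key: Admin API enabled by override"; flagged=1
            fi ;;
          server.httpListenAddr|server.grpcListenAddr)
            if binds_all_interfaces "$val"; then
              echo "REVIEW $key: $val listens on all interfaces"; flagged=1
            fi ;;
          storage.sqlite3.dsn)
            if [ "$val" = ":memory:" ]; then
              echo "REVIEW $key: in-memory database, contents lost on restart"; flagged=1
            fi ;;
        esac ;;
      --debug-listen-addr=*)
        val=${arg#--debug-listen-addr=}
        if binds_all_interfaces "$val"; then
          echo "REVIEW debug-listen-addr: gops listener on all interfaces"; flagged=1
        fi ;;
    esac
  done
  return "$flagged"
}

# Constructed sample: the overrides from the SQLite example on this page.
audit_cerbos_args --set=server.adminAPI.enabled=true \
  --set=storage.driver=sqlite3 --set=storage.sqlite3.dsn=:memory: || true
```

In a wrapper, run audit_cerbos_args "$@" before handing the same arguments to cerbos server, and stop or ask for confirmation when it returns non-zero.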