The authorization layer for modern infrastructure.

One policy engine for every access decision — your users, your services, your AI agents. Ultra-low latency at the edge, deployable in five minutes.

Start free →View docs
<2ms
p95 edge latency · p99 <10ms
5 min
from install to first authorized call
100%
decisions logged and queryable
authzx-console · Audit
Recent decisions● live · 1,247 total
ALLOWagent:gpt-sum → doc:q4-reportread1.8ms
ALLOWuser:nora → workspace:acmeedit0.6ms
DENYagent:claude → vault:secretslist2.1ms
ALLOWservice:billing → invoice:*read0.4ms
ALLOWuser:engineering → repo:authzxpush1.2ms
P95 LATENCY
1.8ms
ALLOW RATE
94.3%
AGENTS
3 connected

Standards-conformant. Drop-in compatible with the stack you already use.

AuthZEN 1.0TerraformMCPSOC 2 (in progress)Dogfooded

Built for the agent era

AI agents now make more decisions than your users do.

AuthzX governs every decision your software makes — your users, your services, the AI agents acting on their behalf. One engine, one audit log, one place to debug when something gets denied at 2am.

For platforms

User & workspace authz

RBAC, ABAC, multi-tenancy, fine-grained permissions. Stop scattering if (user.role === "admin") across every controller.

workspace.member → doc:* → read
workspace.admin → user:* → invite
For services

Service-to-service authz

Replace token-passing chaos with policy-driven service identity. Every internal API call gated by the same engine.

service:billing → invoice:* → read
service:webhook → event:* → publish
For AI agents

Agent tool gating

Every MCP tool call checked against policy before execution. Task-scoped permissions with TTL. Agents can only do what you authorized. For as long as you authorized it.

agent:gpt-sum → doc:q4-* → read · ttl 10m
agent:claude → vault:* → DENY

How it works

From policy to production in minutes.

Write a policy, deploy the agent, and see decisions flow through the console.

Step 01

Write a policy

Define who can do what in Terraform or the dashboard. RBAC, ABAC, direct grants. Combine them in one policy.

resource "authzx_policy" "document_editor" {
  application_id = authzx_application.docs.id
  name           = "document_editor"
  effect         = "ALLOW"
  priority       = 50

  resources = [{
    resource_id = authzx_resource.q4_report.id
    actions     = ["read", "write"]
  }]
}
Step 02

Deploy the agent

Run the AuthzX Agent next to your app. It syncs policies from the cloud and evaluates locally in under 2ms.

# docker-compose.yml
services:
  authzx-agent:
    image: authzx/agent:latest
    environment:
      AUTHZX_API_KEY: ${AUTHZX_API_KEY}
    ports:
      - "8181:8181"
Step 03

Authorize every call

One API call from your app. Every decision logged with full context — subject, resource, action, matched policy.

POST http://localhost:8181/v1/authorize
{
  "subject": { "id": "user_42" },
  "resource": { "type": "document", "name": "q4_report" },
  "action": "read"
}

The platform

What authorization actually takes to get right.

Four pillars covering the full lifecycle: policy authoring, runtime decisions, observability, and developer experience.

Architecture

Runtime

Cloud-hosted policies, local agent for under 2ms decisions. Graceful degradation when the cloud is unreachable.

Local AuthzX Agent
Runs next to your app. Decisions in under 2ms on the warm path.
Data stays local
Policy decisions evaluated in your infrastructure, not ours. Sensitive access data never leaves your network.
Graceful degradation
Cached policy bundles keep authz running even when cloud is down.
MCP tool gating
Every AI agent tool invocation checked against policy before running.

Policy authoring

Authoring

Mix RBAC, ABAC, and direct grants in one policy. Author in Terraform or in the dashboard. AuthZEN-conformant out of the box.

RBAC + ABAC
Roles, attributes, direct grants. Combine them in a single policy.
Task-scoped permissions
Time-bound grants with TTL. Agents get only what they need, only when they need it.
AuthZEN 1.0 conformant
Drop-in compatible with any AuthZEN PEP. No translation layer.

Observability

Audit

Every decision logged with subject, resource, action, matched policy, and full context. Searchable in the dashboard, available during audits.

Full audit trail
Every decision captured with reasoning: users, services, and agents. Exportable for SOC 2.
Decision observability
Dashboards for allow/deny rates, latency, hotspots, anomalies.
Access checker
Test "can X do Y to Z?" against live policies. Debug step-by-step.

Developer experience

DX

Install the agent, grab a key, authorize your first call. Terraform-first, SDK-native, no framework to learn.

Terraform-first policy-as-code
Your authz lives in git, reviewed like the rest of your infra.
REST API + SDKs
TypeScript, Go, Python. Or hit /v1/authorize directly.
Five-minute setup
Install the agent, grab an API key, authorize your first call.

The non-negotiables

Authz your security team can defend.

Compliance

SOC 2 Type II in progress. Every decision logged with full context for audit response.

Performance

Under 2ms p95 at the local agent. No network hop for the hot path.

Dogfooded

Our admin dashboard runs on AuthzX. Every privileged action gated by the same engine you use. If it breaks for you, it breaks for us first.

Standards

AuthZEN 1.0 conformant. Terraform provider included. No vendor lock-in.