
OpenID AuthZEN–compliant PDP

Interoperable JSON decisions for gateways and services. EmpowerNow extensions add constraints, obligations, and TTL.

Figure: visual representation of policy decision architecture with structured governance layers.

Why it wins

AuthZEN interop: one decision contract across apps/PEPs

AI Agent guardrails: Budget 402, streaming caps, egress/model allow‑lists

Hybrid ReBAC + ABAC via Membership Service PIP

Explainable decisions + signed receipts

How it works

Subject/Resource/Action/Context → PDP → Decision. PEPs enforce constraints (sync) and obligations (async). Batch multiple checks in one call for faster pages and smoother agent runs. Deploy once to gateways/services; adopt incrementally via a PDP facade and PEP middleware.

What it is

A standards‑credible authorization brain that evaluates ABAC + relationships and returns AuthZEN‑style decisions. EmpowerNow decision extensions add constraints (sync guardrails) and obligations (async actions) so gateways and services can enforce consistently.

What you get

  • Cost control for AI agents: stop runaway spend (HTTP 402), cap tokens, restrict models/egress
  • Fewer bespoke integrations: one JSON decision contract across PEPs and vendors
  • Faster delegated flows: model human↔human and human↔agent delegations once; reuse everywhere
  • Audit confidence: signed, hash‑chained receipts and human‑readable reasons

Why it's unique

  • Graph‑anchored ABAC: policy logic in YAML via Policy nodes; fast‑moving edge constraints (budget, trust, expiry) live in graph
  • Hybrid ReBAC + ABAC: delegations, teams, ownership from the Membership Service (Neo4j) without role explosion
  • Delegation kits: human↔human and human↔agent OBO with spend caps, trust levels, expiry, consent
  • AuthZEN interop: decision exchange aligned to the OpenID WG; extensions (constraints/obligations/TTL) are product‑level
  • Plan/schema pinning: deny off‑plan tool calls and catch schema drift pre‑exec (MCP Gateway)
  • Proof by receipts: signed, hash‑chained receipts for audit and chargeback

See it

Batch decisions = fewer round‑trips, lower latency.

Send multiple checks in one call for faster pages and smoother agent runs.

Graph‑Anchored ABAC (diagram)

Patent‑pending hybrid: ReBAC speed + ABAC expressiveness. The innovation: policies ARE graph nodes WITH pointers to ABAC documents.

  • Traditional ABAC: flat policy lookup (no relationships = no context); external policy store only (separate DB query per decision); limited expressiveness (can't leverage graph topology)
  • Graph‑anchored ABAC: graph traversal first (relationships provide context); policies IN graph + pointers (single query, rich rules); best of both worlds (speed + expressiveness)

Steps shown in the diagram:

  • Step 1, graph layer (ReBAC): fast relationship traversal over the identity topology in Neo4j; example nodes Patrick, AITravel and Flight linked by DELEGATES_TO and HAS_CAPABILITY edges
  • Step 2, policy anchor layer: Policy nodes embedded IN the graph; each node points to external ABAC documents and enables conflict resolution
  • Step 3, attribute layer (ABAC): external, version‑controlled policy documents with rich rules, e.g. budget.yaml (spend_cap: $3000, remaining: $2280), service.yaml (airlines: [AA, UA], class: economy), audit.yaml (obligations: - log_access)
  • Step 4, merge policies → conflict resolution → decision: hierarchical policy merge with precedence rules yields the final authorization decision

Patent claim (as stated in the diagram): policies embedded AS first‑class graph nodes + pointers to external ABAC = graph traversal speed + policy expressiveness.

AuthZEN compliance

Compatible with AuthZEN decision exchange across PDP/PEP/PIP/PAP. We keep ABAC; you adopt interoperable JSON. EmpowerNow adds decision extensions (constraints, obligations, TTL) for practical enforcement.

Note: Extensions are product‑level and not part of the current AuthZEN spec.

AI Agent governance

  • Budget holds and settle; HTTP 402 upgrade CTA
  • Model routing to mini; streaming token caps
  • Egress/model allow‑lists; consent obligations at issuance

Decision example (EmpowerNow extensions)


{
  "decision": "Permit",
  "ttl": 3000,
  "constraints": {
    "models_allow": ["gpt-4o-mini"],
    "egress_allow": ["*.example.com"],
    "stream_tokens_max": 2048
  },
  "obligations": [
    { "type": "budget_hold", "limit_usd": 2.00, "call_id": "abc-123" }
  ],
  "reasons": ["policy:agent.tools.invoke"]
}
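The split the page describes (constraints enforced synchronously by the PEP, obligations handled asynchronously, ttl bounding reuse) as a toy PEP in Python. This is an added example, not EmpowerNow's own middleware: field names come from the decision above, while the call shape, the fail‑closed handling of unknown constraints and the ttl unit (milliseconds) are assumptions.

```python
"""Toy PEP enforcing an AuthZEN-style decision with EmpowerNow-style
extensions: constraints are checked synchronously, obligations are queued
for asynchronous handling, and ttl bounds reuse of a cached decision.
Example code, not the product's own; field names come from the decision
above, the call shape and the ttl unit (milliseconds) are assumptions."""
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed copy of the decision shown on the page.
DECISION = {
    "decision": "Permit",
    "ttl": 3000,
    "constraints": {
        "models_allow": ["gpt-4o-mini"],
        "egress_allow": ["*.example.com"],
        "stream_tokens_max": 2048,
    },
    "obligations": [{"type": "budget_hold", "limit_usd": 2.00, "call_id": "abc-123"}],
    "reasons": ["policy:agent.tools.invoke"],
}

def check_constraints(decision, call):
    """Sync guardrails: every constraint must hold, and a constraint this PEP
    does not understand is a deny (fail closed)."""
    if decision.get("decision") != "Permit":
        return False, ["decision:" + str(decision.get("decision"))]
    failures = []
    for key, value in decision.get("constraints", {}).items():
        if key == "models_allow" and call["model"] not in value:
            failures.append(f"model {call['model']!r} not allowed")
        elif key == "egress_allow":
            host = urlparse(call["egress_url"]).hostname or ""
            if not any(fnmatch(host, pat) for pat in value):
                failures.append(f"egress host {host!r} not allowed")
        elif key == "stream_tokens_max" and call["max_tokens"] > value:
            failures.append(f"max_tokens {call['max_tokens']} > {value}")
        elif key not in ("models_allow", "stream_tokens_max"):
            failures.append(f"unknown constraint {key!r}")
    return not failures, failures

def queue_obligations(decision, queue):
    """Async side: obligations go to a worker queue (a list here) tagged with
    the decision's reasons, so enforcement latency stays flat and auditable."""
    for ob in decision.get("obligations", []):
        queue.append(dict(ob, reasons=decision.get("reasons", [])))
    return len(queue)

def is_fresh(decision, issued_at_ms, now_ms):
    """A cached decision may be reused only within its ttl."""
    return now_ms - issued_at_ms < decision.get("ttl", 0)
```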

Hybrid ReBAC with Membership Service

Combine ABAC attributes with relationship edges (delegations, teams, ownership) from the Neo4j‑backed Membership Service PIP for dynamic, auditable access.

Relationship data shape


{
  "relationships": [
    { "type": "member_of_team", "subject": "user_123", "object": "team_finance" },
    { "type": "delegates_to", "subject": "manager_9", "object": "user_123", "capabilities": ["approve"], "status": "active" }
  ]
}
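How relationship edges of this shape can feed a decision alongside an ABAC attribute, as a toy evaluator in Python. This is an added example, not the Membership Service or the PDP itself: the request shape (subject/resource/action/context), the owner_team attribute and the permit rules are assumptions; only the relationship records are taken from the page.

```python
"""Toy hybrid ReBAC + ABAC evaluation over the relationship shape above:
relationship edges come from a PIP (the Membership Service in the text), the
resource's owning team is an ABAC attribute. Example code, not the product's
own; the request shape (subject/resource/action/context), the owner_team
attribute and the rules are assumptions."""

# Constructed copy of the relationship data shown on the page.
PIP = {
    "relationships": [
        {"type": "member_of_team", "subject": "user_123", "object": "team_finance"},
        {"type": "delegates_to", "subject": "manager_9", "object": "user_123",
         "capabilities": ["approve"], "status": "active"},
    ]
}

def teams_of(pip, subject):
    """Teams the subject is a member of (ReBAC edge member_of_team)."""
    return {r["object"] for r in pip["relationships"]
            if r["type"] == "member_of_team" and r["subject"] == subject}

def active_delegations(pip, delegate):
    """(delegator, capability) pairs granted to `delegate`; delegations whose
    status is not 'active' (expired, revoked, pending) confer nothing."""
    return {(r["subject"], cap) for r in pip["relationships"]
            if r["type"] == "delegates_to" and r["object"] == delegate
            and r.get("status") == "active"
            for cap in r.get("capabilities", [])}

def decide(pip, request):
    """Permit when the subject belongs to the resource's owning team (ABAC
    attribute matched against a ReBAC edge) and, if acting on behalf of
    someone else, holds an active delegation for the requested action.
    Returns an AuthZEN-style decision with human-readable reasons."""
    subject, action = request["subject"], request["action"]
    owner_team = request["resource"]["owner_team"]
    if owner_team not in teams_of(pip, subject):
        return {"decision": "Deny", "reasons": [f"rebac:not_member_of:{owner_team}"]}
    reasons = [f"rebac:member_of:{owner_team}"]
    principal = request.get("context", {}).get("on_behalf_of")
    if principal and principal != subject:
        if (principal, action) not in active_delegations(pip, subject):
            return {"decision": "Deny",
                    "reasons": reasons + [f"rebac:no_active_delegation:{principal}:{action}"]}
        reasons.append(f"rebac:delegated_by:{principal}:{action}")
    return {"decision": "Permit", "reasons": reasons}
```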

Proof

  • Explainable decisions with reasons; every action emits a signed receipt
  • Budget/content/params enforced via constraints and obligations
  • Integrates with Membership Service (ReBAC) and Inventory/Search as PIPs

Integrations

Works with your gateways, LLM providers, and data plane.

  • Gateways: Envoy / Istio ext_authz, NGINX / Traefik
  • LLM providers: OpenAI / Azure OpenAI / Anthropic / Vertex AI
  • Data plane: Redis / Kafka / ClickHouse
  • Relationships: Neo4j Membership Service

Is this for me?

  • Platform teams: standardize decisions across gateways and services
  • Security architects: budgets/egress/models; explainability + receipts
  • App teams: one middleware; fewer roles via delegations and ownership

Compatible with AuthZEN decision exchange; EmpowerNow decision extensions (constraints, obligations, TTL) enable practical enforcement.

Demo scenarios:

  • AI chat budget 402: safe stop + upgrade CTA
  • Off‑plan tool deny: plan step mismatch

Read more

  • What is AuthZEN? Understand decisions, constraints and obligations.
  • Constraints & Obligations: how PDP returns enforceable constraints with decisions.
  • Explainability: expose why a decision happened for audits and UX.
  • Delegated Authorization: model relationships and delegations for business context.


Compare

  • OPA/Cerbos: no standard AuthZEN envelope (constraints/obligations/TTL) or conservative merge
  • AWS AVP: managed PDP; Cedar allow/forbid model without AuthZEN response semantics
  • Envoy/Istio: excellent PEPs; decision contract depends on the PDP; AuthZEN provides explainability + obligations