PDP

OpenID AuthZEN–compliant PDP

Interoperable JSON decisions for gateways and services. EmpowerNow extensions add constraints, obligations, and TTL.

Audience: Platform Teams, Security Architects (and more; see "Is this for me?" below)
[Figure: policy decision architecture with structured governance layers]

Why it wins

  • AuthZEN interop: one decision contract across apps and PEPs
  • AI agent guardrails: budget stops via HTTP 402, streaming token caps, egress and model allow‑lists
  • Hybrid ReBAC + ABAC via the Membership Service PIP
  • Explainable decisions and signed receipts

How it works

The PEP sends subject, resource, action and context to the PDP and receives a decision. PEPs enforce constraints synchronously (before the request proceeds) and obligations asynchronously (alongside or after it). Multiple checks can be batched in one call for faster pages and smoother agent runs. Deploy once at gateways or services, and adopt incrementally behind a PDP facade and PEP middleware.

What it is

An authorization engine, aligned with the AuthZEN standard, that evaluates ABAC attributes together with relationships and returns AuthZEN‑style decisions. EmpowerNow decision extensions add constraints (synchronous guardrails) and obligations (asynchronous actions) so gateways and services enforce consistently.

What you get

  • Cost control for AI agents: stop runaway spend (HTTP 402), cap tokens, restrict models and egress
  • Fewer bespoke integrations: one JSON decision contract across PEPs and vendors
  • Faster delegated flows: model human↔human and human↔agent delegations once; reuse them everywhere
  • Audit confidence: signed, hash‑chained receipts and human‑readable reasons

Why it's unique

  • Graph‑anchored ABAC: policy logic in YAML via Policy nodes; fast‑moving edge constraints (budget, trust, expiry) live in the graph
  • Hybrid ReBAC + ABAC: delegations, teams and ownership come from the Membership Service (Neo4j) without role explosion
  • Delegation kits: human↔human and human↔agent on‑behalf‑of (OBO) with spend caps, trust levels, expiry and consent
  • AuthZEN interop: decision exchange aligned to the OpenID WG; the extensions (constraints, obligations, TTL) are product‑level
  • Plan/schema pinning: deny tool calls that are off the approved plan and catch schema drift before execution (MCP Gateway)
  • Proof by receipts: signed, hash‑chained receipts for audit and chargeback

See it

Batch decisions = fewer round‑trips, lower latency.

Send multiple checks in one call for faster pages and smoother agent runs.

[Figure: Graph-Anchored ABAC, a patent-pending hybrid of ReBAC speed and ABAC expressiveness]

The innovation: policies ARE graph nodes, with pointers to ABAC documents.

Traditional ABAC versus graph-anchored ABAC:
  • Traditional ABAC: flat policy lookup (no relationships, so no context); external policy store only (a separate DB query per decision); limited expressiveness (cannot leverage graph topology)
  • Graph-anchored ABAC: graph traversal first (relationships provide context); policies in the graph plus pointers (single query, rich rules); speed and expressiveness together

Step 1, graph layer (ReBAC): fast relationship traversal over the identity topology in Neo4j (the figure shows Patrick, AITravel and Flight nodes joined by DELEGATES_TO and HAS_CAPABILITY edges).
Step 2, policy anchor layer: policy nodes are embedded in the graph; each node points to external ABAC documents, which also enables conflict resolution.
Step 3, attribute layer (ABAC): external, version-controlled policy documents hold the rich rules, for example budget.yaml (spend_cap: $3000, remaining: $2280), service.yaml (airlines: [AA, UA], class: economy) and audit.yaml (obligations: [log_access]).
Step 4, merge policies → conflict resolution → decision: a hierarchical policy merge with precedence rules produces the final authorization decision.

Patent claim (as stated in the figure): policies embedded as first-class graph nodes plus pointers to external ABAC documents, combining graph traversal speed with policy expressiveness.

AuthZEN compliance

Compatible with AuthZEN decision exchange across PDP/PEP/PIP/PAP. We keep ABAC; you adopt interoperable JSON. EmpowerNow adds decision extensions (constraints, obligations, TTL) for practical enforcement.

Note: Extensions are product‑level and not part of the current AuthZEN spec.

AI Agent governance

  • Budget hold and settle; on exhaustion, an HTTP 402 stop with an upgrade call to action
  • Model routing to smaller ("mini") models; streaming token caps
  • Egress and model allow‑lists; consent obligations attached at token issuance

Decision example (EmpowerNow extensions)


{
  "decision": "Permit",
  "ttl": 3000,
  "constraints": {
    "models_allow": ["gpt-4o-mini"],
    "egress_allow": ["*.example.com"],
    "stream_tokens_max": 2048
  },
  "obligations": [
    { "type": "budget_hold", "limit_usd": 2.00, "call_id": "abc-123" }
  ],
  "reasons": ["policy:agent.tools.invoke"]
}
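The decision above only helps if the PEP enforces it the way "How it works" describes: constraints checked synchronously before the call proceeds, obligations handed to handlers, and the decision cached no longer than its TTL. The following is an added example of such a PEP, not code from EmpowerNow or its PDP. It embeds the decision document from this page, and assumes a hypothetical hold/settle budget ledger (`BudgetLedger`), that `ttl` is in milliseconds (the page does not state the unit), and that an obligation the PEP has no handler for is a hard failure rather than something to skip.

```python
import fnmatch
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Dict

from urllib.parse import urlparse

# The decision document from the page, embedded so the example runs offline.
DECISION: Dict[str, Any] = {
    "decision": "Permit",
    "ttl": 3000,
    "constraints": {
        "models_allow": ["gpt-4o-mini"],
        "egress_allow": ["*.example.com"],
        "stream_tokens_max": 2048,
    },
    "obligations": [{"type": "budget_hold", "limit_usd": 2.00, "call_id": "abc-123"}],
    "reasons": ["policy:agent.tools.invoke"],
}


class PolicyViolation(Exception):
    """Raised when enforcement fails; `status` is the HTTP status the PEP should return."""

    def __init__(self, status: int, reason: str) -> None:
        super().__init__(reason)
        self.status = status
        self.reason = reason


class BudgetLedger:
    """Hypothetical hold/settle budget: a hold reserves the limit, settle returns the unused part."""

    def __init__(self, remaining_usd: float) -> None:
        self.remaining_usd = remaining_usd
        self.holds: Dict[str, float] = {}

    def hold(self, obligation: Dict[str, Any]) -> None:
        limit = float(obligation["limit_usd"])
        if limit > self.remaining_usd:
            # Budget exhausted: the "safe stop" surfaced as HTTP 402 Payment Required.
            raise PolicyViolation(402, "budget exhausted; upgrade required")
        self.remaining_usd -= limit
        self.holds[obligation["call_id"]] = limit

    def settle(self, call_id: str, actual_usd: float) -> float:
        held = self.holds.pop(call_id)
        self.remaining_usd += held - actual_usd
        return self.remaining_usd


@dataclass
class CachedDecision:
    decision: Dict[str, Any]
    expires_at: float


@dataclass
class Pep:
    obligation_handlers: Dict[str, Callable[[Dict[str, Any]], None]]
    ttl_unit_seconds: float = 0.001          # assumption: ttl is in milliseconds
    clock: Callable[[], float] = time.monotonic
    cache: Dict[str, CachedDecision] = field(default_factory=dict)

    def get_decision(self, key: str, fetch: Callable[[], Dict[str, Any]]) -> Dict[str, Any]:
        """Serve a cached decision while its TTL holds; otherwise call the PDP via `fetch`."""
        now = self.clock()
        entry = self.cache.get(key)
        if entry is not None and entry.expires_at > now:
            return entry.decision
        decision = fetch()
        self.cache[key] = CachedDecision(decision, now + float(decision.get("ttl", 0)) * self.ttl_unit_seconds)
        return decision

    def enforce(self, decision: Dict[str, Any], model: str, egress_url: str, stream_tokens: int) -> bool:
        """Apply one decision to one agent call. Constraints fail closed; obligations then run."""
        if decision.get("decision") != "Permit":
            raise PolicyViolation(403, "; ".join(decision.get("reasons", ["denied"])))
        c = decision.get("constraints", {})
        if "models_allow" in c and model not in c["models_allow"]:
            raise PolicyViolation(403, f"model {model!r} not in models_allow")
        host = urlparse(egress_url).hostname or ""   # empty host (e.g. file://) never matches
        if "egress_allow" in c and not any(fnmatch.fnmatchcase(host, p) for p in c["egress_allow"]):
            raise PolicyViolation(403, f"egress host {host!r} not in egress_allow")
        if "stream_tokens_max" in c and stream_tokens > c["stream_tokens_max"]:
            raise PolicyViolation(403, f"stream_tokens {stream_tokens} exceeds {c['stream_tokens_max']}")
        for ob in decision.get("obligations", []):
            handler = self.obligation_handlers.get(ob["type"])
            if handler is None:
                # An obligation nobody can honour must not be silently dropped.
                raise PolicyViolation(500, f"no handler for obligation {ob['type']!r}")
            handler(ob)
        return True
```

Two design points worth keeping in a real PEP: the egress check matches the parsed hostname rather than the raw URL string, so `https://api.example.com.attacker.net/` or a URL with userinfo tricks does not slip through a `*.example.com` pattern; and the budget hold is placed before the LLM call and settled after it, so a concurrent burst of calls cannot overshoot the cap the way a post-hoc spend check would.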

Hybrid ReBAC with Membership Service

Combine ABAC attributes with relationship edges (delegations, teams, ownership) from the Neo4j‑backed Membership Service PIP for dynamic, auditable access.

Relationship data shape


{
  "relationships": [
    { "type": "member_of_team", "subject": "user_123", "object": "team_finance" },
    { "type": "delegates_to", "subject": "manager_9", "object": "user_123", "capabilities": ["approve"], "status": "active" }
  ]
}
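To make the hybrid evaluation concrete, here is an added example (not EmpowerNow code, and not the PDP's actual algorithm) that walks the four layers of the Graph-Anchored ABAC figure over the relationship data shape above: delegation and team-membership edges first, then the budget/service/audit documents as ABAC rules, then a merge. It also shows the batch form from "See it", returning one decision per request from a single call. Assumptions: `POLICIES` is a dict rendering of the three YAML files named in the figure, the request shape is subject/resource/action/context as in "How it works", `on_behalf_of` in the context names the delegator, and conflict resolution is deny-overrides; none of those details are specified on the page.

```python
from typing import Any, Dict, List, Set

# Constructed sample data: RELATIONSHIPS copies the relationship data shape above;
# POLICIES mirrors budget.yaml / service.yaml / audit.yaml from the figure.
RELATIONSHIPS: List[Dict[str, Any]] = [
    {"type": "member_of_team", "subject": "user_123", "object": "team_finance"},
    {"type": "delegates_to", "subject": "manager_9", "object": "user_123",
     "capabilities": ["approve"], "status": "active"},
]
POLICIES: Dict[str, Dict[str, Any]] = {
    "budget.yaml": {"spend_cap": 3000, "remaining": 2280},
    "service.yaml": {"airlines": ["AA", "UA"], "class": "economy"},
    "audit.yaml": {"obligations": ["log_access"]},
}


def is_member(rels: List[Dict[str, Any]], subject_id: str, team_id: str) -> bool:
    return any(r["type"] == "member_of_team" and r["subject"] == subject_id
               and r["object"] == team_id for r in rels)


def delegated_capabilities(rels: List[Dict[str, Any]], delegator: str, delegate: str) -> Set[str]:
    """Capabilities flowing along *active* delegates_to edges (step 1, graph layer).
    Revoked or expired edges are present in the graph but grant nothing."""
    caps: Set[str] = set()
    for r in rels:
        if (r["type"] == "delegates_to" and r["subject"] == delegator
                and r["object"] == delegate and r.get("status") == "active"):
            caps.update(r.get("capabilities", []))
    return caps


def evaluate(req: Dict[str, Any], rels=RELATIONSHIPS, policies=POLICIES) -> Dict[str, Any]:
    """One subject/resource/action/context check; deny-overrides merge (assumption)."""
    subject, resource, action = req["subject"]["id"], req["resource"], req["action"]["name"]
    ctx = req.get("context", {})
    reasons: List[str] = []
    denies: List[str] = []

    # Step 1: graph layer. Acting on behalf of someone needs an active delegation for this action.
    obo = ctx.get("on_behalf_of")
    if obo is not None:
        if action in delegated_capabilities(rels, obo, subject):
            reasons.append(f"delegation:{obo}->{subject}:{action}")
        else:
            denies.append(f"no active delegation from {obo} to {subject} for {action}")
    owner_team = resource.get("owner_team")
    if owner_team is not None:
        if is_member(rels, subject, owner_team):
            reasons.append(f"team:{owner_team}")
        else:
            denies.append(f"{subject} is not a member of {owner_team}")

    # Steps 2-3: the policy-node pointers resolve to these documents; apply their rules.
    budget = policies["budget.yaml"]
    amount = float(ctx.get("amount_usd", 0))
    if amount > budget["remaining"]:
        denies.append(f"budget.yaml: {amount} exceeds remaining {budget['remaining']}")
    else:
        reasons.append("policy:budget.yaml")
    svc = policies["service.yaml"]
    if resource["type"] == "flight_booking":
        if resource.get("airline") not in svc["airlines"] or resource.get("class") != svc["class"]:
            denies.append("service.yaml: airline or class not allowed")
        else:
            reasons.append("policy:service.yaml")

    # Step 4: merge. Any deny wins; a permit carries constraints and obligations for the PEP.
    if denies:
        return {"decision": "Deny", "reasons": denies}
    return {
        "decision": "Permit",
        "constraints": {"spend_remaining_usd": budget["remaining"] - amount,
                        "airlines_allow": list(svc["airlines"])},
        "obligations": [{"type": o} for o in policies["audit.yaml"]["obligations"]],
        "reasons": reasons,
    }


def evaluate_batch(reqs: List[Dict[str, Any]], rels=RELATIONSHIPS, policies=POLICIES) -> List[Dict[str, Any]]:
    """Batch form: one call, one decision per request, in request order."""
    return [evaluate(r, rels, policies) for r in reqs]
```

Note that a Deny returns every failing reason rather than the first one, which is what makes the decision explainable to an auditor ("not a team member" and "no active delegation" are different incidents), while the Permit's reasons list the edges and documents that granted it.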

Proof

  • Explainable decisions with reasons; every action emits a signed receipt
  • Budget, content and parameters are enforced through constraints and obligations
  • Integrates with the Membership Service (ReBAC) and Inventory/Search as PIPs
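"Signed, hash-chained receipts" (claimed here and under "Why it's unique") is a specific, checkable property: each receipt commits to the hash of the previous one and carries a signature, so an auditor can detect an edited, reordered or deleted receipt and a chargeback total can be trusted. The following is an added example of that structure, not EmpowerNow's receipt format or signing scheme, which the page does not describe. It uses HMAC-SHA256 so it runs with the standard library alone; a production deployment would use an asymmetric signature (Ed25519 or similar) so that auditors can verify receipts without holding the signing key. The event records are constructed to mirror the call `abc-123` from the decision example.

```python
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64   # prev_hash of the first receipt


def canonical(obj: Any) -> bytes:
    """Deterministic JSON encoding, so the same receipt always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class ReceiptChain:
    """Append-only receipts; each commits to the previous hash and is signed."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.receipts: List[Dict[str, Any]] = []

    def append(self, event: Dict[str, Any]) -> Dict[str, Any]:
        prev_hash = self.receipts[-1]["hash"] if self.receipts else GENESIS
        body = {"seq": len(self.receipts), "prev_hash": prev_hash, "event": event}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        receipt = {**body, "hash": digest, "sig": sig}
        self.receipts.append(receipt)
        return receipt


def verify_chain(receipts: List[Dict[str, Any]], key: bytes) -> Optional[int]:
    """Return None if every link and signature checks out, else the index of the first bad
    receipt. Catches edits, reordering, deletions and receipts signed with another key."""
    prev_hash = GENESIS
    for i, r in enumerate(receipts):
        body = {"seq": r["seq"], "prev_hash": r["prev_hash"], "event": r["event"]}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        expected_sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if (r["seq"] != i or r["prev_hash"] != prev_hash or digest != r["hash"]
                or not hmac.compare_digest(expected_sig, r["sig"])):
            return i
        prev_hash = digest
    return None


def chargeback(receipts: List[Dict[str, Any]]) -> Dict[str, float]:
    """Settled spend per tenant from budget_settle events; run only on a verified chain."""
    totals: Dict[str, float] = defaultdict(float)
    for r in receipts:
        ev = r["event"]
        if ev.get("type") == "budget_settle":
            totals[ev["tenant"]] += float(ev["cost_usd"])
    return dict(totals)


def build_sample_chain(key: bytes) -> ReceiptChain:
    """Constructed sample: the decision, its budget hold and the settle for call abc-123."""
    chain = ReceiptChain(key)
    chain.append({"type": "decision", "call_id": "abc-123", "tenant": "acme",
                  "decision": "Permit", "reasons": ["policy:agent.tools.invoke"]})
    chain.append({"type": "budget_hold", "call_id": "abc-123", "tenant": "acme", "limit_usd": 2.00})
    chain.append({"type": "budget_settle", "call_id": "abc-123", "tenant": "acme", "cost_usd": 1.25})
    return chain
```

The verifier deliberately reports the first failing index rather than a bare boolean: in an incident that tells you which receipt, and therefore which call, the evidence stops being trustworthy at.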

Integrations

Works with your gateways, LLM providers, and data plane.

  • Gateways: Envoy / Istio ext_authz, NGINX, Traefik
  • LLM providers: OpenAI, Azure OpenAI, Anthropic, Vertex AI
  • Data plane: Redis, Kafka, ClickHouse
  • Relationships: Neo4j Membership Service

Is this for me?

  • Platform teams: standardize decisions across gateways and services
  • Security architects: budget, egress and model controls; explainability and receipts
  • App teams: one middleware; fewer roles via delegations and ownership


Demos

  • AI chat budget 402: safe stop plus upgrade CTA
  • Off‑plan tool deny: plan step mismatch


Read more

  • What is AuthZEN? Understand decisions, constraints and obligations.
  • Constraints & Obligations: how the PDP returns enforceable constraints with decisions.
  • Explainability: expose why a decision happened, for audits and UX.
  • Delegated Authorization: model relationships and delegations for business context.


Compare

  • OPA / Cerbos: no AuthZEN decision envelope, and no constraints/obligations/TTL extensions or conservative merge of decisions
  • AWS AVP (Amazon Verified Permissions): managed PDP; Cedar's allow/forbid model, without AuthZEN response semantics
  • Envoy / Istio: excellent PEPs, but the decision contract depends on the PDP behind them; an AuthZEN‑style decision with the EmpowerNow extensions adds explainability and obligations