Authorization as a service for your Node.js apps

const { jwtAuthz } = require("@aserto/aserto-node") const checkAuthz = jwtAuthz({ ... }) // ... app.get("/protectPath/:param", checkJwt, checkAuthz, async (req, res) => { ... } )
Technology logo

Fine-grained authorization in Node.js

Speak with an engineer

Authorization in Node.js

Node.js is a popular, open-source Javascript server runtime environment. Aserto is a powerful authorization-as-a-service platform that lets you add enterprise-grade role-based access control (RBAC) to your Node.js application in under a day. Quickstarts, a Node.js / Express.js SDK, and REST/gRPC APIs are available to help you get up and running.

Aserto helps you define, evolve, and enforce user permissions within your Node.js application. It’s simple to integrate, but powerful enough to support fine-grained access control, custom roles, and audit trails - all essential features for adoption within large customer organizations.

Built on trusted open-source projects like OPA and OCI, Aserto handles all the heavy lifting required to achieve secure, scalable, high-performance RBAC and attribute-based access control (ABAC).

Adding authorization to your Node.js application

Authorization should happen every time your application needs to access a protected resource on behalf of a user. To perform an authorization check, your application should call the Aserto Authorizer and pass user context (typically in the form of an access token), policy context, and resource context. The Aserto Authorizer uses the popular open-source OPA decision engine to quickly make an authorization decision based on this data. The decision returned should determine whether your application should pass or fail the request.

The Aserto Node.js SDK contains three capabilities that make it easy to add authorization to your application:

  1. A function called `is` which you can call with the user context, policy context, and resource context, and that returns an authorization decision.
  2. Middleware that can be added to an Express.js route, which calls the Aserto authorizer and will return an “access denied” response if the user isn’t authorized to perform the operation on that resource.
  3. A display state map for every operation, which your frontend (e.g. React) application can use to conditionally render UI based on the permissions of the current user.

Authorizer deployment options

Aserto runs a hosted authorizer as a service, which is great for development, since you don’t have to stand anything up to get started with adding authorization to your application.

For production deployments, you should deploy Aserto’s Edge Authorizer right next to your application, either as a sidecar or a microservice in the same cluster or subnet. Aserto’s control plane automatically syncs all of the user, resource, and policy data to the Edge Authorizer, so it is ready to make lightning-fast authorization decisions for your Node.js application.

Auditing authorization decisions

Aserto keeps record of every authorization decision in a decision log for easy auditing from the control plane. Decision logs can be streamed or batched up into your favorite log analysis tool. Aserto makes this data available to applications in two ways:

1. A set of bucket storage objects you can download

2. A near real-time data stream you can tap via the Aserto APIs or the Aserto CLI

The Edge Authorizer architecture

Authorization happens upon every request, so response time is critical. The Aserto Edge Authorizers are deployed as microservices or sidecars right next to your application to minimize latency and maximize availability, so your application is never dependent on the availability of a remote authorization service.

The Edge Authorizers make authorization decisions based on three important inputs:

1. Policies from your policy registry

2. Users, attributes, and roles from Identity provider, supplemented with application-specific information from the Aserto directory

3. Resource context passed by your application

Any changes made to your identity provider’s directory are automatically synchronized into the Aserto directory, so your authorization decisions are always up-to-date. Aserto pushes any updates to your Edge Authorizer in near real time. Alternatively, the system can be configured to update on an interval determined by the application administrator.

Leveraging the policy, user, and resource contexts, Aserto makes it easy to evolve your authorization from coarse-grained RBAC to fine-grained authorization using ABAC, Access-control lists (ACL), or a mix thereof to meet the needs of your enterprise customers as they evolve. Aserto allows you to build a strong authorization foundation once, and adapt your access control model over time to match your customers’ requirements.

Aserto also comes with the following benefits:

  • Out-of-the-box support for audit trails, custom roles, RBAC, ABAC, and ACL
  • A policy-as-code workflow to build, tag, push, version, and pull policy images (like docker images)
  • Integrations with your identity provider, artifact registry, logging system, and frontend framework of your choice.
  • Built on top of a trusted OSS policy engine, the Open Policy Agent (OPA)


  1. Node.js SDK
  2. Node.js quickstart
  3. A developer guide to adding authorization to a Node.js app
  4. Demonstrating several approaches to RBAC in Node.js
  5. Git repo with examples of different approaches of RBAC in Node.js
Built for developers with

David Kerber

VP of Technology

"Authorization involves really hard problems that I want experts to solve. We like to focus our internal engineering efforts on our customers and their problems. Aserto allows us to do just that, at a small fraction of the cost it would take to build and maintain it ourselves, not to mention the opportunity cost."

Mathias Biilmann Christensen

Co-founder & CEO, Netlify

"As millions of developers and businesses are adopting a Jamstack approach, most modern web applications involve multiple APIs and services. Aserto's promise of separating policies from code could radically simplify the implementation of authorization across the front-end UI and the larger world of back-end functions and endpoints."

Tom Preston-Werner

Co-founder, GitHub

"Building & managing an authorization/RBAC system is a huge pain, especially at enterprise scale. So stop! Aserto has a distributed, millisecond latency, 100% availability API for that. I'm excited to help as an angel investor!"


Authorization as easy as an API call

Speak with an engineer