
Term · 27. Emerging Categories 2024-2026

AuthZEN

AuthZEN is an OpenID Foundation working group and emerging standard that defines a common API for externalized authorization — letting a policy enforcement point ask a policy decision point whether a subject may perform an action on a resource, over a standard interface. It aims to do for authorization what OIDC did for authentication: interoperability, so organizations can swap authorization engines without rewriting every application.

IDM/IGA Domain

Definition

OpenID Foundation working group standardising a uniform request/response API for authorization decisions across heterogeneous Policy Decision Points (PDPs). A Policy Enforcement Point (PEP) written once against the API can be pointed at any conforming authorization provider (implementations have been shown by vendors such as Auth0 FGA, Amazon Verified Permissions, Cerbos, OpenFGA and SGNL) without vendor lock-in. The Authorization API specification entered Implementer's Draft status in 2024.

Synonyms
  • AuthZEN — externalized authorization standard
Application
Standards body: OpenID Foundation (AuthZEN Working Group). AuthZEN is not an IETF RFC; it sits alongside the IETF standards commonly used for the authentication side of the same flows, e.g. RFC 6749 (OAuth 2.0) and RFC 7519 (JWT).
Standards & regulations
  • OpenID Foundation (AuthZEN)
  • IETF (RFC 6749, RFC 7519)

Frequently asked questions

What problem does AuthZEN solve?

Authorization today is fragmented — every vendor has its own API. AuthZEN standardizes the request and response between enforcement and decision points, so applications and policy engines from different vendors can interoperate.

What is externalized authorization?

It means moving access decisions out of application code into a dedicated policy engine (PDP). The application (PEP) sends a query describing the subject, the action and the resource (plus optional context such as time or request attributes) and gets an allow or deny decision back. This centralizes policy, improves consistency across applications and makes auditing easier, because every decision is made and logged in one place.
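To make the PEP/PDP exchange concrete, here is an added example; it is mine, not code from the AuthZEN working group or from any of the vendors named above. The request and response field names follow the AuthZEN 1.0 evaluation API (subject, action, resource and optional context in; a boolean decision with optional context out), and the endpoint path constant is the one the specification uses. Everything else is constructed for illustration: the in-process PDP, its role and ownership tables, the user names and the reason strings. The PEP takes the PDP as a callable so the engine can be swapped without touching application code, and it treats anything other than a literal boolean true as deny, which is the fail-closed behaviour you want when the decision point is replaceable.

```python
"""Minimal AuthZEN-style PEP/PDP exchange, run in-process (no network needed)."""
from __future__ import annotations

import json
from typing import Callable

# Single-decision endpoint defined by the AuthZEN 1.0 Authorization API.
EVALUATION_PATH = "/access/v1/evaluation"

# Constructed sample policy data (not from any real deployment).
ROLES = {"alice": {"analyst"}, "bob": {"viewer"}}
# (resource type, action name) -> roles permitted to perform it
RULES = {
    ("report", "can_read"): {"viewer", "analyst"},
    ("report", "can_delete"): {"analyst"},
}
# "type:id" -> owning subject id; an owner may perform any action on its resource
OWNERS = {"report:42": "bob"}


def build_evaluation_request(subject_id: str, action: str, resource_type: str,
                             resource_id: str, context: dict | None = None) -> dict:
    """Shape a request the way the evaluation API expects it."""
    req = {
        "subject": {"type": "user", "id": subject_id},
        "action": {"name": action},
        "resource": {"type": resource_type, "id": resource_id},
    }
    if context:
        req["context"] = dict(context)
    return req


def validate_request(req: dict) -> None:
    """Reject a request that lacks any field the evaluation API requires."""
    required = (("subject", "type"), ("subject", "id"), ("action", "name"),
                ("resource", "type"), ("resource", "id"))
    for section, key in required:
        value = req.get(section, {}).get(key) if isinstance(req.get(section), dict) else None
        if not isinstance(value, str) or not value:
            raise ValueError(f"missing {section}.{key}")


def local_pdp(body: bytes) -> bytes:
    """Toy PDP: parse the JSON request, apply ROLES/RULES/OWNERS, return a JSON response.
    A bad request is answered with decision=false rather than an exception."""
    try:
        req = json.loads(body)
        validate_request(req)
    except (ValueError, TypeError, AttributeError) as exc:
        return json.dumps({"decision": False,
                           "context": {"reason": f"bad request: {exc}"}}).encode()
    subject_id = req["subject"]["id"]
    action = req["action"]["name"]
    res = req["resource"]
    if OWNERS.get(f"{res['type']}:{res['id']}") == subject_id:
        allowed, reason = True, "owner"
    else:
        permitted = RULES.get((res["type"], action), set())
        allowed = bool(ROLES.get(subject_id, set()) & permitted)
        reason = "role match" if allowed else "no matching rule"
    return json.dumps({"decision": allowed, "context": {"reason": reason}}).encode()


def pep_is_permitted(pdp: Callable[[bytes], bytes], req: dict) -> tuple[bool, str]:
    """Enforce a decision from whichever PDP is wired in; fail closed on anything odd.
    Returns (allowed, reason) so the caller can log the reason for auditing."""
    validate_request(req)  # never send a malformed query to the decision point
    try:
        resp = json.loads(pdp(json.dumps(req).encode()))
    except (ValueError, TypeError):
        return False, "pdp returned unparsable response"
    if not isinstance(resp, dict):
        return False, "pdp returned non-object response"
    reason = str((resp.get("context") or {}).get("reason", ""))
    # Absent, null, a string "true" or any other non-boolean value all mean deny.
    if resp.get("decision") is not True:
        return False, reason or "denied"
    return True, reason or "allowed"


if __name__ == "__main__":
    for who, act, rid in [("alice", "can_delete", "7"),
                          ("bob", "can_delete", "7"),
                          ("bob", "can_delete", "42")]:
        ok, why = pep_is_permitted(local_pdp, build_evaluation_request(who, act, "report", rid))
        print(f"POST {EVALUATION_PATH} {who} {act} report/{rid} -> {ok} ({why})")
```

Swapping `local_pdp` for an HTTP client that POSTs the same JSON to a conforming PDP is the only change the application would need; the policy tables would move into that engine, and the PEP's fail-closed handling of the response stays exactly as written.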

Is AuthZEN production-ready?

It is an early but actively developed standard with multiple vendor implementations emerging. It is worth tracking for new authorization architectures; mature deployments today often use OPA, Cedar or vendor PDPs that may adopt AuthZEN over time.