OpenID AuthZEN: the standard for interoperable authorization
Historically, developers embedded authorization logic directly into application code — creating fragmented, unauditable “spaghetti logic.” Externalizing this logic solves the hardcoding problem, but introduces a new challenge: a lack of interoperability.
AuthZEN is a working group within the OpenID Foundation dedicated to solving this by standardizing how authorization components communicate.
A universal API for PEP–PDP communication
The AuthZEN Authorization API 1.0 specification standardizes the communication pattern between the policy enforcement point (PEP) and the policy decision point (PDP). In a modern authorization architecture, the client (the PEP) intercepts a request and asks a centralized PDP for an authorization decision.
AuthZEN provides a standard, JSON-based format for this request and response cycle. The PDP evaluates the incoming request against its active policies and returns a simple boolean decision — which can optionally include additional context for step-up authentication or fields to redact.
- Subject: The entity requesting access — a user, service, or AI agent.
- Resource: The asset or data object being accessed.
- Action: The operation being performed — read, write, delete.
- Context: Runtime signals — time, location, risk score, device posture.
// PEP Request
{
  "subject": {
    "type": "user",
    "id": "alice@acme.com"
  },
  "resource": {
    "type": "report",
    "id": "q4-financials"
  },
  "action": {
    "name": "read"
  },
  "context": {
    "ip": "192.168.1.10",
    "time": "2026-04-29T09:30:00Z"
  }
}

// PDP Response
{
  "decision": true
}

Decouple enforcement from decision-making
The Authorization API enables PEPs to integrate seamlessly with any PDP that supports the standard, regardless of the underlying authorization model or policy language.
This provides a universal interface that decouples the enforcement of policies from the decision-making engine. With this standard in place, organizations can take full control of their fine-grained authorization strategy — bringing their own PDP and avoiding the need to rewrite application code if they switch authorization vendors down the line.
- No more vendor lock-in
Switch PDPs without rewriting application code. The standard interface remains constant.
- Bring your own PDP
Full control over your fine-grained authorization strategy. Use any compatible decision engine.
- Universal enforcement
Any PEP can communicate with any AuthZEN-compatible PDP across your entire technology stack.
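As an added example (not PlainID's code and not a working group reference implementation), here is the request/response cycle shown above and the PEP/PDP split described in this section as a single Python round trip: a PEP helper builds the evaluation request, a stub PDP applies a constructed policy, and the PEP fails closed unless the response is exactly `decision: true`. The policy values, the step-up hint in the response context, and all function names are assumptions for illustration.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed policy for the stub PDP: who may read which report type, from where, and when.
# A real PDP evaluates its own policy store; this dict only exists to exercise the API shape.
POLICY = {
    ("user", "report", "read"): {
        "allowed_ids": {"alice@acme.com"},
        "trusted_net": ipaddress.ip_network("192.168.0.0/16"),
        "hours_utc": range(8, 18),
    }
}

def build_evaluation_request(subject, resource, action, context):
    """PEP side: serialize the AuthZEN evaluation request (subject/resource/action/context).
    subject and resource are (type, id) tuples; context is a dict of runtime signals."""
    return json.dumps({
        "subject": {"type": subject[0], "id": subject[1]},
        "resource": {"type": resource[0], "id": resource[1]},
        "action": {"name": action},
        "context": context,
    })

def pdp_evaluate(body):
    """Stub PDP: parse an evaluation request and return the AuthZEN response document."""
    req = json.loads(body)
    key = (req["subject"]["type"], req["resource"]["type"], req["action"]["name"])
    rule = POLICY.get(key)
    if rule is None or req["subject"]["id"] not in rule["allowed_ids"]:
        return json.dumps({"decision": False})
    ctx = req.get("context", {})
    if "time" not in ctx or "ip" not in ctx:
        return json.dumps({"decision": False})      # missing signals: deny, never guess
    when = datetime.fromisoformat(ctx["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
    if when.hour not in rule["hours_utc"]:
        return json.dumps({"decision": False})
    # Off-network access is denied, but the optional response context tells the PEP
    # that a step-up (assumed here to be MFA) could unlock the same request.
    if ipaddress.ip_address(ctx["ip"]) not in rule["trusted_net"]:
        return json.dumps({"decision": False, "context": {"step_up": "mfa"}})
    return json.dumps({"decision": True})

def pep_enforce(subject, resource, action, context, pdp=pdp_evaluate):
    """PEP side: call any PDP behind the same interface; allow only on a literal true."""
    resp = json.loads(pdp(build_evaluation_request(subject, resource, action, context)))
    allowed = resp.get("decision") is True        # fail closed on anything else
    return allowed, resp.get("context", {})
```

Swapping `pdp=` for a function that POSTs the body to a real AuthZEN endpoint leaves `pep_enforce` unchanged, which is the decoupling the section describes.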
How PlainID is involved
As a market leader in authorization, PlainID is committed to removing roadblocks to adoption and promoting advanced authorization design patterns across the industry. We are proud to be an active member of the OpenID Foundation's AuthZEN Working Group, helping to drive the standard forward while ensuring native support within our platform.
- Active Working Group Member
PlainID participates in the OpenID Foundation's AuthZEN Working Group, helping to shape the standard as it evolves.
- Native Platform Support
The PlainID PDP natively supports the AuthZEN Authorization API 1.0, requiring zero custom integration work.
- Broad Ecosystem Compatibility
Compatible with a broad spectrum of authorization engines and PDPs — from core IDPs to distributed microservices and data lakes.
- Scale Without Rewriting
Scale an advanced authorization strategy that is fully compatible with your existing technology stack — no code rewrites required.
Talk to a PlainID authorization engineer
Get a technical walkthrough of AuthZEN support in the PlainID platform.