How to Use the Cerbos (Access Control) MCP in Windsurf

Let Windsurf Cascade write, test, and deploy authorization rules directly to your Cerbos instance without leaving the IDE.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Cerbos (Access Control) MCP to Windsurf

Create your Vinkius account to connect Cerbos (Access Control) to Windsurf and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Cerbos (Access Control) with Windsurf

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Manage access policies via Windsurf MCP Server

Cascade looks at your application code and figures out exactly what permissions you need. It uses `add_policy` to write those rules in standard YAML format. You just tell the agent what roles exist in your new feature. If a requirement changes, Cascade handles the updates automatically. It pulls the current rules with `get_policy`, modifies the conditions, and commits the changes using `update_policy`. You review the diff and move on.

Test authorization rules instantly

Stop guessing if your YAML syntax actually works. Cascade runs `check_resources` right in your editor to verify that a specific user can access a target item. It builds the test payload based on your active files. Batch testing works the same way. The agent fires off `authzen_evaluations` through the MCP connection to validate multiple scenarios at once. If a test fails, Windsurf spots the error, fixes the policy, and re-runs the check before you even ask.

Audit access and schemas autonomously

Debugging a denied request usually means digging through server logs. Now you just ask your agent to run `list_audit_logs` and find out exactly why a specific action failed. It grabs the relevant trace data instantly. Managing data structures is just as fast. Cascade checks your active definitions with `get_schema` and applies any necessary changes via `add_schema`. Everything stays synced with your codebase.

Setup guide

Set up Cerbos (Access Control) MCP in Windsurf

Prerequisites

Windsurf IDE installed (macOS, Windows, or Linux)
Active Vinkius subscription with a valid endpoint token

1

Open MCP configuration

Click the Cascade assistant icon in the sidebar, then click the hammer icon (🔨) at the top of the panel. Select "Configure" to open ~/.codeium/windsurf/mcp_config.json.
2

Add the Cerbos (Access Control) MCP

Paste the JSON snippet shown on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Refresh MCPs

Go back to the hammer icon (🔨) in Cascade and click "Refresh". Windsurf will detect the new server. No full restart is needed — the connection is hot-reloaded.
4

Verify in Cascade

Start a new Cascade conversation and ask something like "Show my Cerbos (Access Control) payment history." If connected, Cascade will call the Cerbos (Access Control) tools directly. You will see a green dot next to the server name in the MCP panel.

mcp_config.json

{
  "mcpServers": {
    "cerbos-access-control-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Cerbos. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Cerbos (Access Control) now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Cerbos (Access Control) MCP in Windsurf

Open your editor settings and navigate to the Cascade MCP Servers UI. Paste your Vinkius endpoint URL into the configuration panel. Click refresh to let the agent discover the tools.

Yes. The agent runs live permission checks against your server. It builds the JSON payload automatically and evaluates the response.

It handles multiple checks in a single call. Cascade formats the request and parses the results to verify complex role hierarchies.

The server returns an error code that the agent intercepts. Cascade reads the syntax issue and attempts a fix immediately.

Your policy definitions and user roles never sit on our infrastructure. Vinkius routes the requests through an isolated V8 sandbox that dies the second the operation finishes. The agent only holds the specific YAML rules it needs for the current task.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript