Version: 1.0.0

PDP (Policy Decision Point)

A PDP is a network node in an application that provides an endpoint to query for policy decisions, i.e. services may ask the PDP whether specific actions or requests are allowed according to the set policy. The PDP essentially becomes your microservice for authorization, and can be deployed as a sidecar, a cluster, or even a single instance (for light workload scenarios). PDPs need to be highly available, performant, and physically close to the querying services to avoid latency.

The most straightforward way to integrate PDPs into a microservices architecture is as sidecars, meaning each microservice has a sidecar container next to it which it can query for policy. Other topologies include a centralized PDP and gateway to PDP (i.e. filtering requests at API gateways or proxies). supports all PDP layouts and provides the missing layers on top of open-source PDP solutions (such as Open Policy Agent). These layers include policy delivery and updating, supporting data collection, application-level SDKs, application-level instrumentation and more.

The PDP (which by default bundles together OPA, OPAL, and an API server) is publicly available from Docker Hub.
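As an added example (not code from the original page or the project): a service-side check that queries a sidecar PDP through OPA's REST Data API and denies whenever the PDP is unreachable, slow, or returns no decision. The sidecar address, the `authz/allow` policy path, and the `StubPDP` stand-in are assumptions made for illustration.

```python
import http.client
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions: sidecar address and the "authz/allow" policy path are hypothetical.
PDP_URL = "http://127.0.0.1:8181/v1/data/authz/allow"
# Ignore proxy environment variables: decisions go straight to the sidecar.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def is_allowed(user, action, resource, pdp_url=PDP_URL, timeout=0.5):
    """Ask the PDP for a decision; every failure mode is treated as deny."""
    query = {"input": {"user": user, "action": action, "resource": resource}}
    req = urllib.request.Request(pdp_url, data=json.dumps(query).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            decision = json.load(resp)
    except (OSError, ValueError, http.client.HTTPException):
        return False  # PDP down, slow, or answering with garbage: fail closed
    # OPA omits "result" when the rule is undefined; only a literal true allows.
    return isinstance(decision, dict) and decision.get("result") is True

class StubPDP(BaseHTTPRequestHandler):
    """Constructed stand-in for the sidecar: only alice may read."""
    def do_POST(self):
        raw = self.rfile.read(int(self.headers["Content-Length"]))
        inp = json.loads(raw)["input"]
        allow = inp["user"] == "alice" and inp["action"] == "read"
        out = json.dumps({"result": True} if allow else {}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubPDP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/v1/data/authz/allow"

if __name__ == "__main__":
    server, url = start_stub()
    for who in ("alice", "bob"):
        print(who, is_allowed(who, "read", "doc:1", url))
```

The short timeout reflects the latency requirement above, and the strict `is True` comparison keeps an undefined or malformed decision from being read as an allow.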

Hosted/Managed cloud PDP option

While we recommend a local PDP for production deployments, a Cloud PDP option is available upon demand and can be deployed for you in the same cloud/region as your application (to minimize network latency as much as possible). Reach out to us at, or in the Slack community, with your cloud region to set up a cloud PDP (it will be available as self-service in the near future).

Powered by OPA+OPAL

's PDP orchestration is powered by OPAL, an open-source project developed by the team at and supported by a large community of developers and users. Check out this talk with the primary authors of OPAL to learn more about the unique real-time architecture:

OPAL's built-in separation of the data plane from the control plane enables users to enjoy the benefits of a fully distributed PDP solution without having to depend on the availability of the cloud or share any data with it.