Skip to main content


An AuthorizerClient can communicate via gRPC or REST with a Topaz authorizer running as a sidecar or a microservice alongside your application or to Aserto's hosted authorizer.

The options passed in specify the target authorizer, the communication protocol, and other parameters.

Constructor arguments

  • url (required): The URL for the Authorizer service API.
  • cert_file_path (optional): The location on the filesystem of the CA certificate that signed the certificate served by the Topaz authorizer. See the "Certificates" section for more information.
  • service_type (optional): Either of the string values "gRPC" or "REST", depending on the protocol desired to call the API. Defaults to "gRPC".
  • tenant_id (optional): An Aserto Tenant ID. Required if connecting to Aserto's hosted authorizer.
  • api_key (optional): An Aserto Authorizer API Key. Required if connection to Aserto's hosted authorizer.

Topaz Example

from aserto.client import AuthorizerOptions

options = AuthorizerOptions(

Hosted Example

from aserto.client import AuthorizerOptions

options = AuthorizerOptions(


All endpoints of the Topaz Authorizer use TLS. In order for a client to communicate with the authorizer, certificates must be verified.

In a development environment, Topaz automatically creates a set of self-signed certificates and certificates of the CA (certificate authority) that signed them. It places them in a well-known location on the filesystem, defaulting to $HOME/.local/share/topaz/certs/grpc-ca.crt, or $HOME\AppData\Local\topaz\certs on Windows.

In order for the authorizer client to perform the TLS handshake, it needs to verify the TLS certificate of the one-box using the certificate of the CA that signed it. The certificate for the authorizer's REST endpoints is named gateway-ca.crt. The certificate for the authorizer's gRPC services is named grpc-ca.crt.