Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Is the authorization server typically only used for authenticated requests, or also for unauthenticated (guest) requests?

The general pattern we'd expect is for user/principal information to be gathered from the authentication/identity provider and used in subsequent requests to the PDP (most commonly, roles that the user can assume). That said, there's nothing saying that you couldn't implement (say) a default role and pass that in each request.