Currently the auxData block just support JWT tokens. One of our key design decisions early on was to make Cerbos stateless and not having it call out to external services or databases, and requiring the calling application (Policy Enforcement Point/PEP) do the data fetching up and pass it along in the request Cerbos (the Policy Decision Point). The reasons behind this comes from some war stories we had a previous companies where we had to build AuthZ for large scale/high throughput systems (30bn+ requests a day) and having the AuthZ layer call out to other parts of the infrastructure to fetch state we didn't see as a sensible solution as what maybe a simple condition in a policy could be unexpected loaded on those other components - meaning your entire stack needs to be scaled OR the PDP needs to handle caching etc which then opens up a whole can of works around cache busting and eventual consistency. In most cases we see, the PEP is the owner of a lot that data required and already has loaded to handle the request anyway, and knows best what can be cached or not - meaning the PDP is purely making an AuthZ decision based on the inputs it recieves - evaluate it all in memory without requiring any disk or network IO ensuring a timely response - which is key as AuthZ is in the blocking path of every single request to an application.

Also from a deployment perspective, having the PDP being stateless means you can run it right alongside your application (k8s sidecar for example) and scale without having worry about any dependant services and eliminating any unnesscary network hops.