How often should I reuse this object? Always or is it fine to create a new one every authorization request? In terms of caching, do I cache the BasePdpEngine or my policy provider?
I am expecting a lot of authorization requests, so i'm not sure which optimization to consider.
BasePdpEngine class is thread-safe, you can (and should!) reuse the same BasePdpEngine object to handle all requests. This is what we do in the RESTful PDP that handles XACML Requests via REST API.