SpiceDB
A Google Zanzibar-inspired database that answers "can this subject do this on that resource?" by traversing a graph of relationships.
- Category: Identity & Policy
- CNCF maturity: Independent
- Language: Go
- License: Apache-2.0
- Repository: authzed/spicedb
- Documented at commit:
4bb1d7b3(2026-06-19)
What it is
SpiceDB is an open-source implementation of the authorization system described in Google's 2019 Zanzibar paper. Instead of storing permissions as flat access-control lists, you store relationships between objects (for example document:budget#viewer@user:anne) and define a schema that derives permissions from those relationships. To make an access decision, SpiceDB walks the relationship graph rather than evaluating a static rule.
It runs as a server exposing gRPC and HTTP APIs. Clients write a schema, write relationships, then ask permission questions such as CheckPermission. The relationship data lives in a pluggable datastore: PostgreSQL, MySQL, CockroachDB, Google Spanner, or an in-memory store for development.
SpiceDB is built and maintained by AuthZed. It sits in the authorization layer of an application stack: the service that owns the data calls SpiceDB to decide who may see or change each object, keeping authorization logic out of the application database.
When to use it
- You need relationship-based access control (ReBAC): permissions that follow ownership, group membership, and folder hierarchies rather than a fixed role matrix.
- You want consistency guarantees across services, using ZedToken to avoid the "New Enemy" problem where a stale read leaks data after a permission was revoked.
- You want one authorization service that several applications share, decoupled from any single application database.
- It is a poorer fit when your needs are a small fixed set of roles (a simpler RBAC library is enough), or when your decisions are pure policy-over-attributes with no relationship graph (a policy engine like OPA fits better).
In this deep-dive
- History: origin, milestones, and why it exists.
- Architecture: components and how requests flow.
- Adoption & Ecosystem: who runs it and what surrounds it.
- Internals: the code paths that matter, read from source.
- Getting Started: install and a first working setup.
Sources
- authzed/spicedb (GitHub)
- authzed/spicedb GitHub REST API
- Starlet #17 SpiceDB (star-history)
- SpiceDB, the Google Zanzibar open source solution (AuthZed)
- Google Zanzibar (AuthZed Docs)
- Top 5 Google Zanzibar open-source implementations in 2024 (WorkOS)
- Alternatives to OpenFGA (AuthZed)
- Top Alternatives to SpiceDB (Oso)
- Google Zanzibar vs OPA (Permit.io)
- SpiceDB product page (AuthZed)
- spicedb/README.md