
github.com/authzed/spicedb @v1.54.0 sqlite

13,352 symbols 69,113 edges 1,178 files 4,996 documented · 37%
README


SpiceDB sets the standard for authorization that scales. Scale with Traffic • Dev Velocity • Functionality • Geography


What is SpiceDB?


SpiceDB is the most mature open source project inspired by Google's internal authorization system: Zanzibar.

As of 2021, broken access control became the #1 threat to web security according to OWASP. With SpiceDB, platform and product teams can be protected by answering this question easily: "can subject X perform action Y on resource Z?"

Similar to a relational database, developers define a schema, write data in the form of relationships, and then use SpiceDB's clients to issue permission checks in their application to determine what actions a user can take on a resource. Other queries are also possible, such as "What can subject do?" or "Who can access resource?".

SpiceDB is often run as a centralized service shared across product suites and microservice architectures.

SpiceDB is focused purely on authorization and is designed to be fully agnostic to authentication solutions/identity providers.

What is Google Zanzibar?

In 2019, Google released the paper "Zanzibar: Google's Consistent, Global Authorization System", providing the original inspiration for SpiceDB. The paper presents the design, implementation, and deployment of Zanzibar, Google's internal system for storing and evaluating access control lists. Originally designed for Google+ Circles, Zanzibar now sits at the core of Google's entire product suite (Calendar, Drive, Maps, Photos, YouTube) and powers the Google Cloud IAM service.

While SpiceDB has gone on to innovate well beyond the functionality outlined in the paper, development of SpiceDB aims to always remain faithful to the paper's values and goals.

Why SpiceDB?

  • World-class engineering: painstakingly built by experts that pioneered the cloud-native ecosystem
  • Authentic design: mature and feature-complete implementation of Google's Zanzibar paper
  • Proven in production: 5ms p95 when scaled to millions of queries/s, billions of relationships
  • Global consistency: consistency configured per-request unlocks correctness while maintaining performance
  • Multi-paradigm: caveated relationships combine the best concepts in authorization: ABAC & ReBAC
  • Safety in tooling: design schemas with real-time validation or validate them in your CI/CD workflow
  • Reverse Indexes: queries for "What can subject do?", "Who can access resource?"

Who uses SpiceDB?

SpiceDB is a powerful tool in a variety of domains and in organizations of all sizes; we've chosen to highlight a few interesting community members:

Beyond the community, you can also read customer stories for commercial usage of SpiceDB.

Getting Started

Installing the binary

Binary releases are available for Linux, macOS, and Windows on AMD64 and ARM64 architectures.

Homebrew users for both macOS and Linux can install the latest binary releases of SpiceDB and zed using the official tap:

brew install authzed/tap/spicedb authzed/tap/zed

Debian-based Linux users can install SpiceDB packages by adding a new APT source:

sudo apt update && sudo apt install -y curl ca-certificates gpg
# -fsSL makes curl fail loudly instead of piping an error page into apt-key
curl -fsSL https://pkg.authzed.com/apt/gpg.key | sudo apt-key add -
# sudo does not apply to a ">" redirection, so write the source list through tee
echo "deb https://pkg.authzed.com/apt/ * *" | sudo tee /etc/apt/sources.list.d/fury.list
sudo apt update && sudo apt install -y spicedb zed

RPM-based Linux users can install SpiceDB packages by adding a new YUM repository:

# tee -a runs under sudo, so the repo file is appended with root privileges (a ">>" redirection would not be).
# Note that gpgcheck=0 disables RPM signature verification for this repository: packages are trusted on
# the strength of the HTTPS connection alone.
sudo tee -a /etc/yum.repos.d/Authzed-Fury.repo << EOF
[authzed-fury]
name=AuthZed Fury Repository
baseurl=https://pkg.authzed.com/yum/
enabled=1
gpgcheck=0
EOF
sudo dnf install -y spicedb zed

Running a container

Container images are available for AMD64 and ARM64 architectures on the following registries:

Docker users can run the latest SpiceDB container with the following:

# expose grpc and http. http is used in the examples below.
docker run --rm -p 50051:50051 -p 8443:8443 authzed/spicedb serve --http-enabled true --grpc-preshared-key "somerandomkeyhere"

SpiceDB containers use Chainguard Images to ship the bare minimum userspace which is a huge boon to security, but can complicate debugging. If you want to execute a user session into a running SpiceDB container and install packages, you can use one of our debug images.

Appending -debug to any tag will provide you an image that has a userspace with debug tooling:

docker run --rm -ti --entrypoint sh authzed/spicedb:latest-debug

Containers are also available for each git commit to the main branch under ${REGISTRY}/authzed/spicedb-git:${COMMIT}.

Write your own schema and relationships

Now that you have SpiceDB running, you must define your schema and write relationships that represent the permissions in your application. There are various ways to do this:

    # write a schema
    curl --location 'http://localhost:8443/v1/schema/write' \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer somerandomkeyhere' \
    --data '{
        "schema": "definition user {} \n definition folder { \n relation parent: folder\n relation viewer: user \n permission view = viewer + parent->view \n } \n definition document {\n relation folder: folder \n relation viewer: user \n permission view = viewer + folder->view \n }"
    }'

    # write a relationship
    curl --location 'http://localhost:8443/v1/relationships/write' \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer somerandomkeyhere' \
    --data '{
        "updates": [
            {
                "operation": "OPERATION_TOUCH",
                "relationship": {
                    "resource": {
                        "objectType": "folder",
                        "objectId": "budget"
                    },
                    "relation": "viewer",
                    "subject": {
                        "object": {
                            "objectType": "user",
                            "objectId": "anne"
                        }
                    }
                }
            }
        ]
    }'

You can follow a guide for developing a schema or review the schema language design documentation.

Finally, you can watch the SpiceDB primer video on schema development.
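To make the schema's `+` (union) and `->` (arrow) concrete, here is an added example, not code from the SpiceDB project, that evaluates the README's schema by hand over an in-memory relationship set in Go. The Store, Object and Relationship types are constructed for this illustration, as are the extra folder:q3, document:forecast and folder:loop relationships; only folder:budget#viewer@user:anne comes from the relationship written above. The `seen` set is the one piece a real evaluator must not forget: without it, a parent cycle written by mistake (or on purpose) turns a permission check into unbounded recursion.

```go
package main

import "fmt"

// Object names a SpiceDB object as type + id, e.g. folder:budget.
type Object struct{ Type, ID string }

// Relationship mirrors one tuple written via /v1/relationships/write:
// resource#relation@subject.
type Relationship struct {
	Resource Object
	Relation string
	Subject  Object
}

// Store is an in-memory stand-in, constructed for this example, for the
// relationships a real SpiceDB datastore would hold.
type Store struct{ rels []Relationship }

// Touch adds a relationship (the README's OPERATION_TOUCH), ignoring duplicates.
func (s *Store) Touch(r Relationship) {
	for _, have := range s.rels {
		if have == r {
			return
		}
	}
	s.rels = append(s.rels, r)
}

// subjects lists every subject related to resource through relation.
func (s *Store) subjects(resource Object, relation string) []Object {
	var out []Object
	for _, r := range s.rels {
		if r.Resource == resource && r.Relation == relation {
			out = append(out, r.Subject)
		}
	}
	return out
}

// view evaluates the README schema's "view" permission by hand:
//   folder.view   = viewer + parent->view
//   document.view = viewer + folder->view
// "+" is a union, so a direct viewer relation answers immediately; otherwise the
// arrow walks to the related object and evaluates view there. seen makes the walk
// terminate even if someone writes a parent cycle.
func (s *Store) view(resource, subject Object, seen map[Object]bool) bool {
	if seen[resource] {
		return false
	}
	seen[resource] = true
	for _, sub := range s.subjects(resource, "viewer") {
		if sub == subject {
			return true
		}
	}
	var arrow string
	switch resource.Type {
	case "folder":
		arrow = "parent"
	case "document":
		arrow = "folder"
	default:
		return false // no "view" permission is defined on this type
	}
	for _, next := range s.subjects(resource, arrow) {
		if s.view(next, subject, seen) {
			return true
		}
	}
	return false
}

// HasView answers "can subject view resource?", the question a CheckPermission call asks.
func HasView(s *Store, resource, subject Object) bool {
	return s.view(resource, subject, map[Object]bool{})
}

// ExampleStore holds the README's relationship plus constructed ones that
// exercise both arrows and a deliberate parent cycle.
func ExampleStore() *Store {
	s := &Store{}
	s.Touch(Relationship{Object{"folder", "budget"}, "viewer", Object{"user", "anne"}})     // from the README
	s.Touch(Relationship{Object{"folder", "q3"}, "parent", Object{"folder", "budget"}})     // constructed: q3 sits under budget
	s.Touch(Relationship{Object{"document", "forecast"}, "folder", Object{"folder", "q3"}}) // constructed: forecast lives in q3
	s.Touch(Relationship{Object{"folder", "loop"}, "parent", Object{"folder", "loop"}})     // constructed cycle: must not hang
	return s
}

func main() {
	s := ExampleStore()
	anne, bob := Object{"user", "anne"}, Object{"user", "bob"}
	fmt.Println("anne view document:forecast:", HasView(s, Object{"document", "forecast"}, anne)) // true, via folder->parent->viewer
	fmt.Println("bob  view document:forecast:", HasView(s, Object{"document", "forecast"}, bob))  // false
	fmt.Println("anne view folder:loop:      ", HasView(s, Object{"folder", "loop"}, anne))       // false, cycle guarded
}
```

The two arrows chain: anne is a viewer of folder:budget, folder:q3 inherits view from its parent, and document:forecast inherits view from its folder, so one relationship grants access three hops away, which is exactly why a reverse index ("who can access resource?") is as important as the forward check.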

Query the SpiceDB API

You can use the client libraries or the gRPC and HTTP APIs to query SpiceDB. For example,

curl --location 'http://localhost:8443/v1/permissions/check' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer somerandomkeyhere' \
--data '{
  "consistency": {
    "minimizeLatency": true
  },
  "resource": {
    "objectType": "folder",
    "objectId": "budget"
  },
  "permission": "view",
  "subject": {
    "object": {
      "objectType": "user",
      "objectId": "anne"
    }
  }
}'

#{
#    "checkedAt": {
#        "token": "GhUKEzE3NTE1NjYwMjUwMDAwMDAwMDA="
#    },
#    "permissionship": "PERMISSIONSHIP_HAS_PERMISSION"
#}

You can also issue queries with zed, the official command-line client. The Playground also has a tab for experimenting with zed all from within your browser.

Integrating SpiceDB into Your Application

To get an understanding of integrating an application with SpiceDB, you can follow the Protecting Your First App guide or review API documentation on the Buf Registry or Postman.
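As an added illustration of the integration step (not the project's own client library, which a real application would normally use), the Go client below issues the same /v1/permissions/check request as the curl call above, sends the preshared key as a bearer token, and treats transport failures, non-200 statuses and a rejected key as errors rather than as a denial, so an outage or misconfiguration can never be read as "no permission" and then fail open somewhere upstream. NewFakeSpiceDB is a constructed stand-in that only imitates the response shape shown in the README so the example runs offline; its status codes are an assumption, not the real server's documented behaviour.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// These structs mirror the /v1/permissions/check JSON bodies from the curl example.
type ObjectRef struct {
	ObjectType string `json:"objectType"`
	ObjectID   string `json:"objectId"`
}

type SubjectRef struct {
	Object ObjectRef `json:"object"`
}

type CheckRequest struct {
	Consistency map[string]bool `json:"consistency"`
	Resource    ObjectRef       `json:"resource"`
	Permission  string          `json:"permission"`
	Subject     SubjectRef      `json:"subject"`
}

type CheckResponse struct {
	Permissionship string `json:"permissionship"`
}

// Client calls SpiceDB's HTTP API, presenting the preshared key as a bearer token.
type Client struct {
	BaseURL string
	Key     string
	HTTP    *http.Client
}

// CheckPermission returns true only when SpiceDB answers PERMISSIONSHIP_HAS_PERMISSION.
// Any failure to get a well-formed 200 response is an error, never a silent "false".
func (c *Client) CheckPermission(resource ObjectRef, permission string, subject ObjectRef) (bool, error) {
	body, err := json.Marshal(CheckRequest{
		Consistency: map[string]bool{"minimizeLatency": true},
		Resource:    resource,
		Permission:  permission,
		Subject:     SubjectRef{Object: subject},
	})
	if err != nil { return false, err }
	req, err := http.NewRequest(http.MethodPost, c.BaseURL+"/v1/permissions/check", bytes.NewReader(body))
	if err != nil { return false, err }
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+c.Key)
	resp, err := c.HTTP.Do(req)
	if err != nil { return false, err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("permission check failed: HTTP %d", resp.StatusCode)
	}
	var out CheckResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil { return false, err }
	return out.Permissionship == "PERMISSIONSHIP_HAS_PERMISSION", nil
}

// NewFakeSpiceDB is a constructed stand-in for the real endpoint (assumed status
// codes): it rejects requests without the right bearer token and grants view only
// to user:anne on folder:budget, the relationship written in the README.
func NewFakeSpiceDB(key string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+key {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		var req CheckRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		result := "PERMISSIONSHIP_NO_PERMISSION"
		if req.Permission == "view" && req.Resource == (ObjectRef{"folder", "budget"}) && req.Subject.Object == (ObjectRef{"user", "anne"}) {
			result = "PERMISSIONSHIP_HAS_PERMISSION"
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(CheckResponse{Permissionship: result})
	}))
}

func main() {
	srv := NewFakeSpiceDB("somerandomkeyhere")
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, Key: "somerandomkeyhere", HTTP: srv.Client()}
	ok, err := c.CheckPermission(ObjectRef{"folder", "budget"}, "view", ObjectRef{"user", "anne"})
	fmt.Println("anne can view folder:budget:", ok, err) // true <nil>
}
```

Point the Client at http://localhost:8443 with the key passed to `--grpc-preshared-key` to run it against the container started above; the fake server exists only so the block is self-contained.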

Deploying to Production

The core SpiceDB service has been utilized in production by Authzed since 2021 so you can be confident that it is battle-tested. Moreover, it supports various datastores, including Google Cloud Spanner, CockroachDB, MySQL, and PostgreSQL. Read this to learn the best practices for each.

You can choose t

Extension points exported contracts — how you extend this code

RevisionHolder (Interface)
RevisionHolder is an interface for types that can provide a unique ID and revision information. [30 implementers]
pkg/zedtoken/zedtoken.go
WithSourcePosition (Interface)
WithSourcePosition defines an interface for proto messages in core with SourcePosition information attached. [9 implementers]
pkg/namespace/metadata.go
SchemaDefinition (Interface)
SchemaDefinition represents a namespace or caveat definition under a schema. [6 implementers]
pkg/datastore/datastore.go
LegacySchemaWriter (Interface)
LegacySchemaWriter provides access to legacy schema write operations. Deprecated: This is only for backwards-compatible [16 …
pkg/datalayer/datalayer.go
HasMetadata (Interface)
HasMetadata indicates that the error has metadata defined. [31 implementers]
pkg/spiceerrors/common.go
Iterator (Interface)
Iterator is a Plan that forms a tree structure through its Subiterators, where the tree represents the query execution p [16 …
pkg/query/types.go
Parented (Interface)
Parented is an interface for schema elements that have a parent. It allows traversing up the schema hierarchy without ty [17 …
pkg/schema/v2/schema.go
SchemaDefinition (Interface)
SchemaDefinition represents an object or caveat definition in a schema. [6 implementers]
pkg/schemadsl/compiler/compiler.go

Core symbols most depended-on inside this repo

Equal
called by 3627
pkg/datastore/datastore.go
Run
called by 2043
pkg/cmd/server/server.go
Errorf
called by 1975
pkg/schemadsl/compiler/node.go
Context
called by 1763
internal/dispatch/stream.go
New
called by 1408
pkg/datastore/test/datastore.go
MustParse
called by 1126
pkg/tuple/parsing.go
Len
called by 916
pkg/genutil/mapz/multimap.go
Contains
called by 696
internal/developmentmembership/trackingsubjectset.go

Shape

Method 6,460
Function 5,218
Struct 1,209
Interface 203
TypeAlias 137
FuncType 123
Class 2

Languages

Go 100%
TypeScript 1%

Modules by API surface

pkg/proto/core/v1/core.pb.go · 474 symbols
pkg/proto/core/v1/core_vtproto.pb.go · 472 symbols
pkg/datastore/mocks/mock_datastore.go · 328 symbols
pkg/proto/dispatch/v1/dispatch.pb.go · 310 symbols
pkg/proto/dispatch/v1/dispatch_vtproto.pb.go · 234 symbols
pkg/proto/developer/v1/developer.pb.go · 195 symbols
pkg/proto/developer/v1/developer_vtproto.pb.go · 180 symbols
pkg/proto/impl/v1/impl_vtproto.pb.go · 156 symbols
pkg/proto/impl/v1/impl.pb.go · 147 symbols
pkg/schema/v2/walk_test.go · 121 symbols
pkg/datastore/datastore.go · 112 symbols
pkg/datalayer/mocks/mock_datalayer.go · 110 symbols

Dependencies from manifests, versioned

4d63.com/gocheckcompilerdirectives v1.3.0 · 1×
4d63.com/gochecknoglobals v0.2.2 · 1×
buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.11-20250718181 · 1×
buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.11-20260415201 · 1×
buf.build/gen/go/bufbuild/registry/connectrpc/go v1.19.1-202601261449 · 1×
buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.36.11-20260126144 · 1×
buf.build/gen/go/gogo/protobuf/protocolbuffers/go v1.36.10-20240617172 · 1×
buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.36.11-20241007202 · 1×
buf.build/gen/go/prometheus/prometheus/protocolbuffers/go v1.36.10-20251118093 · 1×
buf.build/go/app v0.2.0 · 1×
buf.build/go/bufplugin v0.9.0 · 1×
buf.build/go/bufprivateusage v0.1.0 · 1×

Datastores touched

spicedb · Database · 1 repos
defaultdb · Database · 1 repos
(mysql) · Database · 1 repos
dbname · Database · 1 repos
mydb · Database · 1 repos
testspicedb · Database · 1 repos

For agents

$ claude mcp add spicedb \
  -- python -m otcore.mcp_server <graph>
