SpiceDB

New
assess
First Added: July 23, 2023. Updated: July 1, 2026

SpiceDB is an open-source, Google Zanzibar-inspired database for fine-grained authorization. It stores relationship tuples, evaluates permission checks over a graph, and stays separate from authentication. We assess it as the leading open ReBAC engine when apps need global-scale authorization beyond RBAC or Open Policy Agent policy checks.

Blurb

SpiceDB is an open-source, Google Zanzibar-inspired database system for real-time, security-critical application permissions.

Summary

What it is: Authorization datastore and API from AuthZed. Developers define a SpiceDB schema, write relationships from app code, and call Check, Lookup, and Expand APIs.

When to use: Product needs relationship-based access control modeled after Zanzibar. You want schema validation, ZedTokens for consistency, and a mature OSS core with optional AuthZed Cloud.

When to skip: Simple role matrices or static policy bundles are enough. Use RBAC patterns or Open Policy Agent with Policy as Code instead. Keto may fit if you already standardize on Ory.

Key features: SpiceDB schema language, gRPC and HTTP APIs, pluggable backends (PostgreSQL, CockroachDB, Spanner, MySQL), Prometheus and OpenTelemetry hooks.

Details

Topic     | Notes
----------|------------------------------------------------------------------------------------------
Model     | ReBAC tuples and graph traversal; complements policy engines rather than replacing them
Ops       | Self-host SpiceDB or use the AuthZed managed service; pick the datastore per scale and HA needs
Ecosystem | Client libraries, zed CLI, schema playground, and CI validation for authz schemas
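To make the "ReBAC tuples and graph traversal" row concrete, here is an added, self-contained illustration (not SpiceDB's own code or API) of how a Zanzibar-style Check answers a permission query by walking relationship tuples: direct relations, subject sets such as group#member, and arrows such as parent->view. The schema and relationships are constructed for the example.

```python
# Added illustration (not SpiceDB's own code): a toy in-memory evaluator showing how
# a Zanzibar-style Check walks the relationship graph for this constructed schema:
#   definition group    { relation member: user }
#   definition folder   { relation viewer: user; permission view = viewer }
#   definition document { relation parent: folder; relation reader: user | group#member
#                         relation writer: user; permission view = reader + writer + parent->view }
# Permission bodies are unions of ("rel", name) or ("arrow", relation, permission).
SCHEMA = {
    "group": {"relations": {"member"}, "permissions": {}},
    "folder": {"relations": {"viewer"}, "permissions": {"view": [("rel", "viewer")]}},
    "document": {"relations": {"parent", "reader", "writer"},
                 "permissions": {"view": [("rel", "reader"), ("rel", "writer"),
                                          ("arrow", "parent", "view")]}},
}

class Graph:
    """Tuples are (resource, relation, subject); a subject "type:id#relation" is a subject set."""
    def __init__(self, tuples):
        self.tuples = tuples

    def subjects(self, resource, relation):
        return [s for r, rel, s in self.tuples if r == resource and rel == relation]

    def check(self, resource, name, subject, depth=0):
        """True if subject holds relation or permission `name` on resource."""
        if depth > 50:  # SpiceDB also bounds traversal depth against cyclic data
            return False
        defn = SCHEMA[resource.split(":", 1)[0]]
        if name in defn["relations"]:
            for s in self.subjects(resource, name):
                if s == subject:
                    return True
                if "#" in s:  # expand the subject set recursively (e.g. group:eng#member)
                    set_res, set_rel = s.split("#", 1)
                    if self.check(set_res, set_rel, subject, depth + 1):
                        return True
            return False
        for term in defn["permissions"][name]:
            if term[0] == "rel" and self.check(resource, term[1], subject, depth + 1):
                return True
            if term[0] == "arrow":  # parent->view: evaluate the permission on each parent
                for parent in self.subjects(resource, term[1]):
                    if self.check(parent, term[2], subject, depth + 1):
                        return True
        return False

# Constructed relationships: alice directly, bob via group, carol via the parent folder.
GRAPH = Graph([("document:spec", "reader", "user:alice"), ("group:eng", "member", "user:bob"),
              ("document:spec", "reader", "group:eng#member"), ("document:spec", "parent", "folder:plans"),
              ("folder:plans", "viewer", "user:carol")])
```

A real deployment stores these tuples in the chosen datastore and calls SpiceDB's Check API instead; the toy evaluator only shows why each of alice, bob and carol can view document:spec while an unrelated user cannot.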

Compared to Open Policy Agent

OPA evaluates Rego policies against JSON inputs. SpiceDB persists relationships and answers permission queries at runtime. Many estates use both: OPA for config and admission gates, SpiceDB for application-level object permissions.
