Why SpiceDB Matters
Google built Zanzibar to handle authorization for YouTube, Drive, and Cloud. SpiceDB brings the same model to your applications — relationship-based access control that scales to millions of objects.
Quick Start with Docker
```bash
docker run -d --name spicedb \
  -p 50051:50051 \
  authzed/spicedb serve \
  --grpc-preshared-key "somerandomkey"
```
Define a Permission Schema
```
definition user {}

definition document {
    relation owner: user
    relation editor: user
    relation viewer: user

    permission edit = owner + editor
    permission view = edit + viewer
}

definition organization {
    relation admin: user
    relation member: user

    permission manage = admin
}
```
Write Relationships
```bash
# Using zed CLI
zed relationship create document:readme owner user:alice
zed relationship create document:readme editor user:bob
zed relationship create document:readme viewer user:charlie
```
Check Permissions
```bash
# Can bob edit the readme?
zed permission check document:readme edit user:bob
# true

# Can charlie edit the readme?
zed permission check document:readme edit user:charlie
# false (charlie is only a viewer)
```
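To see why those checks resolve the way they do, here is an added example (not from the original post and not SpiceDB's implementation): a small in-memory model of the schema and the three relationships above that resolves `+` unions and denies by default. `SCHEMA`, `RELATIONSHIPS`, `check` and `accessMatrix` are hypothetical names, and only the union operator used on this page is modelled.

```javascript
// Constructed, simplified model of the page's schema: each permission is a
// union ("+") of relations or other permissions on the same definition.
const SCHEMA = {
  document: {
    relations: ["owner", "editor", "viewer"],
    permissions: { edit: ["owner", "editor"], view: ["edit", "viewer"] },
  },
  organization: { relations: ["admin", "member"], permissions: { manage: ["admin"] } },
};

// The three relationships written with zed above, as resource#relation@subject.
const RELATIONSHIPS = new Set([
  "document:readme#owner@user:alice",
  "document:readme#editor@user:bob",
  "document:readme#viewer@user:charlie",
]);

// Resolve a relation or permission on a resource for a subject.
// Unknown types or names throw instead of silently returning false, so a typo
// in a permission name surfaces as an error rather than as a quiet denial.
function check(resource, name, subject, seen = new Set()) {
  const type = resource.split(":")[0];
  const def = SCHEMA[type];
  if (!def) throw new Error(`unknown object type: ${type}`);
  if (def.relations.includes(name)) {
    // Base case: a relation holds only if the exact tuple was written.
    return RELATIONSHIPS.has(`${resource}#${name}@${subject}`);
  }
  const terms = def.permissions[name];
  if (!terms) throw new Error(`unknown relation or permission: ${type}#${name}`);
  if (seen.has(name)) return false; // guard against self-referential definitions
  seen.add(name);
  // Union: any one term granting access is enough.
  return terms.some((term) => check(resource, term, subject, seen));
}

// Build the full user -> granted-permissions table for one resource, the kind
// of expected-access matrix worth asserting on before a schema change ships.
function accessMatrix(resource, permissions, users) {
  const matrix = {};
  for (const user of users) {
    matrix[user] = permissions.filter((p) => check(resource, p, `user:${user}`));
  }
  return matrix;
}
```

For the readme, the matrix comes out as edit and view for alice and bob, view only for charlie, and nothing for a user with no relationship.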
Use the API from Code
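```javascript
import { v1 } from "@authzed/authzed-node";

// The quick-start container serves plaintext gRPC, so the client has to opt in
// to sending the preshared key without TLS (permitted for localhost only).
const client = v1.NewClient("somerandomkey", "localhost:50051",
  v1.ClientSecurity.INSECURE_LOCALHOST_ALLOWED);

// client.promises is the promise-based API; the plain methods take callbacks.
const request = v1.CheckPermissionRequest.create({
  resource: { objectType: "document", objectId: "readme" },
  permission: "edit",
  subject: { object: { objectType: "user", objectId: "bob" } },
});
const result = await client.promises.checkPermission(request);

// permissionship is a numeric enum; map it back to its name for display.
console.log(v1.CheckPermissionResponse_Permissionship[result.permissionship]); // HAS_PERMISSION
```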
Key Features
- Google Zanzibar model — proven at YouTube/Drive scale
- Relationship-based — not just roles, but fine-grained object relationships
- Consistency — configurable consistency levels (full, at-least-as-fresh)
- Schema validation — catch permission bugs before deployment
- Multi-language SDKs — Go, Python, Node, Java, Ruby
- Watch API — stream permission changes in real-time
SpiceDB vs Other AuthZ Solutions
| Feature | SpiceDB | OPA/Rego | Casbin |
|---|---|---|---|
| Model | Zanzibar (ReBAC) | Policy-based | RBAC/ABAC |
| Scale | Millions of objects | Per-request eval | In-memory |
| Schema | Typed, validated | Rego DSL | Config file |
| Consistency | Tunable | N/A | N/A |
| Watch API | Yes | No | No |