Google Zanzibar handles authorization for billions of users across YouTube, Drive, and Calendar. SpiceDB is a purpose-built permissions database inspired by Zanzibar — define permissions as relationships and check them in microseconds.
What Is SpiceDB?
SpiceDB is an open-source permissions database by AuthZed. It stores and evaluates permissions using a Zanzibar-like model where access decisions are based on relationships between objects. Think of it as a specialized database for authorization.
The Free Tool
SpiceDB is completely free and open source:
- Zanzibar model: Relationship-based access control
- Schema language: Define permissions declaratively
- gRPC + REST APIs: High-performance permission checks
- Watch API: Real-time permission change notifications
- Caveats: Conditional permissions with runtime context
- Consistency: Tunable consistency for reads
- SDKs: Go, Java, Python, Ruby, Node.js, .NET
Quick Start
Run SpiceDB:
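    # The preshared key is the credential every API client must present;
    # replace this placeholder with a randomly generated secret.
    docker run -d -p 50051:50051 \
      authzed/spicedb serve \
      --grpc-preshared-key "somerandomkeyhere"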
Define a schema:
    definition user {}

    definition organization {
        relation admin: user
        relation member: user

        permission manage = admin
        permission view = admin + member
    }

    definition document {
        relation org: organization
        relation owner: user
        relation editor: user
        relation viewer: user

        permission edit = owner + editor + org->manage
        permission view = edit + viewer + org->view
    }
Write relationships and check permissions:
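    import { v1 } from '@authzed/authzed-node';

    // The quick-start container serves plaintext gRPC, so the client has to opt in
    // to an insecure localhost connection. `promises` is the async/await client.
    // Assumes the schema above has already been written to SpiceDB.
    const { promises: client } = v1.NewClient(
      'somerandomkeyhere',
      'localhost:50051',
      v1.ClientSecurity.INSECURE_LOCALHOST_ALLOWED,
    );

    // Write: alice is owner of document:readme
    await client.writeRelationships(v1.WriteRelationshipsRequest.create({
      updates: [{
        operation: v1.RelationshipUpdate_Operation.CREATE,
        relationship: {
          resource: { objectType: 'document', objectId: 'readme' },
          relation: 'owner',
          subject: { object: { objectType: 'user', objectId: 'alice' } },
        },
      }],
    }));

    // Check: can alice edit document:readme?
    const result = await client.checkPermission(v1.CheckPermissionRequest.create({
      resource: { objectType: 'document', objectId: 'readme' },
      permission: 'edit',
      subject: { object: { objectType: 'user', objectId: 'alice' } },
    }));

    // permissionship is a numeric enum; map it back to its name for display
    console.log(v1.CheckPermissionResponse_Permissionship[result.permissionship]); // HAS_PERMISSION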
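To see how the schema above resolves a check, here is an added example (not SpiceDB's own code and not from the original post): a toy in-memory evaluator for the same two definitions, run over constructed relationships. The names SCHEMA, TUPLES, subjectsOf and check, and the users bob, carol and dave, are assumptions made for illustration.

```javascript
// Toy evaluator for the schema above. In a permission's term list, a plain
// name is a relation or permission on the same object, and "rel->perm"
// follows `rel` to another object and evaluates `perm` there.
const SCHEMA = {
  organization: {
    relations: ['admin', 'member'],
    permissions: { manage: ['admin'], view: ['admin', 'member'] },
  },
  document: {
    relations: ['org', 'owner', 'editor', 'viewer'],
    permissions: {
      edit: ['owner', 'editor', 'org->manage'],
      view: ['edit', 'viewer', 'org->view'],
    },
  },
};

// Constructed relationships, written as resource#relation@subject.
const TUPLES = [
  'organization:acme#admin@user:bob',
  'organization:acme#member@user:carol',
  'document:readme#org@organization:acme',
  'document:readme#owner@user:alice',
  'document:readme#viewer@user:dave',
].map((t) => {
  const [resource, rest] = t.split('#');
  const [relation, subject] = rest.split('@');
  return { resource, relation, subject };
});

// Subjects directly related to `resource` through `relation`.
const subjectsOf = (resource, relation) =>
  TUPLES.filter((t) => t.resource === resource && t.relation === relation)
    .map((t) => t.subject);

// True if `subject` holds `name` (a relation or permission) on `resource`.
function check(resource, name, subject) {
  const def = SCHEMA[resource.split(':')[0]];
  if (!def) return false;
  if (def.relations.includes(name)) return subjectsOf(resource, name).includes(subject);
  // Union (+): one granting term is enough.
  return (def.permissions[name] || []).some((term) => {
    if (!term.includes('->')) return check(resource, term, subject);
    const [rel, perm] = term.split('->');
    // Arrow: evaluate `perm` on every object reachable through `rel`.
    return subjectsOf(resource, rel).some((obj) => check(obj, perm, subject));
  });
}
```

Here bob has no direct relationship to document:readme; his edit access comes entirely from being admin of the organization the document points to. Writes to the org and admin relations therefore deserve the same scrutiny as direct owner or editor grants.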
Why Teams Choose SpiceDB
A multi-tenant SaaS grew from simple admin/user roles to needing organization-level permissions, document sharing, and team hierarchies. Their authorization code became 5,000 lines of SQL joins. After migrating to SpiceDB, permissions were defined in a 30-line schema and checked via API in microseconds. Adding new permission types went from days to minutes.
Who Is This For?
- SaaS platforms with complex multi-tenant permissions
- Document collaboration tools needing Google Drive-like sharing
- Enterprise apps requiring auditable, fine-grained access control
- Teams scaling beyond simple RBAC
Start Building
SpiceDB gives you a purpose-built database for permissions. Define once, check everywhere, scale infinitely.