spicedb
SpiceDB is an open-source authorization database inspired by Google's internal Zanzibar system. It stores and queries fine-grained permissions (who can do what on which resources) at scale, handling millions of queries per second with sub-5ms latency.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | authzed/spicedb |
| Owner | authzed |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 6.8k |
| Forks | 404 |
| Open issues | 143 |
| Latest release | v1.54.0 (2026-06-18) |
| Last updated | 2026-07-07 |
| Source | https://github.com/authzed/spicedb |
What spicedb is
Go-based, distributed authorization system implementing Google Zanzibar's architecture. Supports schema-driven relationship storage, permission checks, and reverse queries ("What can X do?" or "Who can access Y?") with configurable consistency models and multi-paradigm authorization (RBAC, ABAC, ReBAC).
Get the spicedb source
Clone the repository and explore it locally.
git clone https://github.com/authzed/spicedb.gitcd spicedb# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires designing and validating an authorization schema upfront; poor schema design can impact query performance and schema evolution is non-trivial.
- Needs a persistent datastore (PostgreSQL, MySQL, CockroachDB, etc.); operational responsibility for backup, replication, and availability of the backing database is required.
- Permission checks must be integrated into application code via SpiceDB clients (gRPC/HTTP); this introduces a new service dependency and potential latency in every authorization decision.
- Caveated relationships (conditions/attributes) add expressive power but increase schema complexity and query cost; careful modeling is needed to avoid performance degradation.
- Consistency model per-request (strong vs. eventual) must be tuned based on application tolerance; stronger consistency guarantees may impact latency and throughput.
When to avoid it — and what to weigh
- Simple, static role-based access control — If your authorization model is basic (e.g., fixed admin/user/guest roles with no relationships), SpiceDB's schema and operational overhead may be unjustified; simpler solutions suffice.
- Tight coupling to a specific identity provider — SpiceDB is agnostic to authentication; integrating it into systems where auth and authz are tightly fused may require refactoring and adds a separate moving part to manage.
- Sub-millisecond latency requirements — While SpiceDB achieves p95 latency of 5ms at scale, real-time, ultra-low-latency authorization checks (< 1ms) may require local caching or embedded authorization logic instead.
- Stateless, edge-only deployments — SpiceDB requires a persistent backing store (PostgreSQL, MySQL, etc.) and is designed as a centralized service; edge-only authorization without a central database is not a supported deployment model.
License & commercial use
Apache License 2.0 (Apache-2.0). A permissive OSI-approved license allowing commercial use, modification, and distribution with minimal restrictions (inclusion of license and notice of changes required).
Apache 2.0 permits commercial use without explicit per-use licensing; however, the data shows Authzed (the sponsoring company) offers commercial SpiceDB hosting and support. For self-hosted deployments, Apache 2.0 allows free commercial use. For managed services or enterprise support, refer to Authzed's commercial offerings (customer stories and managed platform referenced but not detailed in this data).
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Strong |
| Assessment confidence | High |
Authorization-critical system; data integrity and access control within SpiceDB itself are foundational security properties. Badges reference CII Best Practices (101%) and OpenSSF Security Scorecards, suggesting security-conscious development. Considerations: (1) Authentication of clients to SpiceDB (gRPC pre-shared key shown in example; production auth/TLS setup required); (2) Network isolation and encryption in transit; (3) Access control to schema changes and audit logs; (4) Correct schema design to prevent unintended permission grants; (5) Backup and recovery procedures for the backing datastore. No exploit disclosure details, penetration test results, or formal security audit data provided in this source.
Alternatives to consider
Authzero (Auth0 Fine-Grained Authorization)
Managed SaaS alternative integrated with Auth0 authentication; avoids self-hosting but less flexible schema and typically higher per-API-call costs; suitable for teams already on Auth0.
OPA/Rego (Open Policy Agent)
Policy-as-code engine for decentralized authorization; lighter weight, embeddable, but no built-in relationship storage or scalable central service; better for policy evaluation than relationship management.
Keycloak Authorization Services
Open-source IAM with built-in authorization; tightly coupled to authentication and identity management; simpler for RBAC but less flexible for fine-grained, relationship-heavy models.
Build on spicedb with DEV.co software developers
SpiceDB enables fine-grained, scalable permission management for SaaS and enterprise applications. Explore the GitHub repository, run the Docker container, or review the documentation to get started.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
spicedb FAQ
How does SpiceDB differ from traditional role-based access control (RBAC)?
What is the latency impact of querying SpiceDB for every permission check?
Can SpiceDB be embedded or must it run as a separate service?
What databases does SpiceDB support?
Software development & web development with DEV.co
Adopting spicedb is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source databases software in production.
Ready to centralize authorization across your platform?
SpiceDB enables fine-grained, scalable permission management for SaaS and enterprise applications. Explore the GitHub repository, run the Docker container, or review the documentation to get started.