DEV.co
Open-Source Databases · authzed

spicedb

SpiceDB is an open-source authorization database inspired by Google's internal Zanzibar system. It stores and queries fine-grained permissions (who can do what on which resources) at scale, handling millions of queries per second with sub-5ms latency.

Source: GitHub — github.com/authzed/spicedb
6.8k
GitHub stars
404
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryauthzed/spicedb
Ownerauthzed
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars6.8k
Forks404
Open issues143
Latest releasev1.54.0 (2026-06-18)
Last updated2026-07-07
Sourcehttps://github.com/authzed/spicedb

What spicedb is

Go-based, distributed authorization system implementing Google Zanzibar's architecture. Supports schema-driven relationship storage, permission checks, and reverse queries ("What can X do?" or "Who can access Y?") with configurable consistency models and multi-paradigm authorization (RBAC, ABAC, ReBAC).

Quickstart

Get the spicedb source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/authzed/spicedb.gitcd spicedb# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Multi-tenant SaaS platforms

Centralized authorization service across microservices, handling complex tenant isolation, role hierarchies, and dynamic permission models without embedding auth logic in every service.

Enterprise software with complex entitlements

Organizations managing fine-grained access control across teams, resources, and workflows (e.g., document collaboration, resource sharing, team-based permissions) with audit trails and consistency guarantees.

Cloud platforms and APIs

Declarative authorization for cloud services, IAM-like systems, and public APIs where permission inheritance, delegation, and scalability across geographic regions are critical requirements.

Implementation considerations

  • Requires designing and validating an authorization schema upfront; poor schema design can impact query performance and schema evolution is non-trivial.
  • Needs a persistent datastore (PostgreSQL, MySQL, CockroachDB, etc.); operational responsibility for backup, replication, and availability of the backing database is required.
  • Permission checks must be integrated into application code via SpiceDB clients (gRPC/HTTP); this introduces a new service dependency and potential latency in every authorization decision.
  • Caveated relationships (conditions/attributes) add expressive power but increase schema complexity and query cost; careful modeling is needed to avoid performance degradation.
  • Consistency model per-request (strong vs. eventual) must be tuned based on application tolerance; stronger consistency guarantees may impact latency and throughput.

When to avoid it — and what to weigh

  • Simple, static role-based access control — If your authorization model is basic (e.g., fixed admin/user/guest roles with no relationships), SpiceDB's schema and operational overhead may be unjustified; simpler solutions suffice.
  • Tight coupling to a specific identity provider — SpiceDB is agnostic to authentication; integrating it into systems where auth and authz are tightly fused may require refactoring and adds a separate moving part to manage.
  • Sub-millisecond latency requirements — While SpiceDB achieves p95 latency of 5ms at scale, real-time, ultra-low-latency authorization checks (< 1ms) may require local caching or embedded authorization logic instead.
  • Stateless, edge-only deployments — SpiceDB requires a persistent backing store (PostgreSQL, MySQL, etc.) and is designed as a centralized service; edge-only authorization without a central database is not a supported deployment model.

License & commercial use

Apache License 2.0 (Apache-2.0). A permissive OSI-approved license allowing commercial use, modification, and distribution with minimal restrictions (inclusion of license and notice of changes required).

Apache 2.0 permits commercial use without explicit per-use licensing; however, the data shows Authzed (the sponsoring company) offers commercial SpiceDB hosting and support. For self-hosted deployments, Apache 2.0 allows free commercial use. For managed services or enterprise support, refer to Authzed's commercial offerings (customer stories and managed platform referenced but not detailed in this data).

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Authorization-critical system; data integrity and access control within SpiceDB itself are foundational security properties. Badges reference CII Best Practices (101%) and OpenSSF Security Scorecards, suggesting security-conscious development. Considerations: (1) Authentication of clients to SpiceDB (gRPC pre-shared key shown in example; production auth/TLS setup required); (2) Network isolation and encryption in transit; (3) Access control to schema changes and audit logs; (4) Correct schema design to prevent unintended permission grants; (5) Backup and recovery procedures for the backing datastore. No exploit disclosure details, penetration test results, or formal security audit data provided in this source.

Alternatives to consider

Authzero (Auth0 Fine-Grained Authorization)

Managed SaaS alternative integrated with Auth0 authentication; avoids self-hosting but less flexible schema and typically higher per-API-call costs; suitable for teams already on Auth0.

OPA/Rego (Open Policy Agent)

Policy-as-code engine for decentralized authorization; lighter weight, embeddable, but no built-in relationship storage or scalable central service; better for policy evaluation than relationship management.

Keycloak Authorization Services

Open-source IAM with built-in authorization; tightly coupled to authentication and identity management; simpler for RBAC but less flexible for fine-grained, relationship-heavy models.

Software development agency

Build on spicedb with DEV.co software developers

SpiceDB enables fine-grained, scalable permission management for SaaS and enterprise applications. Explore the GitHub repository, run the Docker container, or review the documentation to get started.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

spicedb FAQ

How does SpiceDB differ from traditional role-based access control (RBAC)?
RBAC assigns fixed roles to users; SpiceDB stores explicit relationships (e.g., "user X is editor of document Y") and evaluates permissions dynamically. This enables dynamic hierarchies, delegation, and attribute-based conditions without schema changes, supporting ReBAC and ABAC paradigms.
What is the latency impact of querying SpiceDB for every permission check?
SpiceDB achieves p95 latency of 5ms at scale; most applications cache permission results or batch checks to reduce round trips. Network latency, datastore query time, and caching strategy all affect end-to-end latency; monitoring and tuning are essential.
Can SpiceDB be embedded or must it run as a separate service?
SpiceDB is designed as a separate, centralized service (not as an embedded library). It requires a backing datastore and is typically deployed as a distributed microservice shared across application instances.
What databases does SpiceDB support?
The data does not enumerate supported datastores. PostgreSQL, MySQL, and CockroachDB are mentioned in integration context, but the definitive list requires review of the official documentation or source code.

Software development & web development with DEV.co

Adopting spicedb is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source databases software in production.

Ready to centralize authorization across your platform?

SpiceDB enables fine-grained, scalable permission management for SaaS and enterprise applications. Explore the GitHub repository, run the Docker container, or review the documentation to get started.