SpiceDB
Open-source, Google Zanzibar-inspired fine-grained authorization system built by AuthZed. SpiceDB stores a schema that defines object types, their relations and the permissions computed from them, stores individual relationships as tuples (resource#relation@subject, for example document:doc123#viewer@user:alice), and answers permission checks by traversing the resulting relationship graph. Checks are consistent and scale to the individual tuple, so the system can answer questions like 'user:alice can view document:doc123 because she is a member of group:engineering, which has viewer access to project:backend, and the document belongs to that project'.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Designed to sit as a security boundary in front of application data: every decision goes through one API, so checks can be logged and relationship changes observed. Enable TLS on the gRPC and HTTP endpoints; plaintext listeners are for local development only. The pre-shared key used for client authentication must be a long, randomly generated secret, not a guessable string. SOC2 certified for AuthZed Cloud.
⚡ Reliability
Best When
You need Google Zanzibar-style fine-grained authorization where users have different permissions on different resources in your agent platform.
Avoid When
Simple role-based access is sufficient — SpiceDB's relationship model is powerful but adds significant complexity.
Use Cases
- Implement fine-grained resource-level permissions for agent systems (user X can access agent Y's outputs for document Z)
- Build Google Drive-like sharing models for agent workspace resources, with inheritance from parent resources and group membership
- Centralize authorization for multi-agent architectures where different agents hold different permissions on different resources
- Implement RBAC with resource-level granularity: a role does not grant blanket access, each resource is explicitly related to the subjects allowed to use it
- Audit relationship changes in agent systems with SpiceDB's Watch API, which streams every relationship write and delete; log the outcome of permission checks at the calling service alongside it
Not For
- Simple RBAC without resource-level granularity: OPA or Casbin are simpler for basic role checks
- Teams that want to ignore consistency entirely: SpiceDB makes it a per-request choice (minimize_latency by default, at_least_as_fresh with a ZedToken, or fully_consistent), and choosing wrongly yields stale or slow answers
- Teams without the resources to run another stateful service: SpiceDB needs a backing datastore (PostgreSQL, CockroachDB, MySQL or Cloud Spanner; the in-memory datastore is for development only)
Interface
Authentication
Pre-shared key (API key) for client authentication, sent as a bearer token in the authorization header. The gRPC and HTTP APIs both accept it. AuthZed Cloud adds OAuth.
Pricing
SpiceDB core is open source under the Apache 2.0 license. AuthZed (the company) offers managed SpiceDB in the cloud with an SLA.
Agent Metadata
Known Gotchas
- ⚠ SpiceDB follows Zanzibar's consistency model: a check defaults to minimize_latency and may be answered from a slightly stale snapshot. When a check must observe a write, pass the ZedToken returned by that write as at_least_as_fresh, or request fully_consistent and accept the latency cost
- ⚠ Schema changes are a deployment step: a new permission or relation is added by writing a new schema (zed schema write or the WriteSchema API), and SpiceDB rejects a schema that would orphan stored relationships, so delete those relationships before removing their relation and ship additive changes before code depends on them
- ⚠ Relationship tuples are the source of truth: forgetting to write a relationship when a resource is created (for example the document's link to its project) is a common bug, and it fails as a silent permission denial rather than an error
- ⚠ Wildcard subjects (user:* on a relation whose schema allows them) grant that relation to every subject of the type, and anything that inherits from the relation. Use them only for resources that are genuinely public in agent systems and prefer explicit relationships otherwise
- ⚠ LookupResources and LookupSubjects are powerful but expensive: listing everything a user can access walks the graph in reverse, so use the API's limit and cursor pagination and avoid them on hot paths at scale
- ⚠ SpiceDB requires a backing datastore (PostgreSQL, CockroachDB, MySQL or Cloud Spanner in production), so deploying it means running two database systems, each with its own operational overhead
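The graph traversal described in the introduction, together with the two gotchas above about a missing relationship and a wildcard subject, as an added illustration that is not SpiceDB's own code: a small Python model of a Zanzibar-style relationship graph. SPICEDB_SCHEMA is real SpiceDB schema syntax for this page's example; the dictionary SCHEMA and the function check() model only the subset of semantics it needs (unions of relations, arrows, subject sets, wildcards) and are not a substitute for CheckPermission against a running server. The object ids (doc123, backend, engineering), the user names and the relationships are constructed for the example.

```python
from __future__ import annotations

# Schema you would write to SpiceDB (zed schema write / WriteSchema) for the
# page's example: alice -> group:engineering -> project:backend -> document:doc123.
SPICEDB_SCHEMA = """
definition user {}
definition group {
    relation member: user | group#member
}
definition project {
    relation viewer: user | group#member | user:*
    permission view = viewer
}
definition document {
    relation project: project
    relation viewer: user | group#member
    permission view = viewer + project->view
}
"""

# Python model of the same schema (added here, not a SpiceDB data structure).
# A permission is a list of terms: a relation name, or (relation, permission)
# for an arrow `relation->permission`.
SCHEMA = {
    "group": {"relations": {"member"}, "permissions": {}},
    "project": {"relations": {"viewer"}, "permissions": {"view": ["viewer"]}},
    "document": {"relations": {"project", "viewer"},
                 "permissions": {"view": ["viewer", ("project", "view")]}},
}
MAX_DEPTH = 50  # SpiceDB also bounds dispatch depth so cyclic graphs fail loudly


class RelationshipStore:
    """Tuples (resource, relation, subject); a subject is an object such as
    "user:alice", a subject set "group:engineering#member" or a wildcard "user:*"."""

    def __init__(self) -> None:
        self.tuples: set[tuple[str, str, str]] = set()

    def write(self, resource: str, relation: str, subject: str) -> None:
        rtype = resource.split(":", 1)[0]
        if relation not in SCHEMA[rtype]["relations"]:  # SpiceDB rejects this too
            raise ValueError(f"{rtype} has no relation {relation!r}")
        self.tuples.add((resource, relation, subject))

    def subjects(self, resource: str, relation: str) -> list[str]:
        return [s for r, rel, s in self.tuples if r == resource and rel == relation]


def check(store: RelationshipStore, resource: str, name: str, subject: str,
          depth: int = 0) -> bool:
    """Does `subject` hold relation or permission `name` on `resource`?"""
    if depth > MAX_DEPTH:
        raise RecursionError("relationship graph too deep (cycle?)")
    spec = SCHEMA[resource.split(":", 1)[0]]
    if name in spec["relations"]:
        wildcard = subject.split(":", 1)[0] + ":*"
        for subj in store.subjects(resource, name):
            if subj in (subject, wildcard):
                return True
            if "#" in subj:  # subject set: recurse into the referenced relation
                sub_res, sub_rel = subj.split("#", 1)
                if check(store, sub_res, sub_rel, subject, depth + 1):
                    return True
        return False
    if name in spec["permissions"]:
        for term in spec["permissions"][name]:
            if isinstance(term, str):  # plain relation in the union
                if check(store, resource, term, subject, depth + 1):
                    return True
            else:  # arrow: follow `rel` to the related objects, check `perm` there
                rel, perm = term
                if any(check(store, obj, perm, subject, depth + 1)
                       for obj in store.subjects(resource, rel)):
                    return True
        return False
    raise ValueError(f"unknown relation or permission {name!r}")


def build_page_scenario() -> RelationshipStore:
    """Constructed sample data for the page's example (not real data)."""
    store = RelationshipStore()
    store.write("group:engineering", "member", "user:alice")
    store.write("project:backend", "viewer", "group:engineering#member")
    store.write("document:doc123", "project", "project:backend")
    return store


def demo() -> dict[str, bool]:
    store = build_page_scenario()
    results = {
        "alice_view_doc123": check(store, "document:doc123", "view", "user:alice"),
        "bob_view_doc123": check(store, "document:doc123", "view", "user:bob"),
    }
    # Gotcha 1: the document->project relationship was never written, so the
    # group path is unreachable and the check silently denies instead of erroring.
    broken = build_page_scenario()
    broken.tuples.discard(("document:doc123", "project", "project:backend"))
    results["alice_view_when_parent_missing"] = check(
        broken, "document:doc123", "view", "user:alice")
    # Gotcha 2: a single wildcard relationship opens the project, and every
    # document inheriting from it, to all users.
    store.write("project:backend", "viewer", "user:*")
    results["bob_view_after_wildcard"] = check(
        store, "document:doc123", "view", "user:bob")
    return results
```

Running demo() shows alice allowed through the group, bob denied, alice denied again once the document's project relationship is missing, and bob allowed as soon as user:* is written on the project. Against a real server the same scenario is three WriteRelationships calls followed by CheckPermission requests; the evaluator here exists only to make the traversal and the two failure modes visible offline.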
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for SpiceDB.
Scores are editorial opinions as of 2026-03-06.