SpiceDB is an open source database system for managing security-critical application permissions inspired by Google's Zanzibar paper.
Developers create a schema that models their permissions requirements and use any of the official or community-maintained client libraries to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications.
Features that distinguish SpiceDB from other systems include:
- Expressive gRPC and HTTP APIs for checking permissions, listing access, and powering devtools
- A distributed, parallel graph-engine faithful to the architecture described in Google's Zanzibar paper
- A flexible consistency model configurable per-request that includes resistance to the New Enemy Problem
- An expressive schema language with tools for rapid prototyping, integration testing, and validating designs in CI/CD pipelines
- Pluggable storage system supporting memdb, MySQL, PostgreSQL, CockroachDB, and Cloud Spanner
- Deep observability with Prometheus metrics, structured logging, and OpenTelemetry tracing
Have questions? Join our Discord.
Looking to contribute? See CONTRIBUTING.md.
Want to learn more about Zanzibar? Read the annotated paper with our commentary.
You can find issues by priority: Urgent, High, Medium, Low, Maybe. There are also good first issues.
The data used to calculate permissions have the most critical correctness requirements in the entirety of a software system. Despite that, developers continue to build their own ad-hoc solutions coupled to the internal code of each new project. By developing a SpiceDB schema, you can iterate far more quickly and exhaustively test designs before altering any application code. This becomes especially important as you introduce backwards-compatible changes to the schema and want to ensure that the system remains secure.
The SpiceDB schema language is built on top of the concept of a graph of relationships between objects. This ReBAC design is capable of efficiently supporting all popular access control models (such as RBAC and ABAC) and custom models that contain hybrid behavior.
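To make the relationship-graph idea concrete, here is an added toy model (not SpiceDB's engine, API, or schema syntax) showing RBAC-style role grants and a direct per-object grant resolved by the same graph walk. All object names, relationships, and the `check` helper are constructed for illustration, and permissions are assumed to be unions only.

```python
# Toy relationship-graph check (illustration only; not SpiceDB's engine or API).
# All object names and relationships below are constructed sample data.

# Relationships: (resource, relation, subject). A subject is either an object
# ("user:alice") or a userset ("role:admins#member": everyone with that relation).
RELATIONSHIPS = {
    ("role:admins", "member", "user:alice"),
    ("role:staff", "member", "user:bob"),
    ("role:staff", "member", "role:admins#member"),     # admins are also staff
    ("document:plan", "owner", "user:carol"),           # direct per-object grant
    ("document:plan", "editor", "role:admins#member"),  # RBAC-style grant
    ("document:plan", "viewer", "role:staff#member"),
}

# Permissions per object type, each a union of relations or other permissions.
PERMISSIONS = {
    "document": {"edit": ["owner", "editor"], "view": ["viewer", "edit"]},
}

def check(resource, permission, user, _seen=None):
    """Return True if `user` reaches `resource#permission` through the graph."""
    seen = _seen if _seen is not None else set()
    if (resource, permission) in seen:   # guard against cyclic relationships
        return False
    seen.add((resource, permission))
    obj_type = resource.split(":", 1)[0]
    # A permission expands to the union of its parts.
    parts = PERMISSIONS.get(obj_type, {}).get(permission)
    if parts is not None:
        return any(check(resource, p, user, seen) for p in parts)
    # A relation: follow each edge leaving resource#relation.
    for res, rel, subject in RELATIONSHIPS:
        if (res, rel) != (resource, permission):
            continue
        if subject == user:
            return True
        if "#" in subject:               # userset: recurse into its members
            sub_res, sub_rel = subject.split("#", 1)
            if check(sub_res, sub_rel, user, seen):
                return True
    return False
```

Bob (staff only) can view but not edit, while Alice inherits both through nested role membership and Carol through her direct owner relationship.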
Modern solutions to developing permission systems all have a similar goal: to decouple policy from the application. Using a dedicated database like SpiceDB not only accomplishes this, but takes this idea a step further by also decoupling the data that policies operate on. SpiceDB is designed to share a single unified view of permissions across as many applications as your organization has. This strategy has become an industry best practice and is being used to great success at companies large (Google, GitHub, Airbnb) and small (Carta, Authzed).
- Install SpiceDB with homebrew on macOS and Linux
- Run a SpiceDB container using a container engine such as docker
- Deploy non-production-ready examples using Kubernetes and Docker Compose
- Follow the guide for developing a schema
- Watch a video of us modeling GitHub
- Read the schema language design documentation
- Jump into the playground, load up some examples, and mess around
- Learn the latest best practice by following the Protecting Your First App guide
- Explore the gRPC API documentation on the Buf Registry
- Install zed and interact with a live database