# SpiceDB — Zanzibar-Inspired Authorization Database

> SpiceDB is an open-source database for storing and evaluating fine-grained authorization data, inspired by Google's Zanzibar system for consistent global permissions.

## Quick Use

```bash
docker run -d -p 50051:50051 authzed/spicedb serve --grpc-preshared-key "somerandomkeyhere"
zed schema write schema.zed --endpoint=localhost:50051 --token=somerandomkeyhere
zed permission check document:readme reader user:alice --endpoint=localhost:50051 --token=somerandomkeyhere
```

## Introduction

SpiceDB implements a permissions system modeled after Google's Zanzibar paper. It stores relationships between objects and subjects, then evaluates permission checks against a schema you define. This lets applications enforce consistent, fine-grained access control without embedding authorization logic in application code.

## What SpiceDB Does

- Stores relationship tuples that describe who has access to what
- Evaluates permission checks in milliseconds using a graph-based engine
- Enforces a typed schema language for defining relations and permissions
- Supports multiple storage backends including PostgreSQL, CockroachDB, and MySQL
- Provides gRPC and HTTP APIs with client libraries for Go, Java, Python, Ruby, and more

## Architecture Overview

SpiceDB runs as a stateless gRPC service backed by a relational datastore. Relationship data is stored as tuples in the database. On a permission check request, SpiceDB traverses the relation graph defined by the schema, resolving nested relations and intersections to return an allow or deny result. A watch API streams relationship changes for cache invalidation.
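
The traversal described in the Architecture Overview, as an added Python sketch that is not SpiceDB's engine or API. The tuples, the `view` permission and the function names `check` and `evaluate` are constructed for illustration, reusing `document:readme` and `user:alice` from the Quick Use commands.

```python
# Toy model of a Zanzibar-style check; NOT SpiceDB's engine, schema language or API.
# Constructed sample tuples: (resource, relation, subject). A subject of the form
# "type:id#relation" is a nested relation (everyone holding that relation).
TUPLES = {
    ("document:readme", "owner", "user:carol"),
    ("document:readme", "reader", "group:eng#member"),
    ("document:readme", "approved", "user:alice"),
    ("document:readme", "approved", "user:mallory"),
    ("group:eng", "member", "user:alice"),
    ("group:eng", "member", "user:bob"),
}

# Hypothetical schema: view = owner + (reader & approved)
SCHEMA = {"document": {"view": ("union", "owner", ("intersection", "reader", "approved"))}}

def check(resource, name, user, seen=frozenset()):
    """Return True only if a path from resource#name reaches user; otherwise deny."""
    if (resource, name) in seen:              # cycle guard for self-referencing groups
        return False
    seen = seen | {(resource, name)}
    expr = SCHEMA.get(resource.split(":")[0], {}).get(name)
    if expr is not None:                      # name is a computed permission
        return evaluate(resource, expr, user, seen)
    for res, rel, subject in TUPLES:          # name is a stored relation
        if (res, rel) != (resource, name):
            continue
        if subject == user:
            return True
        if "#" in subject:                    # follow the nested relation
            obj, sub_rel = subject.split("#")
            if check(obj, sub_rel, user, seen):
                return True
    return False                              # no tuple grants access: deny

def evaluate(resource, expr, user, seen):
    if isinstance(expr, str):
        return check(resource, expr, user, seen)
    op, left, right = expr
    l = evaluate(resource, left, user, seen)
    r = evaluate(resource, right, user, seen)
    if op == "union":
        return l or r
    if op == "intersection":
        return l and r
    raise ValueError(f"unknown operator: {op}")
```

With this data, group membership alone does not grant `view`: `user:bob` is a reader through `group:eng` but is denied because the intersection also requires `approved`.
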
## Self-Hosting & Configuration

- Run via Docker, Helm chart, or the SpiceDB Operator on Kubernetes
- Configure the datastore backend with `--datastore-engine` (postgres, cockroachdb, mysql, memdb)
- Set preshared keys or mTLS for API authentication
- Run `spicedb migrate head` to initialize or upgrade the datastore schema
- Horizontal scaling is achieved by adding stateless SpiceDB replicas behind a load balancer

## Key Features

- Schema language with IDE support for defining typed relations and permissions
- Consistent snapshot reads using Zanzibar-style zookies (consistency tokens)
- Bulk import and export of relationship data for migration or backup
- Watch API for streaming real-time changes to relationships
- Caveat system for conditional permissions based on runtime context

## Comparison with Similar Tools

- **Permify** — Similar Zanzibar approach but a younger project; SpiceDB has broader language support
- **Ory Keto** — Earlier Zanzibar implementation; SpiceDB provides a richer schema language
- **Casbin** — Library-based policy engine; SpiceDB is a standalone scalable service
- **Open Policy Agent** — General-purpose policy engine; SpiceDB specializes in relationship-based access control

## FAQ

**Q: What is the Zanzibar model?**
A: It is Google's approach to authorization where permissions are derived from stored relationships between objects and users, enabling consistent checks at scale.

**Q: Can SpiceDB handle millions of relationships?**
A: Yes. With CockroachDB or PostgreSQL as the backend, SpiceDB scales to billions of relationships.

**Q: Does SpiceDB support RBAC and ABAC?**
A: SpiceDB natively models ReBAC (relationship-based). RBAC is expressible as relations; ABAC is supported via the caveat system.

**Q: Is SpiceDB free?**
A: The core database is open source under Apache 2.0. AuthZed offers a managed cloud version.
## Sources

- https://github.com/authzed/spicedb
- https://authzed.com/docs

---

Source: https://tokrepo.com/en/workflows/d81bac9e-3ade-11f1-9bc6-00163e2b0d79
Author: AI Open Source