Interactive demo · 5 steps · ~3 min

Authorization for RAG

See how retrieval-augmented generation can leak confidential data, then how SpiceDB prevents it.

A walkthrough of an insecure chatbot, the failure mode, and the SpiceDB integration that prevents it. Try both sides live.

Step 1 of 5

RAG Without Authorization

Try it yourself. Ask a question that accesses a document you're not allowed to see. The AI returns the confidential data anyway.

Acme Corp AI · Authorization OFF
Ask Bob (Eng) the Q4 salary question, or Alice (HR) about Project X. Same question, wrong user. The AI should refuse, but without authorization it returns the document anyway.

Step 2 of 5

Why RAG Leaks Data

Standard RAG pipelines retrieve documents based on semantic similarity, not on who's allowed to see them.

Without Authorization

1. User Query: semantic search
2. Vector DB: retrieve top-K docs (no authz check)
3. LLM: full context (includes restricted docs)
4. Data Leak: confidential exposed (user sees what they shouldn't)

Vector DB has no ACLs. Embeddings are stored flat. A semantic search returns all similar documents regardless of who ingested them.

LLM uses all context. The model synthesizes everything in its context window. It has no concept of data sensitivity or access rights.

Output leaks secrets. Salary data, confidential specs, private HR records. The LLM will summarize anything it can access, regardless of sensitivity.

Step 3 of 5

RAG with Authorization Infrastructure

Now try the same question with authorization enabled. The vector DB retrieves first, then SpiceDB checks permissions on every returned document ID before anything reaches the LLM.

Acme Corp AI · Authorization ON

Post-Filter Authorization

Retrieve first, check permissions second

1. User Query: semantic search
2. Vector DB: retrieve top-K docs (returns doc IDs + metadata)
3. SpiceDB: CheckPermission per doc ID (post-filter on metadata)
4. LLM: authorized docs only

Post-filter approach

The vector DB retrieves the top-K results first. A CheckPermissionRequest is then performed on every document ID returned, using the article_id stored in document metadata. Only documents the user is authorized to view are passed to the LLM.

Step 4 of 5

How SpiceDB Enforces This

Every permission check is evaluated against a schema and a set of relationships, in milliseconds.

schema.zed
definition user {}

definition document {
    relation viewer: user
    permission view = viewer
}

The schema defines types and their permission relationships. The viewer relation grants the view permission.

Relationships

| Resource | Relation | Subject |
|---|---|---|
| document:q4-salaries | viewer | user:alice |
| document:hr-policy | viewer | user:alice |
| document:all-hands | viewer | user:alice |
| document:eng-roadmap | viewer | user:bob |
| document:project-x | viewer | user:bob |
| document:all-hands | viewer | user:bob |

Computed Access Matrix

| Document | Alice (HR) | Bob (Eng) |
|---|---|---|
| Q4 Salary Forecast | ✓ | ✗ |
| Engineering Roadmap | ✗ | ✓ |
| All-Hands Notes | ✓ | ✓ |
| Product Spec: Project X | ✗ | ✓ |
| HR Policy Handbook | ✓ | ✗ |

Step 5 of 5

The Problem Compounds With Agents

When an AI agent acts on behalf of a user, it should only be able to access what that user can access, nothing more.

AI Assistant (acting as Bob), Q4 Salary Forecast (document): ✗ DENIED

Bob can't view salary data, so his AI assistant can't either.

AI Assistant (acting as Alice), Q4 Salary Forecast (document): ✓ ALLOWED

Alice is in HR and can view salary data, so her AI assistant can too.

agentic-delegation.zed

An agent can only view what the user it represents can view.

definition user {
    relation delegate: agent
}

definition agent {}

definition document {
    relation viewer: user
    permission view = viewer + viewer->delegate
}
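The post-filter step from Step 3 and the delegation rule above, combined in one added example (not AuthZed's code). `check_view` is an in-memory stand-in for a SpiceDB CheckPermission call, and the agent names, delegate relationships and `TOP_K` hits are constructed for illustration.

```python
# Relationships from the page, as (resource, relation, subject) tuples.
RELATIONSHIPS = {
    ("document:q4-salaries", "viewer", "user:alice"),
    ("document:hr-policy", "viewer", "user:alice"),
    ("document:all-hands", "viewer", "user:alice"),
    ("document:eng-roadmap", "viewer", "user:bob"),
    ("document:project-x", "viewer", "user:bob"),
    ("document:all-hands", "viewer", "user:bob"),
    # Constructed for this example: each user delegates to one agent.
    ("user:alice", "delegate", "agent:alice-assistant"),
    ("user:bob", "delegate", "agent:bob-assistant"),
}

def check_view(document_id: str, subject: str) -> bool:
    """Evaluate `permission view = viewer + viewer->delegate` (stand-in for CheckPermission)."""
    resource = f"document:{document_id}"
    viewers = {s for (r, rel, s) in RELATIONSHIPS if r == resource and rel == "viewer"}
    if subject in viewers:
        return True
    # viewer->delegate: agents delegated by any viewer of this document.
    return any((v, "delegate", subject) in RELATIONSHIPS for v in viewers)

def post_filter(hits: list, subject: str) -> list:
    """Keep only retrieved chunks whose metadata article_id the subject may view."""
    allowed = []
    for hit in hits:
        article_id = hit.get("metadata", {}).get("article_id")
        # Fail closed: a chunk without an article_id cannot be checked, so drop it.
        if article_id and check_view(article_id, subject):
            allowed.append(hit)
    return allowed

# Constructed top-K result for the Q4 salary question (what the vector DB returns).
TOP_K = [
    {"text": "Q4 salary forecast ...", "metadata": {"article_id": "q4-salaries"}},
    {"text": "All-hands notes ...", "metadata": {"article_id": "all-hands"}},
    {"text": "Chunk ingested without metadata", "metadata": {}},
]

def context_ids(subject: str) -> list:
    """Document IDs that would reach the LLM context for this subject."""
    return [h["metadata"]["article_id"] for h in post_filter(TOP_K, subject)]

if __name__ == "__main__":
    for who in ("user:alice", "user:bob", "agent:bob-assistant"):
        print(who, context_ids(who))
```

Because filtering happens after retrieval, a user with few grants can end up with fewer than K documents in context; the pipeline should handle an empty list rather than fall back to unfiltered results.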
