Update Jul 29, 2021: The Papers We Love video is available and included in this post.
Google's Zanzibar paper was the initial inspiration for Authzed and continues to provide insight as we build our product. But we're not the only ones interested in this technology: the broader software community has also taken an interest in activity around Zanzibar-inspired permissions systems.
(A recent Google trends search corroborates this observation.)
Coincidentally, our CEO Jake recently presented the Zanzibar paper for Papers We Love, and his talk included a survey of the current landscape of (known) Zanzibar-based implementations. In this talk, he collected the following implementations and reviewed each of them against a rubric.
The rubric comprises a set of subjective measures intended to accentuate the design decision differences between the services.
Zanzibar Scorecard
- Paper faithfulness: How closely does the implementation follow the original paper?
- Scalability: Is the implementation distributed?
- CAP Compromise: What CAP trade-offs are taken?
- New enemy?: Does the implementation support zookies?
- Dev UX: Are supporting developer tools provided?
The video of his talk includes the detailed discussion of each of these services and we'll post a link as soon as it becomes available is available to view now:
Can you guess how each service did according to Jake's scorecard?
Here's the scorecard for Airbnb's Himeji as a preview.
Airbnb Himeji
| Criteria | Score |
|---|---|
| Paper faithfulness | Medium |
| Scalability | High |
| CAP Compromise | AP |
| New enemy? | No zookies |
| Dev UX | Average |
Share your thoughts in the Zanzibar discord or introduce any new Zanzibar-inspired implementations not covered yet.
Image credit: dschenkelman
Additional Reading
If you’re interested in learning more about Authorization and Google Zanzibar, we recommend reading the following posts:
- Understanding Google Zanzibar: A Comprehensive Overview
- A Primer on Modern Enterprise Authorization (AuthZ) Systems
- Fine-Grained Access Control: Can You Go Too Fine?
- Relationship Based Access Control (ReBAC): Using Graphs to Power your Authorization System
- Pitfalls of JWT Authorization
FAQ
What are the differences between Permify and SpiceDB, another popular open source implementation of Zanzibar?
SpiceDB and Permify both draw from Zanzibar's design, but differ meaningfully in licensing. SpiceDB ships under Apache-2.0, making it straightforward to embed in closed-source products. Permify uses AGPL-3.0, which can trigger source-availability obligations for networked deployments of modified versions. Permify was also acquired by FusionAuth in November 2025, shifting its governance trajectory.
On datastores, SpiceDB supports CockroachDB, Spanner, PostgreSQL, and MySQL, giving teams real flexibility around consistency and geography. Permify centers on PostgreSQL. Both use snapshot tokens for cache freshness, though SpiceDB calls these ZedTokens while Permify uses Snap Tokens.
Schema modeling diverges too. SpiceDB caveats attach CEL conditions directly to relationships, while Permify bakes ABAC into the schema via attributes and rules. These approaches aren't interchangeable. AuthZed also offers managed services and Materialize for accelerating large-scale lookup queries, plus validation tooling and a Kubernetes operator for production lifecycle management.
Can you provide a comparison of SpiceDB with other Google Zanzibar inspired projects?
SpiceDB stands out among Zanzibar-inspired engines primarily through its ZedToken consistency model, which provides genuine per-request bounded-staleness semantics and "New Enemy" problem mitigation. OpenFGA offers per-request consistency hints today with tokenized snapshots listed as future work, while Ory Keto's snaptokens were documented as unimplemented at publication time.
On conditional logic, SpiceDB Caveats and OpenFGA Conditions both use Google CEL, but SpiceDB's schema DSL offers stronger typing with union, intersection, and arrow traversals. Permify adds CEL-based ABAC rules but now sits within FusionAuth's roadmap, introducing acquisition-related uncertainty.
Operationally, SpiceDB ships a first-party Kubernetes Operator for Day-2 lifecycle management, alongside schema validation and testing tooling and reverse-index queries like LookupResources and LookupSubjects. Teams evaluating these engines should review SpiceDB best practices and AuthZed's documentation to assess fit against their consistency and operational requirements.