What's new at AuthZed?
In this release, we've focused on optimization in SpiceDB, introducing new experimental features to optimize the way you plan and create queries, as well as a new keyword to simplify your schema. We've also added other enhancements to the zed CLI, our client libraries, and AuthZed Cloud.
The new spicedb postgres-fdw command exposes SpiceDB as a Postgres Foreign Data Wrapper, allowing users to write permission checks as SELECT statements and express relationship writes using standard SQL.
This is a work in progress and not yet recommended for production, but if you're interested in querying SpiceDB through your existing Postgres connection, we encourage you to experiment and provide feedback.
A new --experimental-query-plan flag enables SpiceDB's in-progress query planner. There's still work to do on statistics sources and optimization before it will provide consistent performance benefits, so we're not recommending it for production yet — but it's available if you want to explore how it works.
self Keyword in Permissions
SpiceDB v1.49.1 adds a self keyword to schema permissions. If you've ever needed to express "a user can view themselves," you previously had to create a relation and write a relationship from the user back to itself — an extra round-trip to the database and a relationship that needed to stay in sync.
With self, you can express this directly in your permission definition. It's less schema to maintain, fewer relationships to write, and no extra database lookup at check time.
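The before and after of this change, as an added example that is not taken from the AuthZed release notes. The `myself` and `viewer` relation names are hypothetical, and placing `use self` at the top of the schema and using `self` as an operand in the permission expression are assumptions based on the `use self` keyword named on this page.

```zed
/*
 * Before `self` (the pattern the release note describes): a hypothetical
 * `myself` relation plus one stored relationship per user, for example
 *   user:alice#myself@user:alice
 * which has to be written when the user is created and kept in sync.
 *
 * definition user {
 *     relation myself: user
 *     permission view = myself
 * }
 */

// After: opt in to the keyword, then reference it in the permission.
use self

definition user {
    // Hypothetical relation: other users granted access to this profile.
    relation viewer: user

    // A user can always view themselves; no self-referencing relationship
    // has to be written, so a missed write cannot leave the user unable
    // to view their own record.
    permission view = viewer + self
}
```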
zed CLI
zed backup can now back up SpiceDB instances that don't expose the ExportBulk API — including very old versions and Serverless deployments. Several reliability fixes shipped alongside this:
use self Validation (v0.35.0)
zed validate now understands the use self schema keyword, so schemas using it will validate correctly.
DiffSchema and ReflectSchema are now part of the public API, making it easier to build tooling that inspects or compares SpiceDB schemas from Python.
API usage examples were added to the library, covering common patterns and addressing frequently-asked questions. The library also picked up the new DATASTORE_NOT_MIGRATED error code from the upstream API, giving Go applications a clearer signal when SpiceDB hasn't been migrated yet.
Package compatibility checking via publint was added to the build pipeline. This catches compatibility issues before packages are published to npm, improving reliability for downstream consumers.
Metrics queries are no longer capped at a maximum time range. You can now query the full history available, which is useful when investigating longer-term performance trends or capacity planning.
The connect dialog now shows ready-to-use code snippets for Python, Go, Node.js, and other languages. When you're setting up a new application, you can copy working connection code directly from the console.
A Grafana dashboard example was contributed to the examples repo, providing a starting point for teams that want to visualize SpiceDB metrics in Grafana.
This release brings new documentation resources, expanded cloud provider support for Materialize, open source tooling for schema development, and reliability improvements to SpiceDB.
SpiceDB v1.48.0 introduces new safeguards that prevent the system from consuming excessive memory during operation. This means more stable and predictable performance, even under heavy load.
The Memory Protection Middleware is enabled by default. If your server's memory usage gets too high, incoming requests will be rejected with a ResourceExhausted code (HTTP 429) rather than risking system instability. You can disable this behavior with --enable-memory-protection-middleware=false if needed.
Expiring Relationships, which allows you to set automatic expiration times on relationships, is now generally available. This feature is useful for implementing time-limited access, temporary permissions, or session-based authorization.
Learn more about Expiring Relationships
One of the most common questions we see on Discord is about SpiceDB's various APIs and when to use each one. We've published a new guide that breaks down the available APIs and helps you choose the right approach for your use case.
Materialize, our product for pre-computing permission results, is now supported on Azure. Materialize remains in early access as development continues to broaden support across more scenarios.
We've released spicedb-parser-js, a new open source project that houses the schema parser logic shared across tools like the Playground and VS Code extension.
This foundation will enable support for composable schemas in VS Code and makes it easier for the community to build tooling around SpiceDB schemas.
This release includes numerous bug fixes to improve the overall stability and reliability of AuthZed Cloud.
Build a Multi-Tenant RAG with Fine-Grain Authorization using Motia and SpiceDB
Learn how to combine retrieval-augmented generation with fine-grained permissions to build AI applications that respect your authorization model.
This release includes schema enhancements for SpiceDB, new Materialize API capabilities in the Python client, and dashboard improvements for AuthZed Cloud.
The Schema V2 library now includes:
->) including conditional traversals (.any() and .all())
These additions support developers building schema analysis and transformation tools.
This release adds support for the Materialize API, which helps maintain a real-time copy of permissions data in your own database systems.
When displaying lists or tables of accessible resources, checking permissions individually can be slow. The Materialize API addresses this by synchronizing permission relationships to your local systems.
The implementation includes:
Various visual and functional improvements.
AuthZed has introduced the Terraform and OpenTofu Provider for AuthZed Dedicated, giving customers a powerful way to manage their authorization infrastructure using industry standard best practices.
With this new provider, teams can define, version, and automate their resources in their AuthZed Dedicated environment entirely through declarative infrastructure-as-code. This makes it easier than ever to integrate authorization management into existing operational workflows. And we're continuing work to support additional resources in AuthZed Dedicated environments, including Permissions Systems.
Modern infrastructure teams rely on Terraform and OpenTofu to manage everything from compute resources to networking and identity. With the new AuthZed provider, you can now manage your authorization layer in the same way, improving consistency, reducing manual configuration, and enabling repeatable deployments across environments.
For AuthZed customers interested in using the Terraform and OpenTofu provider, please contact your account manager for access.
To explore the provider and get started, visit the AuthZed Terraform Provider on GitHub.
This release brings improvements to SpiceDB's reliability, new AI-assisted development tools, enhanced visibility for cloud customers, and customer stories that showcase real-world authorization implementations.
Better Handling of High Traffic: SpiceDB now intelligently manages write loads by returning clear error messages when the system is busy. (Available when using CockroachDB as the datastore.) This means authorization decisions stay reliable during traffic spikes, preventing service disruptions across applications.
Faster Permission Checks: We've optimized how SpiceDB processes relationship queries, allowing it to skip unnecessary work when checking permissions.
Improved Query Engine: The Lookup Resources engine, which powers queries like "show me everything this user can access," now uses less memory.
Note: If you use the zed command-line tool, you'll need to update to v0.33.0 for full compatibility.
For customers using AuthZed's managed services, this release brings improvements to monitoring, alerting, and operational visibility.
Proactive Resource Monitoring: A new warning banner in the dashboard now alerts you when permission system resource usage is high, giving you time to take action before issues arise. New response code graphs provide visibility into API performance, helping you understand how your authorization system is behaving.
Expanded Monitoring Coverage: Over 25 improvements were made to the monitoring infrastructure, including new alerts that notify teams when storage capacity exceeds 90%, when too many API requests fail, or when memory issues occur. The monitoring system now tracks performance across different regions and customer environments more precisely, helping ensure consistent service quality.
We've launched two Model Context Protocol (MCP) servers that bring SpiceDB resources directly into your AI coding assistant:
These tools work with AI assistants like ChatGPT and Claude Code to help you develop schemas, test permissions, and learn SpiceDB concepts through natural conversation. The zed CLI tool now includes experimental MCP agent support, enabling AI-assisted schema development right from your command line.
Learn more about MCP integration
All AuthZed client libraries have been updated to support the latest SpiceDB v1.45.4 API changes. Here's what's new:
Watch API Improvements: The Watch API now includes expanded metadata, giving you richer context about permission changes as they happen. This is useful for building audit logs, real-time dashboards, or notification systems that react immediately to authorization updates.
Language-Specific Highlights:
ErrorReason enum
The zed CLI received reliability improvements, including more robust retry mechanisms for Watch functionality and better support for the latest SpiceDB versions.
Turo's Success Story: The world's leading car-sharing platform shared how they transformed their authorization system with SpiceDB and AuthZed Dedicated hosting. Their team-based permissions solution solved critical security challenges where fleet owners previously had to share passwords. After two years in production, they've experienced only one incident, demonstrating the reliability of managed hosting.
Canva Insights on the Dual Write Problem: Artie Shevchecko from Canva presented solutions to the dual-write problem when implementing centralized authorization. The talk showed how SpiceDB simplifies data replication challenges compared to traditional event-driven architectures.
Both presentations were part of the Authorization Infrastructure event hosted by AuthZed in August.
We've launched a brand guidelines page with downloadable assets including AuthZed and SpiceDB logos in multiple formats, complete color palette documentation, and usage guidelines.