What's new at AuthZed?
In this release, we've made significant enhancements to SpiceDB's schema management, moved closer to general availability of the Query Planner, and made improvements to our Python and Go clients.
Large permission schemas can now be split across multiple files. The new use import and use partial keywords let you define pieces of your schema in separate files and compose them together — the same way you'd organize any other large codebase.
This affects the full development workflow: SpiceDB, the VS Code extension, and the zed CLI all support composable schemas as of this release cycle.
Note: if you're using composable schemas, the root file must declare use import before any import statements, and use partial before any partial declarations.
The experimental query planner (enabled via --experimental-query-plan) received substantial work over this period. In v1.49.2, it gained recursive direction strategies and a canonicalization framework for query plan outlines. In v1.50.0, it expanded to cover LookupResources and LookupSubjects endpoints, added in-memory statistics for informing optimizations, and can now prune branches during Check requests that cannot possibly lead to the expected subject type — reducing unnecessary work.
This is still experimental and not recommended for production, but it's meaningfully closer to general availability.
SpiceDB now correctly parses version information from CockroachDB 26.1 clusters. If you're planning to upgrade your CRDB cluster to 26.1, SpiceDB v1.49.2 or later is required.
zed CLI
zed validate now works with composable (multi-file) schemas. If your schema uses import or partial, zed validate can now validate it correctly — including resolving imports and checking the composed result.
This requires declaring use import at the top of your root schema file before any import statements, and use partial before any partial declarations.
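A minimal two-file layout for the composable schemas described above and in the schema-management notes earlier on this page. This is an added example, not taken from AuthZed's documentation; the file names, the audited_view partial, and every definition and relation name are constructed for illustration.

```zed
// ---- schema.zed (root file; file name constructed for this example) ----
// Feature flags come first: `use import` before any import statement,
// `use partial` before any partial declaration.
use import
use partial

import "./subjects.zed"

// Shared fragment: declared once, spread into several definitions.
// A change here changes the effective permissions of every definition
// that references it, so review partials as carefully as definitions.
partial audited_view {
    relation viewer: user | group#member
    relation auditor: user
    permission view = viewer + auditor
}

definition document {
    ...audited_view

    relation owner: user
    permission edit = owner
}

definition report {
    ...audited_view
}

// ---- subjects.zed (imported file; uses neither imports nor partials) ----
definition user {}

definition group {
    relation member: user
}
```

Running zed validate against the root file checks the composed result, which is the schema that is actually enforced once the partials are expanded into document and report.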
DownloadPermissionSetsResponse now includes a timestamp field, making it easier to reason about the freshness of permission set snapshots in applications that use this API.
protovalidate was moved from a required dependency to an optional/dev dependency, reducing installation footprint for users who don't need schema validation tooling.
A new example was added showing how to build an agentic Retrieval-Augmented Generation (RAG) system with authorization enforced by SpiceDB. This covers a practical pattern for teams building AI applications that need to ensure users only retrieve documents they're permitted to see.
In this release, we've focused on optimization in SpiceDB, introducing new experimental features to optimize the way you plan and create queries, as well as a new keyword to simplify your schema. We've also added other enhancements to the zed CLI, our client libraries, and AuthZed Cloud.
The new spicedb postgres-fdw command exposes SpiceDB as a Postgres Foreign Data Wrapper, allowing users to write permission checks as SELECT statements and express relationship writes using standard SQL.
This is a work in progress and not yet recommended for production, but if you're interested in querying SpiceDB through your existing Postgres connection, we encourage you to experiment and provide feedback.
A new --experimental-query-plan flag enables SpiceDB's in-progress query planner. There's still work to do on statistics sources and optimization before it will provide consistent performance benefits, so we're not recommending it for production yet — but it's available if you want to explore how it works.
self Keyword in Permissions
SpiceDB v1.49.1 adds a self keyword to schema permissions. If you've ever needed to express "a user can view themselves," you previously had to create a relation and write a relationship from the user back to itself — an extra round-trip to the database and a relationship that needed to stay in sync.
With self, you can express this directly in your permission definition. It's less schema to maintain, fewer relationships to write, and no extra database lookup at check time.
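The two approaches side by side, as an added example that is not from the release notes themselves. The relation and permission names (myself, manager, view_profile) are constructed, and the use self line is the schema flag this page mentions in the zed validate notes.

```zed
// ---- before.zed: self-referential relation (names constructed) ----
definition user {
    relation myself: user
    relation manager: user
    permission view_profile = myself + manager
}
// One stored relationship per user, written and kept in sync by the
// application. If it is missing, the user is denied access to their
// own profile:
//   user:alice#myself@user:alice

// ---- after.zed: the self keyword ----
// The flag is declared at the top of the schema.
use self

definition user {
    relation manager: user
    // `self` matches when the subject is the same object as the resource,
    // so no self-relationship has to be stored or looked up.
    permission view_profile = self + manager
}
```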
zed CLI
zed backup can now back up SpiceDB instances that don't expose the ExportBulk API — including very old versions and Serverless deployments. Several reliability fixes shipped alongside this:
use self Validation (v0.35.0)
zed validate now understands the use self schema keyword, so schemas using it will validate correctly.
DiffSchema and ReflectSchema are now part of the public API, making it easier to build tooling that inspects or compares SpiceDB schemas from Python.
API usage examples were added to the library, covering common patterns and addressing frequently-asked questions. The library also picked up the new DATASTORE_NOT_MIGRATED error code from the upstream API, giving Go applications a clearer signal when SpiceDB hasn't been migrated yet.
Package compatibility checking via publint was added to the build pipeline. This catches compatibility issues before packages are published to npm, improving reliability for downstream consumers.
Metrics queries are no longer capped at a maximum time range. You can now query the full history available, which is useful when investigating longer-term performance trends or capacity planning.
The connect dialog now shows ready-to-use code snippets for Python, Go, Node.js, and other languages. When you're setting up a new application, you can copy working connection code directly from the console.
A Grafana dashboard example was contributed to the examples repo, providing a starting point for teams that want to visualize SpiceDB metrics in Grafana.
This release brings new documentation resources, expanded cloud provider support for Materialize, open source tooling for schema development, and reliability improvements to SpiceDB.
SpiceDB v1.48.0 introduces new safeguards that prevent the system from consuming excessive memory during operation. This means more stable and predictable performance, even under heavy load.
The Memory Protection Middleware is enabled by default. If your server's memory usage gets too high, incoming requests will be rejected with a ResourceExhausted code (HTTP 429) rather than risking system instability. You can disable this behavior with --enable-memory-protection-middleware=false if needed.
Expiring Relationships, which allows you to set automatic expiration times on relationships, is now generally available. This feature is useful for implementing time-limited access, temporary permissions, or session-based authorization.
Learn more about Expiring Relationships
One of the most common questions we see on Discord is about SpiceDB's various APIs and when to use each one. We've published a new guide that breaks down the available APIs and helps you choose the right approach for your use case.
Materialize, our product for pre-computing permission results, is now supported on Azure. Materialize remains in early access as development continues to broaden support across more scenarios.
We've released spicedb-parser-js, a new open source project that houses the schema parser logic shared across tools like the Playground and VS Code extension.
This foundation will enable support for composable schemas in VS Code and makes it easier for the community to build tooling around SpiceDB schemas.
This release includes numerous bug fixes to improve the overall stability and reliability of AuthZed Cloud.
Build a Multi-Tenant RAG with Fine-Grain Authorization using Motia and SpiceDB
Learn how to combine retrieval-augmented generation with fine-grained permissions to build AI applications that respect your authorization model.
This release includes schema enhancements for SpiceDB, new Materialize API capabilities in the Python client, and dashboard improvements for AuthZed Cloud.
The Schema V2 library now includes:
->) including conditional traversals (.any() and .all())
These additions support developers building schema analysis and transformation tools.
This release adds support for the Materialize API, which helps maintain a real-time copy of permissions data in your own database systems.
When displaying lists or tables of accessible resources, checking permissions individually can be slow. The Materialize API addresses this by synchronizing permission relationships to your local systems.
The implementation includes:
Various visual and functional improvements.
AuthZed has introduced the Terraform and OpenTofu Provider for AuthZed Dedicated, giving customers a powerful way to manage their authorization infrastructure using industry standard best practices.
With this new provider, teams can define, version, and automate their resources in their AuthZed Dedicated environment entirely through declarative infrastructure-as-code. This makes it easier than ever to integrate authorization management into existing operational workflows. And we're continuing work to support additional resources in AuthZed Dedicated environments, including Permissions Systems.
Modern infrastructure teams rely on Terraform and OpenTofu to manage everything from compute resources to networking and identity. With the new AuthZed provider, you can now manage your authorization layer in the same way, improving consistency, reducing manual configuration, and enabling repeatable deployments across environments.
For AuthZed customers interested in using the Terraform and OpenTofu provider, please contact your account manager for access.
To explore the provider and get started, visit the AuthZed Terraform Provider on GitHub.
This release brings improvements to SpiceDB's reliability, new AI-assisted development tools, enhanced visibility for cloud customers, and customer stories that showcase real-world authorization implementations.
Better Handling of High Traffic: SpiceDB now intelligently manages write loads by returning clear error messages when the system is busy. (Available when using CockroachDB as the datastore.) This means authorization decisions stay reliable during traffic spikes, preventing service disruptions across applications.
Faster Permission Checks: We've optimized how SpiceDB processes relationship queries, allowing it to skip unnecessary work when checking permissions.
Improved Query Engine: The Lookup Resources engine, which powers queries like "show me everything this user can access," now uses less memory.
Note: If you use the zed command-line tool, you'll need to update to v0.33.0 for full compatibility.
For customers using AuthZed's managed services, this release brings improvements to monitoring, alerting, and operational visibility.
Proactive Resource Monitoring: A new warning banner in the dashboard now alerts you when permission system resource usage is high, giving you time to take action before issues arise. New response code graphs provide visibility into API performance, helping you understand how your authorization system is behaving.
Expanded Monitoring Coverage: Over 25 improvements were made to the monitoring infrastructure, including new alerts that notify teams when storage capacity exceeds 90%, when too many API requests fail, or when memory issues occur. The monitoring system now tracks performance across different regions and customer environments more precisely, helping ensure consistent service quality.
We've launched two Model Context Protocol (MCP) servers that bring SpiceDB resources directly into your AI coding assistant:
These tools work with AI assistants like ChatGPT and Claude Code to help you develop schemas, test permissions, and learn SpiceDB concepts through natural conversation. The zed CLI tool now includes experimental MCP agent support, enabling AI-assisted schema development right from your command line.
Learn more about MCP integration
All AuthZed client libraries have been updated to support the latest SpiceDB v1.45.4 API changes. Here's what's new:
Watch API Improvements: The Watch API now includes expanded metadata, giving you richer context about permission changes as they happen. This is useful for building audit logs, real-time dashboards, or notification systems that react immediately to authorization updates.
Language-Specific Highlights:
ErrorReason enum
The zed CLI received reliability improvements, including more robust retry mechanisms for Watch functionality and better support for the latest SpiceDB versions.
Turo's Success Story: The world's leading car-sharing platform shared how they transformed their authorization system with SpiceDB and AuthZed Dedicated hosting. Their team-based permissions solution solved critical security challenges where fleet owners previously had to share passwords. After two years in production, they've experienced only one incident, demonstrating the reliability of managed hosting.
Canva Insights on the Dual Write Problem: Artie Shevchecko from Canva presented solutions to the dual-write problem when implementing centralized authorization. The talk showed how SpiceDB simplifies data replication challenges compared to traditional event-driven architectures.
Both presentations were part of the Authorization Infrastructure event hosted by AuthZed in August.
We've launched a brand guidelines page with downloadable assets including AuthZed and SpiceDB logos in multiple formats, complete color palette documentation, and usage guidelines.
Updates, new features, and improvements from AuthZed.