SpiceDB Documentation

Welcome to the official documentation for the SpiceDB ecosystem.

New? Follow our first steps guide→Got questions? Our FAQ has answers→Paid products? That's the AuthZed docs→

What is SpiceDB?

SpiceDB is an open-source, Google Zanzibar (opens in a new tab)-inspired database system for real-time, security-critical application permissions.

Developers create and apply a schema (opens in a new tab) that models their application's resources and permissions. From their applications, client libraries (opens in a new tab) are used to insert relationships or check permissions in their applications.

Building modern authorization from scratch is non-trivial and requires years of development from domain experts. Until SpiceDB, the only developers with access to these workflows were employed by massive tech companies that could invest in building mature, but proprietary solutions. Now we have a community organized around sharing this technology so the entire industry can benefit.

In some scenarios, SpiceDB can be challenging to operate because it is a critical, low-latency, distributed system. For folks interested in managed SpiceDB services and enterprise functionality, there are AuthZed's products.

A brief SpiceDB history lesson

In August 2020, the founders of AuthZed left Red Hat (opens in a new tab), who had acquired their previous company CoreOS (opens in a new tab). In the following month, they would write the first API-complete implementation of Zanzibar; project Arrakis was written in lazily-evaluated, type-annotated Python. In September, Arrakis was demoed as a part of their YCombinator (opens in a new tab) application. In March 2021, Arrakis was rewritten in Go, a project code named Caladan. This rewrite would eventually be open-sourced in September 2021 under the name SpiceDB (opens in a new tab).

You can also read the history of Google's Zanzibar project, the spiritual predecessor and inspiration for SpiceDB.

SpiceDB Features

Features that distinguish SpiceDB from other systems include:

Expressive gRPC (opens in a new tab) and HTTP/JSON (opens in a new tab) APIs for checking permissions, listing access, and powering devtools
A distributed, parallel graph engine faithful to the architecture described in Google's Zanzibar paper (opens in a new tab)
A flexible consistency model configurable per request (opens in a new tab) that includes resistance to the New Enemy Problem (opens in a new tab)
An expressive schema language (opens in a new tab) with a playground (opens in a new tab) and CI/CD integrations for validation (opens in a new tab) and integration testing (opens in a new tab)
A pluggable storage system (opens in a new tab) supporting in-memory (opens in a new tab), Spanner (opens in a new tab), CockroachDB (opens in a new tab), PostgreSQL (opens in a new tab) and MySQL (opens in a new tab)
Deep observability with Prometheus (opens in a new tab) metrics, pprof (opens in a new tab) profiles, structured logging, and OpenTelemetry (opens in a new tab) tracing

First Steps