Welcome to the official documentation for the SpiceDB ecosystem.
Developers create and apply a schema (opens in a new tab) that models their application's resources and permissions. From their applications, client libraries (opens in a new tab) are used to insert relationships or check permissions in their applications.
Building modern authorization from scratch is non-trivial and requires years of development from domain experts. Until SpiceDB, the only developers with access to these workflows were employed by massive tech companies that could invest in building mature, but proprietary solutions. Now we have a community organized around sharing this technology so that the entire industry can benefit.
In some scenarios, SpiceDB can be challenging to operate because it is a critical, low-latency, distirbuted system. For folks interested in a managed SpiceDB services and enterprise functionality, there are AuthZed's products.
In August 2020, the founders of AuthZed left Red Hat (opens in a new tab), who had acquired their previous company CoreOS (opens in a new tab). In the following month, they would write the first API-complete implementation of Zanzibar; project Arrakis was written in lazily-evaluated, type-annotated Python. In September, Arrakis was demoed as a part of their YCombinator (opens in a new tab) application. In March 2021, Arrakis was rewritten in Go, a project code-named Caladan. This rewrite would eventually be open-sourced in September 2021 under the name SpiceDB (opens in a new tab).
You can read also read the history of Google's Zanzibar project, which is the spirtual predecessor and inspiration for SpiceDB.
Features that distinguish SpiceDB from other systems include:
- Expressive gRPC (opens in a new tab) and HTTP/JSON (opens in a new tab) APIs for checking permissions, listing access, and powering devtools
- A distributed, parallel graph-engine faithful to the architecture described in Google's Zanzibar paper (opens in a new tab)
- A flexible consistency model configurable per-request (opens in a new tab) that includes resistance to the New Enemy Problem (opens in a new tab)
- An expressive schema language (opens in a new tab) with a playground (opens in a new tab) and CI/CD integrations for validation (opens in a new tab) and integration testing (opens in a new tab)
- A pluggable storage system (opens in a new tab) supporting in-memory (opens in a new tab), Spanner (opens in a new tab), CockroachDB (opens in a new tab), PostgreSQL (opens in a new tab) and MySQL (opens in a new tab)
- Deep observability with Prometheus (opens in a new tab) metrics, pprof (opens in a new tab) profiles, structured logging, and OpenTelemetry (opens in a new tab) tracing
SpiceDB developers and community members have recorded videos explaining concepts, modeling familiar applications, and deep diving on the tech powering everything!
Thousands of community members chat interactively in our Discord (opens in a new tab). Why not ask them a question or two?
SpiceDB and Zed run on Linux, macOS, and Windows on both AMD64 and ARM64 architectures.
Follow the instructions below install to your development machine:
We've documented the concepts SpiceDB users should understand:
After these, we recommend these concepts for running SpiceDB:
Finally, there are some more advanced concepts that are still fundamental:
You can experiment with and share schema and data snippets on the Playground (opens in a new tab).
When you're done, you can easily import these into a real SpiceDB instance using
Here's a very example to toy with:
Once you're ready to take things into production, you can reference our guides or explore a managed solution with AuthZed.
Even if you aren't interested in paid products, you can still schedule a call or reach out on Discord.