Frequently-asked Questions
Is SpiceDB Open Source?
SpiceDB is developed as an Apache 2.0-licensed open-source, community-first effort.
Large contributions must follow a proposal and feedback process regardless of whether the authors are maintainers, AuthZed employees, or brand new to the community.
Other AuthZed open source projects are typically licensed Apache 2.0 unless they are a fork of another codebase. Example code is MIT-licensed so that it can be modified and adopted into any codebase.
Not all code produced at AuthZed is open source. There are two conditions under which code is kept proprietary:
- Functionality is minimally applicable to the community and is directly tied to enterprise environments
- Functionality is tied to AuthZed’s infrastructure and is not widely applicable to all deployments
Does SpiceDB secure IT infrastructure?
SpiceDB is a database designed to be integrated into applications.
There are some organizations with homegrown IT use-cases that use SpiceDB. However, for most IT use cases, this is probably more low-level than what you need.
We recommend looking into tools designed around specific IT workflows such as auditing (Orca, PrismaCloud), governance, access management (Indent, ConductorOne).
Is SpiceDB a policy engine?
SpiceDB is not a policy engine.
SpiceDB was inspired by Zanzibar, which popularized the concept of Relationship-based access control (ReBAC). ReBAC systems offer correctness, performance, and scaling guarantees that are not possible in systems designed purely around policy. Notably, policy engines cannot implement Reverse Indices.
However, there are some scenarios where ReBAC systems can benefit from dynamic enforcement. For these scenarios, SpiceDB supports Caveats as a light-weight form of policy that avoids pitfalls present in many other systems.
How do I filter resources based on access decisions in SpiceDB?
There are three approaches for filtering resources based on whether users have access to them:
- LookupResources - Use when the number of accessible resources is relatively small. Call LookupResources to get all resource IDs the user can access, then use those IDs as a filter in your database query (e.g., WHERE id = ANY(ARRAY[...])). This is the simplest approach and a good starting point.
- CheckBulkPermissions - Use when accessible resources are too large for LookupResources. Fetch a page of candidate results from your database, then call CheckBulkPermissions to determine which ones the user can access. Keep iterating until you have a full page of permitted results. This works well with cursor-based pagination and search interfaces.
- Materialize (Early Access) - For maximum scalability with large datasets or high traffic. Materialize watches permission changes in SpiceDB and maintains a local denormalized view of user permissions, allowing you to use simple database JOINs for filtering.
Choose based on your scale: start with LookupResources, move to CheckBulkPermissions when needed, and consider Materialize for the highest performance requirements.
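The CheckBulkPermissions loop described above, as an added example (not code from the SpiceDB project): `fetch_candidates` and `check_bulk` are hypothetical stand-ins for your database query and the SpiceDB call, run over constructed sample data. A candidate is kept only on an explicit positive result, and the cursor advances past denied rows so the next request resumes correctly.

```python
# Constructed sample data: (id, title) rows ordered by id, standing in for an application table.
DOCS = [(i, f"doc-{i}") for i in range(1, 21)]
# Constructed grants: user "alice" may view only documents whose id is a multiple of 3.
GRANTS = {("alice", i) for i in range(3, 21, 3)}


def fetch_candidates(after_id: int, limit: int) -> list[tuple[int, str]]:
    """Hypothetical stand-in for:
    SELECT id, title FROM docs WHERE id > %s ORDER BY id LIMIT %s"""
    return [row for row in DOCS if row[0] > after_id][:limit]


def check_bulk(user: str, ids: list[int]) -> dict[int, bool]:
    """Hypothetical stand-in for one CheckBulkPermissions call: id -> has permission."""
    return {i: (user, i) in GRANTS for i in ids}


def permitted_page(user, page_size, cursor=0, batch=5, max_batches=20,
                   fetch=fetch_candidates, check=check_bulk):
    """Return (rows, next_cursor); next_cursor is None once candidates are exhausted."""
    page = []
    for _ in range(max_batches):              # bound the work done for one request
        rows = fetch(cursor, batch)
        if not rows:
            return page, None
        allowed = check(user, [r[0] for r in rows])
        for row in rows:
            cursor = row[0]                   # advance past denied rows too
            if allowed.get(row[0]) is True:   # fail closed: a missing result is a deny
                page.append(row)
                if len(page) == page_size:
                    return page, cursor       # rest of this batch is re-fetched next time
    return page, cursor                       # partial page; caller may resume from cursor


if __name__ == "__main__":
    cursor = 0
    while cursor is not None:
        rows, cursor = permitted_page("alice", page_size=3, cursor=cursor)
        print([r[0] for r in rows], "next cursor:", cursor)
```
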
How can I get involved with SpiceDB?
The best first step is to join Discord.
Discord is a great place to chat with other community members and the maintainers of the software.
If you’re looking to contribute code, you can read CONTRIBUTING.md in our open source projects for details on how to contribute, good first issues, and common development workflows.