{"id":13491100,"url":"https://github.com/authzed/spicedb","last_synced_at":"2025-05-14T22:05:40.171Z","repository":{"id":36955878,"uuid":"396856161","full_name":"authzed/spicedb","owner":"authzed","description":"Open Source, Google Zanzibar-inspired database for scalably storing and querying fine-grained authorization data","archived":false,"fork":false,"pushed_at":"2025-05-13T12:26:22.000Z","size":21240,"stargazers_count":5653,"open_issues_count":110,"forks_count":313,"subscribers_count":49,"default_branch":"main","last_synced_at":"2025-05-14T22:05:08.352Z","etag":null,"topics":["abac","acl","authorization","ciam","cloud-native","database","distributed-systems","entitlements","fga","fine-grained-access-control","fine-grained-authorization","kubernetes","permissions","rbac","rebac","security","security-tools","zanzibar"],"latest_commit_sha":null,"homepage":"https://authzed.com/docs","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/authzed.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-08-16T15:32:09.000Z","updated_at":"2025-05-14T17:16:45.000Z","dependencies_parsed_at":"2023-01-17T08:15:31.687Z","dependency_job_id":"931f5c8e-00b5-4340-9828-3d08b32bd053","html_url":"https://github.com/authzed/spicedb","commit_stats":{"total_commits":2960,"total_committers":53,"mean_commits":55.84905660377358,"dds":0.6293918918918919,"last_synced_commit":"aa50776bf94bf79788d2c7f84104aaf6ee6e8bb6"},"previous_names":[],"tags_count":102,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/authzed","download_url":"https://codeload.github.com/authzed/spicedb/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254235687,"owners_count":22036962,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abac","acl","authorization","ciam","cloud-native","database","distributed-systems","entitlements","fga","fine-grained-access-control","fine-grained-authorization","kubernetes","permissions","rbac","rebac","security","security-tools","zanzibar"],"created_at":"2024-07-31T19:00:53.546Z","updated_at":"2025-05-14T22:05:40.121Z","avatar_url":"https://github.com/authzed.png","language":"Go","readme":"\u003ch1 align=\"center\"\u003e\n    \u003ca href=\"https://authzed.com#gh-dark-mode-only\" target=\"_blank\"\u003e\n        \u003cimg width=\"300\" src=\"https://github.com/user-attachments/assets/0ebf4718-283b-4c40-b567-1d577c0a2e03\" alt=\"spicedb logo\"\u003e\n    \u003c/a\u003e\n    \u003ca href=\"https://authzed.com#gh-light-mode-only\" target=\"_blank\"\u003e\n        \u003cimg width=\"300\" src=\"https://github.com/user-attachments/assets/577a72f9-4fdd-49f8-b1d6-e53025d219b8\" alt=\"spicedb Logo\"\u003e\n    \u003c/a\u003e\n\u003c/h1\u003e\n\n\u003ch3 align=\"center\"\u003e\n  SpiceDB sets the standard for authorization that \u003ci\u003escales\u003c/i\u003e.\n  \u003cbr/\u003e\u003cbr/\u003eScale with\u003cbr/\u003e\n  Traffic • Dev Velocity • Functionality • Geography\n\u003c/h3\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/authzed/spicedb/releases\"\u003e\u003cimg alt=\"release badge\" src=\"https://img.shields.io/github/v/release/authzed/spicedb?color=%236EC93F\u0026label=latest%20release\u0026sort=semver\u0026style=flat-square\"\u003e\u003c/a\u003e\n  \u0026nbsp;\n  \u003ca href=\"https://hub.docker.com/repository/docker/authzed/spicedb\" target=\"_blank\"\u003e\u003cimg alt=\"docker pulls badge\" src=\"https://img.shields.io/docker/pulls/authzed/spicedb?color=%23448CE6\u0026style=flat-square\"\u003e\u003c/a\u003e\n  \u0026nbsp;\n  \u003ca href=\"https://authzed.com/blog/go-ecosystem\"\u003e\u003cimg alt=\"built with Go badge\" src=\"https://img.shields.io/badge/built_with-Go-367B99.svg?style=flat-square\"\u003e\u003c/a\u003e\n  \u0026nbsp;\n  \u003ca href=\"https://www.bestpractices.dev/en/projects/6348\" target=\"_blank\"\u003e\u003cimg alt=\"cii badge\" src=\"https://img.shields.io/cii/percentage/6348?style=flat-square\u0026label=cii%20best%20practices\u0026color=F8D44B\"\u003e\u003c/a\u003e\n  \u0026nbsp;\n  \u003ca href=\"https://securityscorecards.dev/viewer/?uri=github.com/authzed/spicedb\" target=\"_blank\"\u003e\u003cimg alt=\"ssf badge\" src=\"https://api.securityscorecards.dev/projects/github.com/authzed/spicedb/badge\"\u003e\u003c/a\u003e\n  \u0026nbsp;\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://discord.gg/spicedb\"\u003e\u003cimg alt=\"discord badge\" src=\"https://img.shields.io/badge/discord-spicedb-7289da?style=flat-square\"\u003e\u003c/a\u003e\n\t\u0026nbsp;\n    \u003ca href=\"https://twitter.com/authzed\"\u003e\u003cimg alt=\"twitter badge\" src=\"https://img.shields.io/badge/twitter-@authzed-1d9bf0.svg?style=flat-square\"\u003e\u003c/a\u003e\n    \u0026nbsp;\n    \u003ca href=\"https://www.linkedin.com/company/authzed/\"\u003e\u003cimg alt=\"linkedin badge\" src=\"https://img.shields.io/badge/linkedin-+authzed-2D65BC.svg?style=flat-square\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n## What is SpiceDB?\n\n\u003ca href=\"https://authzed.com#gh-dark-mode-only\" target=\"_blank\"\u003e\u003cimg align=\"right\" width=\"300\" src=\"https://github.com/user-attachments/assets/e0e70549-91dc-4a07-9309-2e18942a7902\" alt=\"spicedb diagram\" /\u003e\u003c/a\u003e\n\u003ca href=\"https://authzed.com#gh-light-mode-only\" target=\"_blank\"\u003e\u003cimg align=\"right\" width=\"300\" src=\"https://github.com/user-attachments/assets/97342fce-d94b-42b6-b02f-fe3958d13981\" alt=\"spicedb diagram\" /\u003e\u003c/a\u003e\n\nSpiceDB is the most mature open source project inspired by Google's internal authorization system: [Zanzibar].\n\nAs of 2021, [broken access control became the #1 threat to web security according to OWASP][owasp].\nWith SpiceDB, platform teams are armed with the same techniques for stopping this threat that the hyperscale tech companies have been doing for years behind closed doors.\n\nSimilar to a relational database, developers define a schema, write data to the database, and query that data in various ways.\nHowever, unlike relational databases that use general-purpose SQL, SpiceDB exposes a gRPC API specifcally optimized for authorizing actions in your systems.\n\nBecause SpiceDB self-contains data and logic for used for authorization, it is often ran as a centralized service shared across product suites and microservice architectures.\n\nSpiceDB is focused purely on *authorization* and is designed to be fully agnostic to *authentication* solutions/identity providers.\n\n[owasp]: https://owasp.org/Top10/A01_2021-Broken_Access_Control/\n\n### What is Google Zanzibar?\n\nIn 2019, Google released the paper \"[Zanzibar: Google's Consistent, Global Authorization System][zanzibar]\" providing the original inspiration for SpiceDB.\nThe paper presents the design, implementation, and deployment of, Zanzibar, Google's internal system for storing and evaluating access control lists.\nOriginally designed for [Google+ Circles][circles], Zanzibar now sits at the core Google's entire product suite (Calendar, Drive, Maps, Photos, YouTube) and powers the Google Cloud IAM service.\n\nWhile SpiceDB has gone on to innovate well beyond the functionality outlined in the paper, development of SpiceDB aims to always remain faithful to the paper's values and goals.\n\n[zanzibar]: https://authzed.com/zanzibar\n[circles]: https://en.wikipedia.org/wiki/Google+#Circles\n\n### Why SpiceDB?\n\n- [**World-class engineering**][about]: painstakingly built by experts that pioneered the cloud-native ecosystem\n- [**Authentic design**][zanzibar]: mature and feature-complete implementation of Google's Zanzibar paper\n- [**Proven in production**][1M]: 5ms p95 when scaled to millions of queries/s, billions of relationships\n- [**Global consistency**][consistency]: consistency configured per-request unlocks correctness while maintaining performance\n- [**Multi-paradigm**][caveats]: caveated relationships combine the best concepts in authorization: ABAC \u0026 ReBAC\n- [**Safety in tooling**][tooling]: designs schemas with real-time validation or validate in your CI/CD workflow\n- [**Reverse Indexes**][reverse-indexes]: queries for \"What can `subject` do?\", \"Who can access `resource`?\"\n\n[about]: https://authzed.com/why-authzed\n[1M]: https://authzed.com/blog/google-scale-authorization\n[caveats]: https://netflixtechblog.com/abac-on-spicedb-enabling-netflixs-complex-identity-types-c118f374fa89\n[tooling]: https://authzed.com/docs/spicedb/modeling/validation-testing-debugging\n[reverse-indexes]: https://authzed.com/docs/spicedb/getting-started/faq#what-is-a-reverse-index\n[consistency]: https://authzed.com/docs/spicedb/concepts/consistency\n\n### Who uses SpiceDB?\n\nSpiceDB is a powerful tool in a variety of domains and in organizations of all sizes; we've chosen to highlight a few interesting community members:\n\n- [IBM's AI Data \u0026 Model Factory Platform](https://youtu.be/4K2a9HcRhXA)\n- [Red Hat's Insights Platform](https://www.redhat.com/en/technologies/management/insights)\n- [GitPod](https://github.com/gitpod-io/gitpod/issues/15632)\n- [TubiTV China (中文)](https://zhuanlan.zhihu.com/p/685603356)\n- [DMM Online Salon (日本語)](https://inside.dmm.com/articles/salon-datebase-migration-challenges/)\n\nBeyond the community, you can also read [customer stories][stories] for commercial usage of SpiceDB.\n\n[stories]: https://authzed.com/customers\n\n## Joining the Community\n\nJoin our fellow contributors from companies such as \u003cimg alt=\"github logo\" height=\"15px\" src=\"https://github.com/authzed/spicedb/assets/343539/c05b8aef-c862-4499-bebf-0a43f3b423c4\"\u003e GitHub, \u003cimg alt=\"adobe logo\" height=\"15px\" src=\"https://github.com/user-attachments/assets/64007fa0-f342-4eba-bc81-0e078677e918\"\u003e Adobe, \u003cimg alt=\"google logo\" height=\"15px\" src=\"https://github.com/user-attachments/assets/15a144f4-4244-40af-be58-53ea3be46bc4\"\u003e Google, \u003cimg alt=\"fastly logo\" height=\"15px\" src=\"https://github.com/user-attachments/assets/57f042c3-e106-4524-95b8-167acc6be16e\"\u003e Fastly, \u003cimg alt=\"plaid logo\" height=\"15px\" src=\"https://github.com/user-attachments/assets/0678972d-b8ff-41e6-a507-7289a1ee1e94\"\u003e Plaid, \u003cimg alt=\"red hat logo\" height=\"15px\" src=\"https://github.com/user-attachments/assets/955a6c28-3a5c-4679-8e12-b50734024be2\"\u003e Red Hat, and \u003cimg alt=\"reddit logo\" height=\"15px\" src=\"https://github.com/user-attachments/assets/78d542f9-37f7-4d78-bf34-8aa0b0ddd12d\"\u003e Reddit.\n\nSpiceDB is a community project where everyone is invited to participate and [feel welcomed].\nWhile the project has a technical goal, participation is not restricted to those with code contributions.\n\n[CONTRIBUTING.md] documents communication, contribution flow, legal requirements, and common tasks when contributing to the project.\n\nYou can find issues by priority: [Urgent], [High], [Medium], [Low], [Maybe].\nThere are also [good first issues].\n\nOur [documentation] is also [open source][oss-docs] if you'd like to clarify anything you find confusing.\n\n[feel welcomed]: CODE-OF-CONDUCT.md\n[CONTRIBUTING.md]: CONTRIBUTING.md\n[Urgent]: https://github.com/authzed/spicedb/labels/priority%2F0%20urgent\n[High]: https://github.com/authzed/spicedb/labels/priority%2F1%20high\n[Medium]: https://github.com/authzed/spicedb/labels/priority%2F2%20medium\n[Low]: https://github.com/authzed/spicedb/labels/priority%2F3%20low\n[Maybe]: https://github.com/authzed/spicedb/labels/priority%2F4%20maybe\n[good first issues]: https://github.com/authzed/spicedb/labels/hint%2Fgood%20first%20issue\n[documentation]: https://authzed.com/docs\n[oss-docs]: https://github.com/authzed/docs\n\n## Getting Started\n\n### Familiarizing yourself with our learning materials\n\n- Ask questions via [GitHub Discussions] or our [Community Discord]\n- Read [blog posts] from the Authzed team describing the project and major announcements\n- Watch our [YouTube videos] about SpiceDB, modeling schemas, leveraging CNCF projects, and more\n- Explore the [SpiceDB Awesome List] that enumerates official and third-party projects built by the community\n- Reference [community examples] for demo environments, integration testing, CI pipelines, and writing schemas\n\n[GitHub Discussions]: https://github.com/orgs/authzed/discussions/new?category=q-a\n[Community Discord]: https://authzed.com/discord\n[blog posts]: https://authzed.com/blog\n[SpiceDB Awesome List]: https://github.com/authzed/awesome-spicedb\n[YouTube videos]: https://www.youtube.com/@authzed\n[community examples]: https://github.com/authzed/examples\n\n### Installing the binary\n\nBinary releases are available for Linux, macOS, and Windows on AMD64 and ARM64 architectures.\n\n[Homebrew] users for both macOS and Linux can install the latest binary releases of SpiceDB and [zed] using the official tap:\n\n```command\nbrew install authzed/tap/spicedb authzed/tap/zed\n```\n\n[Debian-based Linux] users can install SpiceDB packages by adding a new APT source:\n\n```command\nsudo apt update \u0026\u0026 sudo apt install -y curl ca-certificates gpg\ncurl https://pkg.authzed.com/apt/gpg.key | sudo apt-key add -\nsudo echo \"deb https://pkg.authzed.com/apt/ * *\" \u003e /etc/apt/sources.list.d/fury.list\nsudo apt update \u0026\u0026 sudo apt install -y spicedb zed\n```\n\n[RPM-based Linux] users can install SpiceDB packages by adding a new YUM repository:\n\n```command\nsudo cat \u003c\u003c EOF \u003e\u003e /etc/yum.repos.d/Authzed-Fury.repo\n[authzed-fury]\nname=AuthZed Fury Repository\nbaseurl=https://pkg.authzed.com/yum/\nenabled=1\ngpgcheck=0\nEOF\nsudo dnf install -y spicedb zed\n```\n\n[zed]: https://github.com/authzed/zed\n[homebrew]: https://docs.authzed.com/spicedb/installing#brew\n[Debian-based Linux]: https://en.wikipedia.org/wiki/List_of_Linux_distributions#Debian-based\n[RPM-based Linux]: https://en.wikipedia.org/wiki/List_of_Linux_distributions#RPM-based\n  \n### Running a container\n\nContainer images are available for AMD64 and ARM64 architectures on the following registries:\n\n- [authzed/spicedb](https://hub.docker.com/r/authzed/spicedb)\n- [ghcr.io/authzed/spicedb](https://github.com/authzed/spicedb/pkgs/container/spicedb)\n- [quay.io/authzed/spicedb](https://quay.io/authzed/spicedb)\n\n[Docker] users can run the latest SpiceDB container with the following:\n\n```command\ndocker run --rm -p 50051:50051 authzed/spicedb serve --grpc-preshared-key \"somerandomkeyhere\"\n```\n\nSpiceDB containers use [Chainguard Images] to ship the bare minimum userspace which is a huge boon to security, but can complicate debugging.\nIf you want to execute a user session into a running SpiceDB container and install packages, you can use one of our debug images.\n\nAppending `-debug` to any tag will provide you an image that has a userspace with debug tooling:\n\n```command\ndocker run --rm -ti --entrypoint sh authzed/spicedb:latest-debug\n```\n\nContainers are also available for each git commit to the `main` branch under `${REGISTRY}/authzed/spicedb-git:${COMMIT}`.\n\n[Docker]: https://docs.docker.com/get-docker/\n[Chainguard Images]: https://github.com/chainguard-images/images\n  \n### Deploying to Kubernetes\n\nProduction Kubernetes users should be relying on a stable release of the [SpiceDB Operator].\nThe Operator enforces not only best practices, but orchestrates SpiceDB updates without downtime.\n\nIf you're only experimenting, feel free to try out one of our community-maintained [examples] for [testing SpiceDB on Kubernetes]:\n\n```command\nkubectl apply -f https://raw.githubusercontent.com/authzed/examples/main/kubernetes/example.yaml\n```\n\n[examples]: https://github.com/authzed/examples\n[SpiceDB Operator]: https://github.com/authzed/spicedb-operator\n[testing SpiceDB on Kubernetes]: https://github.com/authzed/examples/tree/main/kubernetes\n\n### Developing your own schema\n\nYou can try both SpiceDB and zed entirely in your browser in the [hosted Playground] thanks to the power of WebAssembly.\nThe [Playground app is open source] and can also be self-hosted.\n\nIf you don't want to start with the examples loadable from the Playground, you can follow a guide for [developing a schema] or review the the schema language [design documentation].\n\nWatch the SpiceDB primer video to get started with schema development:\n\n\u003ca href=\"https://www.youtube.com/watch?v=AoK0LrkGFDY\" target=\"_blank\"\u003e\u003cimg width=\"600\" alt=\"SpiceDB Primer YouTube Thumbnail\" src=\"https://github.com/authzed/spicedb/assets/343539/7784dfa2-b330-4c5e-b32a-090759e48392\"\u003e\u003c/a\u003e\n\n[hosted Playground]: https://play.authzed.com\n[Playground app is open source]: https://github.com/authzed/playground\n[developing a schema]: https://docs.authzed.com/guides/schema\n[design documentation]: https://docs.authzed.com/reference/schema-lang\n\n### Trying out the API\n\nFor debugging or getting started, we recommend [installing zed], the official command-line client.\nThe [Playground] also has a tab for experimenting with zed all from within your browser.\n\nWhen it's time to write code, we recommend using one of the [existing client libraries] whether it's official or community-maintained.\n\nBecause every millisecond counts, we recommend using libraries that leverage the gRPC API for production workloads.\n\nTo get an understanding of integrating an application with SpiceDB, you can follow the [Protecting Your First App] guide or review API documentation on the [Buf Registry] or [Postman].\n\n[installing zed]: https://authzed.com/docs/spicedb/getting-started/installing-zed\n[playground]: https://play.authzed.com\n[existing client libraries]: https://github.com/authzed/awesome-spicedb#clients\n[Protecting Your First App]: https://docs.authzed.com/guides/first-app\n[Buf Registry]: https://buf.build/authzed/api/docs\n[Postman]: https://www.postman.com/authzed/workspace/spicedb/overview\n\n## Acknowledgements\n\nSpiceDB is a community project fueled by contributions from both organizations and individuals.\nWe appreciate all contributions, large and small, and would like to thank all those involved.\n\nIn addition, we'd like to highlight a few notable contributions:\n\n- \u003cimg alt=\"github logo\" height=\"15px\" src=\"https://github.com/authzed/spicedb/assets/343539/c05b8aef-c862-4499-bebf-0a43f3b423c4\"\u003e The GitHub Authorization Team for implementing and contributing the MySQL datastore\n- \u003cimg alt=\"netflix logo\" height=\"15px\" src=\"https://github.com/authzed/spicedb/assets/343539/e64128f0-978f-4fd6-bdd7-1ce7cb6b34b9\"\u003e The Netflix Authorization Team for sponsoring and being a design partner for caveats\n- \u003cimg alt=\"equinix logo\" height=\"15px\" src=\"https://github.com/authzed/spicedb/assets/343539/7bf706f9-910d-4902-8957-c914a7468eff\"\u003e The Equinix Metal Team for sponsoring our benchmarking hardware\n","funding_links":[],"categories":["Authentication and Authorization","Go","Repositories","Databases","Database","Authorization","security-tools","Zanzibar Softwares and Services","\u003ca name=\"Go\"\u003e\u003c/a\u003eGo","Policy Engines \u0026 Frameworks"],"sub_categories":["Permission Databases","\u003ca name=\"authZ-golang\"\u003e\u003c/a\u003eGolang","Databases Implemented in Go","ReBAC frameworks","Zanzibar-Based"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthzed%2Fspicedb","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fauthzed%2Fspicedb","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthzed%2Fspicedb/lists"}