aicoolies logo
SpiceDB logo

SpiceDB

Google Zanzibar-inspired authorization database

Share
freemiumOpen Source
Visit Website →

SpiceDB is an open-source authorization database inspired by Google's Zanzibar system, providing relationship-based access control (ReBAC) at scale. It defines permissions through a schema language that models relationships between users, resources, and roles, then evaluates authorization checks in single-digit milliseconds. Used by companies like Netflix and GitHub, SpiceDB handles millions of permission checks per second.

SpiceDB implements Google's Zanzibar authorization model as an open-source database purpose-built for permission checking at scale. Instead of embedding authorization logic in application code or relying on role-based access control that becomes unmanageable as systems grow, SpiceDB stores relationships between entities and evaluates permission queries against a schema that defines how relationships compose into permissions. This enables complex authorization patterns like hierarchical teams, shared resources, and inherited permissions.

The schema language lets developers model their authorization domain declaratively. A schema defines object types, their relations, and how permissions derive from those relations. For example, a document might have an owner relation and an editor relation, with view permission granted to anyone who is an owner, editor, or member of an organization that owns the document. SpiceDB evaluates these queries through an optimized graph traversal engine that resolves complex permission chains in single-digit milliseconds.

Backed by AuthZed with venture funding and over 6,600 GitHub stars, SpiceDB has been adopted by companies including Netflix, GitHub, and Canva for production authorization. It exposes gRPC and HTTP APIs, supports PostgreSQL, MySQL, CockroachDB, and Spanner as storage backends, and provides client libraries for Go, Python, Java, Ruby, and JavaScript. The distributed architecture handles horizontal scaling for millions of relationships and permission checks, making it suitable for multi-tenant SaaS platforms and complex enterprise applications.

Pricing

Free open source — AuthZed managed from $500/mo

Platforms

gRPC and HTTP APIs — Go, Python, Java, Ruby, JS clients

Categories

Tags

Use Cases

Alternatives

Related Tools

KubeAI

Kubernetes operator for serving AI inference workloads

KubeAI is an Apache-2.0 Kubernetes operator for deploying and scaling AI inference workloads, including LLMs, embeddings, reranking, and speech-to-text. It gives platform teams OpenAI-compatible endpoints, model proxy/controller primitives, model caching, scale-from-zero behavior, and cluster-native resource management for self-hosted inference on Kubernetes.

open-sourceOpen Source
Agent Governance Toolkit logo

Agent Governance Toolkit

Microsoft’s public-preview runtime governance toolkit for policy, identity, sandboxing, audit, and MCP security around AI agents.

Agent Governance Toolkit is Microsoft’s MIT-licensed public-preview toolkit for governing AI agent runtimes. It adds policy enforcement, zero-trust identity, execution sandboxing, audit, reliability, and MCP security-gateway patterns around tool calls and autonomous actions, helping platform teams move beyond prompt-only guardrails while preserving architecture review requirements.

open-sourceOpen SourceTelemetry
Baz logo

Baz

Telemetry-aware AI code reviewer that checks how pull requests may affect real services.

Baz is an AI code-review platform focused on production-aware pull requests. Instead of only reading the diff, Baz connects code changes to application telemetry so reviewers can understand what endpoints, services, and runtime behavior may be affected. That makes it a useful complement to existing AI PR bots when the question is not just whether a change looks correct, but whether it could break a live system.

freemiumTelemetry
rampart

Rampart

Microsoft’s pytest-native red teaming framework for turning AI agent safety findings into CI tests.

RAMPART is an open-source Microsoft framework for safety and security testing of agentic AI applications. It brings red-team findings into a pytest-native workflow so teams can turn prompt injection, unsafe tool use, and behavioral boundary failures into repeatable regression tests. The strongest aicoolies angle is developer workflow: RAMPART makes agent safety part of CI/CD instead of a one-off security review.

open-sourceOpen Source
Statewright logo

Statewright

State-machine guardrails for controlling which tools AI coding agents can use at each phase.

Statewright is a guardrail layer for AI coding agents that uses explicit state machines to control what an agent can do at each stage of a workflow. Instead of relying only on prompt instructions, teams can model phases such as plan, implement, test, and review, then constrain tool access for clients like Claude Code, Codex, Cursor, opencode, and related MCP workflows.

open-sourceOpen Source
Freestyle logo

Freestyle

Sandboxes for coding agents — Linux VMs, Git, and deploys in one box

Freestyle is YC-backed sandbox infrastructure built for AI coding agents, shipping secure Linux VMs with nested virtualization, Git servers, and one-click web deploys. It lets agents run real workloads, branch repos, and deploy apps under short-lived identities while billing only for active compute. Used in production by vly.ai, Rork, and Vibeflow.

freemium

Comparisons