SpiceDB implements Google's Zanzibar authorization model as an open-source database purpose-built for permission checking at scale. Instead of embedding authorization logic in application code or relying on role-based access control that becomes unmanageable as systems grow, SpiceDB stores relationships between entities and evaluates permission queries against a schema that defines how relationships compose into permissions. This enables complex authorization patterns like hierarchical teams, shared resources, and inherited permissions.
The schema language lets developers model their authorization domain declaratively. A schema defines object types, their relations, and how permissions derive from those relations. For example, a document might have an owner relation and an editor relation, with view permission granted to anyone who is an owner, editor, or member of an organization that owns the document. SpiceDB evaluates permission queries against the schema through an optimized graph traversal engine that resolves complex permission chains in single-digit milliseconds.
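
The document example above as a runnable sketch, added here and not taken from SpiceDB or AuthZed: a toy Python evaluator that resolves `view` over stored relationships, including the hop from a document to its organization's members. The relation name `org`, the class and function names, and all object IDs are assumptions constructed for illustration.

```python
# Added illustration: a toy evaluator, not SpiceDB's engine or client API.
# In SpiceDB's schema language the modelled schema would read roughly:
#   definition user {}
#   definition organization { relation member: user }
#   definition document {
#     relation owner: user
#     relation editor: user
#     relation org: organization   // relation name "org" is an assumption
#     permission view = owner + editor + org->member
#   }

# A permission is a union of terms: a relation on the same object, or an
# arrow (relation, target) that evaluates `target` on the related object.
PERMISSIONS = {"document": {"view": ["owner", "editor", ("org", "member")]}}


class RelationshipStore:
    def __init__(self, tuples=()):
        self._tuples = set(tuples)  # (resource, relation, subject) strings

    def _subjects(self, resource, relation):
        return {s for r, rel, s in self._tuples if (r, rel) == (resource, relation)}

    def check(self, resource, name, subject):
        """True if `subject` holds `name` on `resource`; anything else is denied."""
        terms = PERMISSIONS.get(resource.split(":")[0], {}).get(name)
        if terms is None:  # plain relation: only a stored tuple grants it
            return subject in self._subjects(resource, name)
        for term in terms:
            if isinstance(term, str):
                granted = self.check(resource, term, subject)
            else:  # arrow: walk to each related object and check there
                via, target = term
                granted = any(self.check(obj, target, subject)
                              for obj in self._subjects(resource, via))
            if granted:
                return True
        return False


def demo_store():
    """Constructed sample relationships (not real data)."""
    return RelationshipStore([
        ("document:roadmap", "owner", "user:alice"),
        ("document:roadmap", "editor", "user:bob"),
        ("document:roadmap", "org", "organization:acme"),
        ("organization:acme", "member", "user:carol"),
        ("organization:other", "member", "user:dave"),
    ])
```

Here `user:carol` can view the document only through the `org->member` hop, while `user:dave`, a member of an unrelated organization, is denied because no relationship path reaches him.
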
Backed by AuthZed with venture funding and over 6,600 GitHub stars, SpiceDB has been adopted by companies including Netflix, GitHub, and Canva for production authorization. It exposes gRPC and HTTP APIs, supports PostgreSQL, MySQL, CockroachDB, and Spanner as storage backends, and provides client libraries for Go, Python, Java, Ruby, and JavaScript. The distributed architecture handles horizontal scaling for millions of relationships and permission checks, making it suitable for multi-tenant SaaS platforms and complex enterprise applications.