SpiceDB

SpiceDB is a database system for managing security-critical application permissions.

Developers create a schema that models their permissions requirements and use a client library to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications.

Features that distinguish SpiceDB from other systems include:

• Expressive gRPC and HTTP APIs for checking permissions, listing access, and powering devtools
• An architecture faithful to Google's Zanzibar paper, including resistance to the New Enemy Problem
• An intuitive and expressive schema language complete with a playground dev environment
• A powerful graph engine that supports distributed, parallel evaluation
• Pluggable storage that supports in-memory, PostgreSQL, and CockroachDB
• Deep observability with Prometheus metrics, structured logging, and distributed tracing

See CONTRIBUTING.md for instructions on how to contribute and perform common tasks like building the project and running tests.

Why SpiceDB?

Verifiable Correctness

The data used to calculate permissions have the most critical correctness requirements in the entirety a software system. Despite that, developers continue to build their own ad-hoc solutions coupled to the internal code of each new project. By developing a SpiceDB schema, you can iterate far more quickly and exhaustively test designs before altering any application code. This becomes especially important as you introduce backwards-compatible changes to the schema and want to ensure that the system remains secure.

Optimal Flexibility

The SpiceDB schema language is built on top of the concept of a graph of relationships between objects. This ReBAC design is capable of efficiently supporting all popular access control models (such as RBAC and ABAC) and custom models that contain hybrid behavior.

Modern solutions to developing permission systems all have a similar goal: to decouple policy from the application. Using a dedicated database like SpiceDB not only accomplishes this, but takes this idea a step further by also decoupling the data that policies operate on. SpiceDB is designed to share a single unified view of permissions across as many applications as your organization has. This has strategy has become an industry best-practice and is being used to great success at companies large (Google, GitHub, Airbnb) and small (Carta, Authzed).

Getting Started

Installing SpiceDB

SpiceDB is currently packaged by Homebrew for both macOS and Linux. Individual releases and other formats are also available on the releases page.

brew install authzed/tap/spicedb

SpiceDB is also available as a container image:

docker pull quay.io/authzed/spicedb:latest
docker run quay.io/authzed/spicedb serve --grpc-preshared-key "somerandomkeyhere"

SpiceDB supports environment variables. You can replace any command's argument with an environment variable by adding the SPICEDB prefix.
For example --log-level becomes SPICEDB_LOG_LEVEL.

docker run -e SPICEDB_GRPC_PRESHARED_KEY=somerandomkeyhere quay.io/authzed/spicedb serve

For production usage, we highly recommend using a tag that corresponds to the latest release, rather than latest.

Running SpiceDB locally

spicedb serve --grpc-preshared-key "somerandomkeyhere"

Visit http://localhost:8080 to see next steps, including loading the schema

Running SpiceDB for testing

spicedb serve-testing

This command runs SpiceDB such that each Bearer Token provided by the client is allocated its own isolated, ephemeral datastore. By using unique tokens in each of your application's integration tests, they can be executed in parallel safely against a single instance of SpiceDB.

A SpiceDB GitHub action is also available to run SpiceDB as part of your integration test workflows.

Developing your own schema

• Follow the guide for developing a schema
• Watch a video of us modeling GitHub
• Read the schema language design documentation
• Jump into the playground, load up some examples, and mess around

Integrating with your application

• Learn the latest best practice by following the Protecting Your First App guide
• Explore the gRPC API documentation on the Buf Registry
• Install zed and interact with a live database