SpiceDB sets the standard for authorization that scales.
Traffic • Dev Velocity • Functionality • Geography
What is SpiceDB?
SpiceDB is a graph database purpose-built for storing and evaluating access control data.
As of 2021, broken access control became the #1 threat to the web. With SpiceDB, developers finally have the solution to stopping this threat the same way as the hyperscalers.
- World-class engineering: painstakingly built by experts that pioneered the cloud-native ecosystem
- Authentic design: mature and feature-complete implementation of Google's Zanzibar paper
- Proven in production: 5ms p95 when scaled to millions of queries/s, billions of relationships
- Global consistency: consistency configured per-request unlocks correctness while maintaining performance
- Multi-paradigm: caveated relationships combine the best concepts in authorization: ABAC & ReBAC
- Safety in tooling: designs schemas with real-time validation or validate in your CI/CD workflow
- Reverse Indexes: queries for "What can
subjectdo?", "Who can access
Joining the Community
SpiceDB is a community project where everyone is invited to participate and feel welcomed. While the project has a technical goal, participation is not restricted to those with code contributions.
- Ask questions via GitHub Discussions or our Community Discord
- Read blog posts from the Authzed team describing the project and major announcements
- Watch our YouTube videos about SpiceDB, modeling schemas, leveraging CNCF projects, and more
- Explore the SpiceDB Awesome List that enumerates official and third-party projects built by the community
- Reference community examples for demo environments, integration testing, CI pipelines, and writing schemas
CONTRIBUTING.md documents communication, contribution flow, legal requirements, and common tasks when contributing to the project.
Our documentation website is also open source if you'd like to clarify anything you find confusing.
Installing the binary
Binary releases are available for Linux, macOS, and Windows on AMD64 and ARM64 architectures.
brew install authzed/tap/spicedb authzed/tap/zed
Debian-based Linux users can install SpiceDB packages by adding a new APT source:
sudo apt update && sudo apt install -y curl ca-certificates gpg
curl https://pkg.authzed.com/apt/gpg.key | sudo apt-key add -
sudo echo "deb https://pkg.authzed.com/apt/ * *" > /etc/apt/sources.list.d/fury.list
sudo apt update && sudo apt install -y spicedb zed
RPM-based Linux users can install SpiceDB packages by adding a new YUM repository:
sudo cat << EOF >> /etc/yum.repos.d/Authzed-Fury.repo
name=AuthZed Fury Repository
sudo dnf install -y spicedb zed
Running a container
Container images are available for AMD64 and ARM64 architectures on the following registries:
Docker users can run the latest SpiceDB container with the following:
docker run --rm -p 50051:50051 authzed/spicedb serve --grpc-preshared-key "somerandomkeyhere"
SpiceDB containers use Chainguard Images to ship the bare minimum userspace which is a huge boon to security, but can complicate debugging. If you want to execute a user session into a running SpiceDB container and install packages, you can use one of our debug images.
-debug to any tag will provide you an image that has a userspace with debug tooling:
docker run --rm -ti --entrypoint sh authzed/spicedb:latest-debug
Containers are also available for each git commit to the
main branch under
Deploying to Kubernetes
Production Kubernetes users should be relying on a stable release of the SpiceDB Operator. The Operator enforces not only best practices, but orchestrates SpiceDB updates without downtime.
kubectl apply -f https://raw.githubusercontent.com/authzed/examples/main/kubernetes/example.yaml
Developing your own schema
You can try both SpiceDB and zed entirely in your browser on the playground thanks to the power of WebAssembly.
Watch the SpiceDB primer video to get started with schema development:
Trying out the API
When it's time to write code, we recommend using one of the existing client libraries whether it's official or community-maintained.
Because every millisecond counts, we recommend using libraries that leverage the gRPC API for production workloads.
SpiceDB is a community project fueled by contributions from both organizations and individuals. We appreciate all contributions, large and small, and would like to thank all those involved.
In addition, we'd like to highlight a few notable contributions: