authzed/spicedb

★ 6,822 · Go · Apache-2.0 · updated Jun 2026

Open Source, Google Zanzibar-inspired database for scalably storing and querying fine-grained authorization data

SpiceDB is a dedicated authorization service implementing the Google Zanzibar design: you define a schema of resource types and relations, write relationship tuples into it, and query it at runtime to answer 'can user X do Y on resource Z?' It's the most mature open-source Zanzibar implementation, used in production by Red Hat, Netflix, IBM, and others at real scale.

The per-request consistency model (minimizeLatency vs. atLeastAsFresh vs. fullyConsistent via zedTokens) is the right API design — you pay for strong consistency only where you actually need it, not globally. The caveat system (contributed by Netflix) lets you bolt ABAC conditions onto ReBAC relations without abandoning the graph model; you can express 'viewer IF document.region == user.region' as a first-class construct. The datastore abstraction is genuinely deep — Postgres, CockroachDB, Spanner, MySQL, and an in-memory backend all implement the same interface with real per-backend migrations (25 Postgres migrations, 13 MySQL migrations), not thin wrappers. The e2e 'newenemy' test specifically validates the consistency hazard that Zanzibar was designed to solve, which signals the team actually understands the hard correctness properties.
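To make the consistency trade-off above concrete, here is an added toy model (not SpiceDB's code or client API) of the hazard the 'newenemy' test targets: a revoked viewer is still allowed by a read served from an older revision, and denied once the check carries the token from the revoking write. The `Store` type, its methods, the integer token and the sample tuple are all assumptions made for the illustration.

```go
package main

import "fmt"

// Store is a toy model, not SpiceDB's API: each write creates a revision,
// and the returned int stands in for a zedToken.
type Store struct {
	revs   []map[string]bool // revs[i] is the tuple set at revision i
	cached int               // older revision that a cached read is served from
}

func (s *Store) write(tuple string, present bool) int {
	next := map[string]bool{}
	for k := range s.revs[len(s.revs)-1] {
		next[k] = true
	}
	if present {
		next[tuple] = true
	} else {
		delete(next, tuple)
	}
	s.revs = append(s.revs, next)
	return len(s.revs) - 1
}

// Check evaluates the tuple at max(cached revision, token).
// token 0 models minimizeLatency; a stored token models atLeastAsFresh.
func (s *Store) Check(tuple string, token int) bool {
	rev := s.cached
	if token > rev {
		rev = token
	}
	return s.revs[rev][tuple]
}

// CheckFullyConsistent always reads the newest revision.
func (s *Store) CheckFullyConsistent(tuple string) bool {
	return s.revs[len(s.revs)-1][tuple]
}

// NewEnemyScenario: alice loses access, then new content is added.
func NewEnemyScenario() (stale, fresh, full bool) {
	s := &Store{revs: []map[string]bool{{}}}
	const tuple = "document:plan#viewer@user:alice" // constructed sample tuple
	s.cached = s.write(tuple, true) // caches warm while alice is a viewer
	token := s.write(tuple, false)  // revoke; app stores token with the new content
	return s.Check(tuple, 0), s.Check(tuple, token), s.CheckFullyConsistent(tuple)
}

func main() { fmt.Println(NewEnemyScenario()) } // true false false
```

The defensive takeaway is that the token returned by a permission-changing write has to be stored alongside the protected content and supplied on later checks; a check made without it may be answered from a revision that predates the revocation.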

Authorization-as-a-service means SpiceDB sits on every request's hot path — it needs HA treatment like your primary database, and if it's slow or down, your whole app's permission checks fail. Schema evolution has no migration story for relationship data: adding a new relation type requires you to manually coordinate populating existing tuples before any code that depends on the new permission ships, with no tooling equivalent to a database migration framework. The open-source version has no built-in multi-tenancy; if you're a SaaS platform that needs isolated permission graphs per customer, you're hand-namespacing object types or buying into the commercial AuthZed Cloud offering. MySQL support was contributed by GitHub and the consistency guarantees around zedTokens are weaker there than on Postgres or CockroachDB — easy to miss if you pick MySQL and discover later you're not actually getting the consistency model you signed up for.
