SpiceDB

L5 · Agent-Aware Governance · Authorization · Free (OSS) / Authzed managed · Apache-2.0 · OSS

OSS Zanzibar-inspired authorization database from Authzed. Apache-2.0. Sub-10ms permission checks at scale, with consistency tokens (zedtokens) to control how fresh a read must be. Production-tested predecessor to OpenFGA-class systems.

AI Analysis

SpiceDB is the OSS authorization database from Authzed — Apache-2.0, Zanzibar-paper-faithful ReBAC implementation that predates OpenFGA. Authzed Cloud is the managed offering with SOC 2. Pick SpiceDB for the same workloads as OpenFGA: hierarchical permissions, sharing semantics, multi-tenant SaaS. The choice between SpiceDB and OpenFGA is largely about ecosystem fit + commercial support preference; technical capabilities are comparable. SpiceDB was earlier to market and has longer production track record; OpenFGA is CNCF-sandboxed with faster recent momentum.

Trust Before Intelligence

SpiceDB's positioning is identical to OpenFGA's at the architectural level: Zanzibar-style ReBAC where relationships are first-class, sub-10ms decisions at hyperscale, consistency tokens for new-write visibility. The trust differentiator is Authzed's commercial maturity: longer production deployments, more enterprise references, and SpiceDB Enterprise (commercial self-hosted), which adds features such as FGAM, materialization and advanced operators. The Trust Before Intelligence reasoning that applies to OpenFGA (relationship modeling discipline, tuple isolation in multi-tenant scenarios, GDPR considerations on tuple cleanup) applies here too, so the practical advice is similar.

INPACT Score

32/36
I — Instant
6/6

Sub-10ms ReBAC checks at hyperscale per Zanzibar paper. Production-validated.

N — Natural
5/6

SpiceDB Schema Language for authorization model definition. Permission relationships + arrow expressions feel natural for relationship modeling.

P — Permitted
6/6

ReBAC at Zanzibar level. Best-in-class authorization model.

A — Adaptive
5/6

Multi-cloud, K8s-native; embedded mode + sidecar deployment patterns. Authzed Cloud + SpiceDB Enterprise + OSS variants give procurement flexibility.

C — Contextual
5/6

Tuple store IS the relationship graph. Decision context fully captured.

T — Transparent
5/6

Per-decision logs with full context. Tuple inspection. Strong T.

GOALS Score

22/25
G — Governance
5/6

G1=Y, G2=Y (decision + tuple change audit), G4=Y (schema versioning), G6=Y (compliance via Authzed Cloud). 4/6 -> 5.

O — Observability
4/6

O1=Y, O2=Y (tracing across services), O3=N native, O4=Y, O5=N, O6=N. 3/6 -> 4.

A — Availability
4/6

Sub-ms decisions, multi-replica, in-memory tuple cache, hyperscale-tested. 6/6 -> 4 capped.

L — Lexicon
5/6

Relationship modeling fundamentally a lexicon discipline. L=5.

S — Solid
4/6

Decisions deterministic, typed tuples, consistency-token reads, decision metrics flag anomalies. 5/6 -> 4.

AI-Identified Strengths

  • + Zanzibar-paper-faithful — production-grade ReBAC at hyperscale
  • + Apache-2.0 OSS with strong commercial backing (Authzed Cloud + SpiceDB Enterprise)
  • + Sub-10ms p99 decisions at billions-of-tuples scale
  • + Earlier to market than OpenFGA — longer production track record + more enterprise references
  • + SpiceDB Schema Language is expressive — arrow expressions handle relationship traversal cleanly
  • + Consistency tokens (zedtokens) handle new-write visibility — critical for collaborative-sharing semantics
  • + Authzed Cloud + SpiceDB Enterprise tiers provide managed compliance + advanced features

AI-Identified Limitations

  • - Same operational complexity as OpenFGA — distributed system requires K8s expertise
  • - Smaller community than OPA's general-purpose policy ecosystem
  • - Compliance attestations come from Authzed Cloud (not SpiceDB OSS)
  • - Migration from RBAC requires authorization domain remodeling
  • - Schema-language learning curve for teams used to attribute-based policies
  • - Performance shines at scale — overkill for simple authz needs (Cerbos may fit better)
  • - Two competing implementations of Zanzibar paper (SpiceDB + OpenFGA) creates ecosystem fragmentation

Industry Fit

Best suited for

  • Same workloads as OpenFGA: multi-tenant SaaS, hierarchical permissions, sharing semantics
  • Enterprises preferring Authzed's commercial maturity + reference customers
  • Workloads needing SpiceDB Enterprise's advanced features (FGAM, materialization)
  • Teams already invested in the Authzed ecosystem

Compliance certifications

SpiceDB (OSS) holds no compliance certifications. Authzed Cloud holds SOC 2 Type II. SpiceDB Enterprise is commercial self-hosted with additional features.

Use with caution for

  • Same caution areas as OpenFGA: simple authz, attribute-based needs, limited K8s ops
  • Greenfield deployments where CNCF governance matters more than commercial maturity (OpenFGA may fit)

AI-Suggested Alternatives

OpenFGA

OpenFGA is the most direct alternative — also Zanzibar-inspired, also Apache-2.0. SpiceDB has longer production track record + commercial maturity (Authzed); OpenFGA has CNCF Sandbox + Auth0 backing + faster recent momentum. Pick by ecosystem fit + commercial support preference.

Cerbos

Cerbos is attribute-based application authorization; SpiceDB is relationship-based. They solve different problems.

OPA

OPA is general-purpose policy. SpiceDB is purpose-built ReBAC. Different scopes.


Integration in 7-Layer Architecture

Role: L5 Authorization — ReBAC engine. Sidecar or embedded deployment, sub-millisecond decisions.

Upstream: Receives Check/ListObjects requests via SDK. Receives tuple writes + schema updates.

Downstream: Returns decisions. Emits decision + tuple events to durable storage. Prometheus metrics for L6.

⚡ Trust Risks

high: Schema model errors propagate broadly. A wrong arrow expression affects every dependent permission check.

Mitigation: Use SpiceDB's testing framework. CI gate: schema changes must pass test suite covering positive + negative cases.

high: Tuple store grows unbounded; old relationships accumulate.

Mitigation: Implement tuple lifecycle. Sweep tuples on user/resource deletion. Monitor tuple count vs entity count.

high: Multi-tenant tuple leakage. tenant_A's tuples become accessible under tenant_B's context.

Mitigation: Encode tenant identity in tuple structure. Audit model + production tuples for tenant-isolation invariants.
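As an added illustration of the two mitigations above (schema testing in CI and tenant identity encoded in the tuple structure), here is a `zed validate` file; it is not from the original page or from Authzed, and the definitions, ids and user names are constructed for the example. The `view` permission is gated on tenant membership through an arrow expression, and the assertions cover both positive and negative cases, including the cross-tenant one:

```yaml
# Constructed example for `zed validate`; names and ids are illustrative.
schema: |-
  definition user {}

  definition tenant {
    relation member: user
  }

  definition document {
    relation tenant: tenant
    relation owner: user
    relation viewer: user

    // A subject must hold a direct relation AND belong to the
    // document's tenant; the intersection enforces tenant isolation.
    permission view = (owner + viewer) & tenant->member
  }

relationships: |-
  tenant:acme#member@user:alice
  tenant:acme#member@user:bob
  tenant:globex#member@user:carol
  document:roadmap#tenant@tenant:acme
  document:roadmap#owner@user:alice
  document:roadmap#viewer@user:carol

assertions:
  assertTrue:
    # owner and acme member: allowed
    - "document:roadmap#view@user:alice"
  assertFalse:
    # acme member but no relation to the document: denied
    - "document:roadmap#view@user:bob"
    # listed as viewer but belongs to globex: denied by the tenant check
    - "document:roadmap#view@user:carol"
```

Run `zed validate <file>` as the CI gate; a schema edit that drops the `& tenant->member` term makes the carol assertion fail and blocks the merge.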

high: Consistency-token misuse. Calling check() without a zedtoken when new-write visibility matters.

Mitigation: Document zedtoken semantics. Use Write-Then-Check pattern in workflows requiring new-write visibility.

medium: OSS deployment treated as having Authzed Cloud's compliance posture.

Mitigation: Use Authzed Cloud / SpiceDB Enterprise when SOC 2 is required; if self-hosting OSS for compliance, run it on an attested, independently audited platform and attest the deployment itself.

Use Case Scenarios

strong: Multi-tenant document collaboration platform on Authzed Cloud

Same as OpenFGA: relationship-based modeling fits, and Authzed Cloud provides SOC 2.

strong: Enterprise replacing scattered authz code with centralized ReBAC

SpiceDB Enterprise's commercial maturity fits enterprises requiring vendor support.

weak: Simple SaaS with flat authz model

Overkill for this case; Cerbos fits better.

Stack Impact

  • L5: Same as OpenFGA, the L5 Authorization ReBAC primitive.
  • L6: Decision logs feed the L6 SIEM.
  • L7: L7 agents call SpiceDB for per-action authorization.

This analysis is AI-generated using the INPACT and GOALS frameworks from "Trust Before Intelligence." Scores and assessments are algorithmic and may not reflect the vendor's complete capabilities. Always validate with your own evaluation.