SpiceDB / AuthZed

A Google Zanzibar-inspired fine-grained authorisation database (SpiceDB, open source, 6.4k+ GitHub stars) with a commercial cloud offering (AuthZed). Provides relationship-based access control (ReBAC) that scales to billions of relationships, with schema versioning and consistency guarantees. OpenAI uses AuthZed for ChatGPT authorization.

AI applications need authorisation that traditional RBAC cannot provide — per-document access in RAG pipelines, per-tool permissions for agents, and context-dependent access decisions. SpiceDB's relationship-based model maps naturally to these AI-specific authorisation patterns. A centralised permission system eliminates authorization silos across your application ecosystem.

Implement when you need fine-grained authorisation for AI applications, particularly RAG systems with document-level access control or agent systems with tool-level permissions. SpiceDB is self-hosted (Expert Required); AuthZed Cloud is a managed alternative. Schema design and application integration required either way.

Risks addressed — mapped to both OWASP Top 10 standards. 3 in LLM, 2 in Agentic.

What Yuntona stores. Single source of truth — fork it on GitHub.

name: SpiceDB / AuthZed
slug: spicedb-authzed
type: Mixed
category: Identity & AppSec
url: https://authzed.com

reviewed:   2026-04
added:      2026-04
updated:    2026-04

risks:
  llm:  [LLM01, LLM07, LLM08]
  asi:  [ASI02, ASI03]

complexity:    Expert Required
pricing:       —
audience:      Builder
lifecycle:     [develop]

tags: [AuthZ, Open Source, Permissions, ReBAC, Zanzibar]