Authorization has become one of the most rapidly evolving domains in modern cloud-native architectures. While authentication is considered a “solved problem,” authorization continues to expand in complexity, especially as organizations build multi-service applications, rely on microservices, adopt AI agents, and scale globally. One technology that has risen to the forefront in solving authorization the right way is SpiceDB, an open-source implementation of the Zanzibar paper by Google, powering next-generation authorization engines.
This blog is based on the Software Plaza webinar “From Zanzibar to SpiceDB: Rethinking Access Control at AuthZed.”
1. SpiceDB is built on the groundbreaking Zanzibar authorization model
In 2019, Google released the Zanzibar paper, explaining how it authorizes billions of users across its products. The paper introduced Relationship-Based Access Control (ReBAC), a major shift from traditional RBAC. Instead of assigning static roles, ReBAC models real-world relationships between people, teams, departments, documents, folders, and organizations. Authorization becomes a graph problem, allowing far more flexibility and accuracy.
For example, a user may access a document not because they’re a “Reader,” but because they belong to a team within a department that owns the folder containing the document. This relationship-driven model maps naturally to modern organizational structures, and SpiceDB fully embraces this paradigm, making it uniquely powerful and adaptable.
2. SpiceDB is a “love letter” to the Zanzibar paper
Oso’s SpiceDB is their “love letter to the Zanzibar paper,” bringing Google’s authorization ideas to the wider world in an open, accessible, and developer-friendly form. SpiceDB implements the core concepts of Zanzibar but wraps them in a model that engineers can understand and adopt quickly.
A key design choice is to treat authorization like a database rather than a scattered collection of libraries or a standalone policy engine. This database-like approach means authorization logic is predictable, centralized, and consistent, reducing complexity and making it much easier to evolve and reason about over time.
3. SpiceDB is designed for extreme low latency
Authorization happens on the critical path of almost every interaction, such as opening a document, sharing a resource, loading a dashboard, or executing an API call. SpiceDB is built for this demanding environment, providing ultra-low latency even at very large scales. It uses gRPC over HTTP/2 to keep long-lasting, efficient connections, reducing network load.
Internally, SpiceDB divides complex authorization queries into smaller, parallel subqueries and employs hotspot caching to quickly reuse frequently accessed relationship data. Its distributed architecture, based on consistent hashing and peer-to-peer computation, supports horizontal scaling while ensuring consistent performance.
4. ReBAC is more flexible than RBAC, ABAC, or policy engines
SpiceDB’s ReBAC model extends beyond traditional access-control methods by acting as a comprehensive framework that can represent RBAC, ABAC, ACLs, hierarchical inheritance, resource-scoped roles, and complex domain-specific rules. Organizations often outgrow RBAC when they need to model nuanced scenarios such as document ownership, nested teams, project-based permissions, or varying levels of access across business units.
ReBAC excels here because it maps relationships directly between users and resources, enabling rich context-aware authorization. This adaptability makes SpiceDB an ideal fit for SaaS multi-tenant platforms, enterprise systems, collaborative environments, AI agent permissions, complex B2B workflows, and document hierarchies. Its versatility is one key reason companies like OpenAI rely on SpiceDB to manage authorization reliably across rapidly scaling products.
5. SpiceDB centralizes authorization, leading to massive developer productivity gains
Many teams begin with authorization logic distributed across multiple services, resulting in duplicated code, inconsistent behavior, and costly refactoring whenever policies evolve. As systems grow, updating permissions becomes a painful, multi-service deployment effort. SpiceDB eliminates this bottleneck by centralizing authorization in a single authoritative system. Instead of embedding rules in code, developers adjust schemas and relationships directly within SpiceDB, allowing policies to change without touching application logic. This reduces engineering effort, simplifies maintenance, and improves reliability.
6. SpiceDB provides “Lookup” APIs
While most authorization systems only answer “Can user X access Y?”, SpiceDB unlocks an entirely new dimension through powerful lookup APIs. These allow you to query the system for “What objects can this user access?”, “Who can access this resource?”, or “What permissions does this user have across the platform?” These capabilities enable high-value product features such as pre-filled sharing menus, dynamic dropdowns, guided collaboration flows, access reviews, compliance reports, and real-time audit dashboards.
Since these lookups rely on the same relationship-based model that powers access checks, they remain accurate and up-to-date without additional engineering effort. Many teams discover that lookup APIs are among the most transformative and unexpected advantages of adopting SpiceDB’s ReBAC approach.
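The team/department/folder/document example from section 1 and the lookup questions above, worked through as an added illustration (not SpiceDB's API, schema language, or code from the webinar). It is a toy in-memory evaluator; every object name, the `SCHEMA` layout, and the function names are constructed for this example, and the lookups use brute-force checks for clarity.

```python
from collections import defaultdict

# Constructed tuples (resource, relation, subject) for the example in the text:
# a team within a department that owns the folder containing the document.
TUPLES = [
    ("team:platform", "member", "user:alice"),
    ("team:sales", "member", "user:bob"),
    ("department:eng", "team", "team:platform"),
    ("folder:designs", "owner", "department:eng"),
    ("document:roadmap", "parent", "folder:designs"),
    ("document:pricing", "viewer", "user:bob"),
]
# Hypothetical schema: each permission is a union of direct relations and
# "arrows" (follow a relation, then evaluate a permission on its target).
SCHEMA = {
    ("team", "member"): [("direct", "member")],
    ("department", "member"): [("arrow", "team", "member")],
    ("folder", "view"): [("arrow", "owner", "member")],
    ("document", "view"): [("direct", "viewer"), ("arrow", "parent", "view")],
}
INDEX = defaultdict(set)
for res, rel, subj in TUPLES:
    INDEX[(res, rel)].add(subj)

def check(resource, permission, subject, seen=None):
    """Can `subject` exercise `permission` on `resource`? Walks the graph."""
    seen = set() if seen is None else seen
    if (resource, permission) in seen:  # already explored: stops cycles
        return False
    seen.add((resource, permission))
    rtype = resource.split(":", 1)[0]
    for kind, relation, *via in SCHEMA.get((rtype, permission), []):
        targets = INDEX.get((resource, relation), set())
        if kind == "direct" and subject in targets:
            return True
        if kind == "arrow" and any(check(t, via[0], subject, seen) for t in targets):
            return True
    return False

def lookup_resources(rtype, permission, subject):
    """'What objects can this user access?' answered by brute-force checks."""
    candidates = {r for r, _, _ in TUPLES if r.startswith(rtype + ":")}
    return sorted(r for r in candidates if check(r, permission, subject))

def lookup_subjects(resource, permission, stype="user"):
    """'Who can access this resource?' answered from the same tuples."""
    candidates = {s for _, _, s in TUPLES if s.startswith(stype + ":")}
    return sorted(s for s in candidates if check(resource, permission, s))
```

Alice holds no tuple on `document:roadmap` itself; her access is derived entirely from the chain of relationships, and both lookups read the same tuples as the check.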
7. SpiceDB powers enterprise-grade AI authorization
The rise of AI agents, autonomous tools, and Retrieval-Augmented Generation (RAG) pipelines has introduced entirely new authorization challenges. As organizations feed data into vector stores and allow agents to act on behalf of users, enforcing permissions becomes far more complex. SpiceDB is uniquely suited for this environment. OpenAI, for example, uses SpiceDB concepts to ensure embedded or retrieved data respects original access policies, preventing unauthorized exposure.
SpiceDB controls which tools agents can invoke, enforces fine-grained restrictions, and maps AI identities back to their responsible human owners, which is critical in regulated industries. As one founder noted, “AI agents are like interns, but you hire 1,000 of them every hour.” Few systems can authorize at this speed and scale; SpiceDB is one of them.
8. SpiceDB offers two deployment models: Oso Dedicated & Oso Cloud
Although SpiceDB is fully open source, many organizations prefer a managed offering so they don’t need to operate their own authorization infrastructure. Oso provides two options: Oso Dedicated and Oso Cloud. Oso Dedicated is a fully managed, single-tenant deployment running inside a private VPC near the customer’s workloads. It suits enterprises requiring strict network isolation, custom tuning, and multi-region active-active performance.
Oso Cloud delivers the same SpiceDB engine through shared control planes, making it more cost-effective and accessible for startups and mid-sized teams. Despite architectural differences, both options guarantee single-tenant data storage, high availability, strong security, and enterprise-grade SLAs, ensuring organizations can rely on SpiceDB as a robust, trusted authorization backbone.
9. Adopting ReBAC is about more than just security
Implementing ReBAC through SpiceDB certainly enhances security, but its benefits extend far beyond locking down access. Teams consistently report dramatic improvements in performance, reduced engineering effort, fewer bugs stemming from scattered logic, and faster rollout of new roles or customer-specific access models. These gains translate into faster feature delivery, smoother enterprise onboarding, and a more intuitive experience for end users, who benefit from predictable, consistent access behavior.
Compliance and security teams appreciate the improved transparency and auditability, while engineering teams value the operational simplicity. Ultimately, adopting ReBAC with SpiceDB is not just a technical upgrade; it is a structural improvement that enables software teams to innovate faster, operate with confidence, and scale their systems more cleanly.
Final Thoughts
Authorization is no longer just a backend afterthought; it is a critical architectural foundation for modern SaaS platforms, large enterprises, AI-driven systems, and data-intensive applications.
SpiceDB and the ReBAC model provide organizations with flexibility, scalability, centralized policy management, rapid authorization, and future-proof support for AI and non-human identities. Whether you're developing a multi-tenant SaaS platform or securing AI agents, SpiceDB offers the right tools for proper authorization.
This blog is based on our interview with Jake Moshenko, Co-founder & CEO of AuthZed. You can watch the full video here.


