but can you explain more of what you'd like to see?

is it an assertion you want?

you can do it from the

zed

tab

i want to validate if user has the relation to all the resources i expect. assertTrue also starts with a resource like 'document:doc1....' , wondering if there was a way to say 'user:user1#...'

no; you can use expected relations for that but it is still resource -> all subjects

is there no other way to assert / query based on user in the playground?

assertions are always a single resource + permission + subject

Hello, i need help with modeling the schema to support my usecase I have a list api /accounts that returns a list of accounts. I have two types of users, 1) Global user 2) User within a territory. For 1), /accounts should return all the accounts. For 2), /accounts should return the accounts mapped to the user's territory. I have a

read

permission and

read_by_territory

. How do i merge them into a single permission? I tried using caveats but didn't succeed. Any help is greatly appreciated. definition user {} definition account { relation location: territory relation reader: user permission read = reader permission read_by_territory = read & location->assigned } definition territory { relation assigned_to: user permission assigned = assigned_to }

Hey folks, we're hitting an error with SpiceDB Serverless: 'CheckBulkPermissions is not yet supported in SpiceDB Serverless'. Does anyone know if there's a timeline for when this feature will be implemented in Serverless, or if there are any workarounds we should consider in the meantime?

There is, at present time, no scheduled timeline to add support for it

the recommendation remains to run standard checks in parallel

Thanks @Joey . Will do that

How can I apply jobs?

Hi folks! I've began noticing tons of "context canceled" errors on Datadog traces coming from the dispatch service. Is this expected? Unsure if this has been asked before, so apologies if this information is already available elsewhere. We do not have dispatch cluster enabled, in case that's relevant

How does SpiceDB compare to Keycloak's authorization functionality? If possible, how would they work together? Thanks

Hi, I'm trying to test spicedb-kubeapi-proxy from https://github.com/authzed/spicedb-kubeapi-proxy using the default sample rules at https://github.com/authzed/spicedb-kubeapi-proxy/blob/main/deploy/rules.yaml (and contributing learnings into https://github.com/authzed/spicedb-kubeapi-proxy/issues/48 ) I'm currently blocked with the api proxy hanging while responding to k8s api requests generated from "kubectl create namespace a-namespace". With -v9 verbose logging, the proxy logs confirm the upstream backend POST call suceeded. I'm running with embedded spicedb and in memory sqlite. Triggering a thread dump by sending a SIGQUIT signal shows on thread apparently waiting for the async relations in the github.com/authzed/spicedb-kubeapi-proxy/pkg/authz.(*AuthzData).FilterObject(0xc00095f3b0, 0xc000d99268, {0xc000245880, 0x210, 0x380}) call . Is this the right place to exchange on usage of the proxy ? I see the discussions are not yet enabled onto https://github.com/authzed/spicedb-kubeapi-proxy/ and wonder whether an issue is more appropriate. EDIT: I submitted additional diagnostic details into https://github.com/authzed/spicedb-kubeapi-proxy/issues/106 Thanks in advance for your help.

How can we restricted api access in spice db , or using token or what ,how can we implement restricted api access.

Hi team, I'm really interested in spiceDB and wanted to share a few ideas from my perspective as an AI/ML engineer working on scalable backend systems. First off, I've been impressed by authzed's scalability—handling up to a million qps is no small feat. that said, I've noticed some performance inconsistencies and latency spikes during high-traffic periods or after feature rollouts. This might be a great opportunity to explore ML-driven anomaly detection across metrics like latency, throughput, and error rates. It could help proactively surface issues before they affect users. On a similar note, predictive analytics could be valuable for forecasting capacity needs and fine-tuning resource allocation—especially as systems scale. I also see potential around schema design and migration. while the existing CI/CD support for schema validation is solid, complex policies can still introduce subtle bugs or lead to unintended access patterns. for teams unfamiliar with zanzibar-style models, this can be a real hurdle. It might be worth exploring AI-powered tooling that can analyze application models and suggest optimized spiceDB schema definitions, or even assist with migrating legacy auth systems—automating some of the heavy lifting and reducing error-prone manual effort. I’ve got a few other ideas as well and would be happy to chat or brainstorm further if that’s helpful. Thanks for all the great work you’re doing—big fan of the project.

how can i connect localhost spicedb

i's parameter is addr=:9090 insecure=true service=metrics

Hey guys , i have my spicedb in k8s and and have schema and relations uploaded , when i am trying to write new relationship and then delete it using grpcurl commands,its not reflecting in my database postgres , what could be the issue for it?

I have done write relationship and check permission and then deleted in check permission again but it's not behaving fully consistent as documented in docs

👋 Hello yall, how're things going? I'm seeing some strange behaviour in our SpiceDB that I wouldn't know how to debug. On sending a request like:

zed permission lookup-resources document can_comment user:$uuid --page-limit 100

(can comment is a permission backed by a relation that allows for user:*, just in case it makes any difference) We get a flamegraph that looks like this (see attached). The strange thing is that the sql queries occur during the 1st ~10ms of the request, but then the request hangs for 30s, until it times out on server side. Do you know what can be causing this? should we just discourage the use of lookup resources for wildcard-backed relations? https://cdn.discordapp.com/attachments/844600078948630559/1376849986460979313/CleanShot_2025-05-27_at_10.08.06.png?ex=6836d2f9&is=68358179&hm=d7e08c9480a952fb7138c84293967c4f0e5026cece0c7090bdc934ba636fa971&

Hi all. We are using the SpiceDB operator for our deployment. We're also using an nginx ingress infront of the spiceDB cluster. What we are observing is if a pod is shutdown and a new pod spun up to take its place, for a few minutes after, we are seeing errors like

rpc error: code = DeadlineExceeded desc = received context error while waiting for new LB policy update: context deadline exceeded

We have the gRPC shutdown grace period set to 5s currently.

because the storage doesn't work the way you think it does

in order to be able to call the API with

at_exact_snapshot

, postgres needs to keep around rows that have been deleted, so deletes don't actually remove rows from the database

they mark the row as deleted using the

deleted_xid

column

Is there a formal grammar description for the schema language?

like an abstract specification? no, not currently.

Hi guys! Is there a way I can propagate a traceId into the requests and have them appear inside the logs?