An EU-based managed service will be great news.
We are going to use microfrontends with microservices, which should be shown/hidden on the basis of the combination of the current user, a tenant, a license and a client. It is even more complicated, but for the frontend it is probably enough information. So the user will come from an OAuth2/OIDC token and the frontend shell, which should glue all the microfrontends together, will need to create the context for the application. The shell will let the user select a tenant, which also defines the license for the user, which in turn defines the microfrontends (products) and the clients to which the user has access. A client could also be set in the context (as most of the products operate on a client), but a client could be blocked for a given user and product, so we should only show it if it is not blocked, the license of the user allows it and the tenant has rights (relation of owning or sharing) on the client. So we thought that we could in some way just call SpiceDB from the frontend to list all the microfrontends (products) which a user could see for a combination of user, tenant and optionally a client. We probably will just need to implement a REST-API in order to have this information. This information is not critical and we need it only in read-only mode; the REST-APIs will nevertheless check SpiceDB to find out if the user has enough permissions (tenant, license, client) for each call. I hope I have explained it somewhat clearly 🙂