the flow usually goes:
1) for new resources, write permissions to spicedb, get the zedtoken
2) store the zedtoken with the content
3) send the zedtoken from the content on access attempts for that content
3a) ensuring that the permissions used are from a time after which the permissions were changed