spicedb/internal/services/v1/permissions...
# spicedb
e
Morning. After a read of the CheckPermission() impl (https://github.com/authzed/spicedb/blob/HEAD/internal/services/v1/permissions.go#L55), it does not look like it is possible to log every call (maybe besides using tracing and setting sampling=1.0). I am wondering what it would take to do a GCP-like permission analyzer that could tell you if a permission was actually used in the last month. Did anyone build something like it, and if so, how?
v
This is a feature in Authzed Dedicated - Audit Logs. You can build it by doing a custom gRPC middleware that intercepts all gRPC calls, and then you do with that information whatever you want. If you are ok with using application logs as your input, you can get that information as well, by enabling the request payload flag, although please note that comes with overhead if requests are big.
e
grpcInterceptor is a good idea (of course also not without overhead). What's the request payload flag?
v
You can implement it with minimal overhead, we did so. At the expense of async delivery.
      --grpc-log-requests-enabled             logs API request payloads
      --grpc-log-responses-enabled            logs API response payloads
Unfortunately there is no way to get audit trails with zero overhead. There is always a tradeoff to make.