I'm implementing SpiceDB with a simple RBAC setup (similar to the playground example). I have two users with

write

relationships to a

document

. When I remove a user (

user1

), I create a

RelationshipUpdate

with a

RelationshipUpdate_OPERATION_DELETE

. I write the relationship, and it then deletes `user1`s relationship to the document. I then immediately create a

ReadRelationshipsRequest

, also adding the Zed Token

zedToken

to the request’s

Requirement

(if it’s not null):

go
readRelationshipRequest := &pb.ReadRelationshipsRequest{
    RelationshipFilter: &pb.RelationshipFilter{
        ResourceType:       "document",
        OptionalRelation:   "writer",
        OptionalResourceId: "0123",
        OptionalSubjectFilter: &pb.SubjectFilter{
            SubjectType: "user",
        },
    },
}

if zedToken != nil {
    readRelationshipRequest.Consistency = &pb.Consistency{
        Requirement: &pb.Consistency_AtLeastAsFresh{
            AtLeastAsFresh: zedToken,
        },
    }
}
return readRelationshipRequest

The request is successful, yet it still includes

user1

even after deleting the relationship. After ~3 seconds, I make another request (gRPC) to list all

writer

relationships, and

user1

is excluded as expected. To sum up, I update a relationship (sometimes more than one), use the Zed Token in the response to immediately verify the update, and then return the final user list. Is my assumption wrong that a fresh Zed Token lets me read my own write right away? Could there be a race condition or misunderstanding on my part about SpiceDB consistency?

that seems unexpected. Which SpiceDB version and datastore are you using? Could you come up with a repro? Can you share the full snippet, including the delete, and retrieving the zedtoken from the delete operation?

While I'm preparing my code snippet, the version I'm using is

1.40.0

and Postgres 16 as the datastore.

no worries!