SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

If you're not sensitive to the "New enemy" problem, are there any other benefits to using ZedTokens for permission checks?

yes: read your own write consistency. This is typically needed in web applications. Imagine you create a resource, then you redirect your customer to the page for that resource, but they get 403 because the permissions are stale. What's read-your-writes consistency, and that's solved with zedtokens.

If that's not a thing in your application, and you are not sensitive to the new enemy problem, then you can skip zedtokens.

So, there are no caching benefits or anything else? Will `minimize_latency` always be at least as fast as an `at_least_as_fresh` with a token?

`at_least_as_fresh` will be faster because it can utilize the caches for longer, but not much longer. `minimize_latency` will give you the chance to reuse the caches for approx 6 seconds, while `at_least_as_fresh` will let you reuse the caches for 2x the quantization window, which is currently 10 seconds.

you can tune the chance for cache hit rates by raising the quantization-window CLI parameter for spicedb