That's correct. The PSKs in open source SpiceDB are solely used for authenticating the service to SpiceDB. Once you've authenticated, you have full access to SpiceDB. SpiceDB Enterprise (self-hosted) and AuthZed's Dedicated Cloud platform (managed) ship with the ability to control what each PSK can actually perform on the API.
If you want this functionality, we'd obviously prefer you use one of the paid products; otherwise, you'd have to do as you say and build something in front of SpiceDB, which further adds latency and additional complexity that could lead to privilege escalation if misconfigured/buggy.