the other option, as Jake mentioned, would be to re-expose a read-only subset of the SpiceDB API to your frontend, but you need to be careful about information leakage in doing so; it's better to issue the checks you need on the backend and only return the results in a capabilities or permission set