Start with Identity
Authorization

AuthZed

Founded 2020New York, New York, USAPrivate (open source)Score 4.3/5Evaluated 2026-06-19Website ↗

Capability scores

Methodology →
Authentication
2.0
SSO & Federation
2.0
Authorization
5.0
Lifecycle & Provisioning
2.5
MFA & Passwordless
1.5
Governance & Audit
3.5
Developer Experience
4.5
Deployment Flexibility
4.5
Pricing Transparency
3.5
Support & Ecosystem
3.0

Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.

Overview

AuthZed builds SpiceDB, an open-source authorization system directly inspired by Google's Zanzibar paper, plus a managed cloud and enterprise editions. It is a relationship-based access control (ReBAC) engine: you model permissions as a graph of relationships between subjects and objects, then check access by traversing that graph. Founded in 2020 and privately held, AuthZed is one of the two leading Zanzibar-style options alongside the CNCF project OpenFGA. SpiceDB itself is open source under the Apache 2.0 license.

What it is good at

The relationship model and its operational maturity are the strengths. SpiceDB handles nested ownership, sharing, groups, and hierarchies that plain RBAC cannot express cleanly, and it offers strong consistency controls (Zookies/consistency tokens) to avoid the "new enemy" problem where stale permissions leak access. It is designed for scale and low-latency checks, with a well-regarded schema language, good SDKs, and the option to self-host or run AuthZed's managed cloud and dedicated offerings. For sharing- and hierarchy-heavy domains, it is a top-tier choice.

Where it falls short

ReBAC demands modeling discipline: you must think in relationships and operate a tuple store, which is overkill if your rules are simple attribute or role checks. Like every pure authorization engine it does nothing for authentication, SSO, or MFA. Self-hosting at large scale needs care around datastore choice and tuning, and managed pricing trades operational burden for cost.

Pricing

Open-source SpiceDB is free to self-host under Apache 2.0. AuthZed's managed cloud, dedicated, and enterprise tiers are usage-based and quote-based at the high end. Model your costs with the TCO calculator.

Best for, and who should look elsewhere

Choose AuthZed/SpiceDB when permissions are fundamentally about relationships and you want a mature Zanzibar implementation. Compare it head to head in AuthZed vs OpenFGA and the three-way OpenFGA vs AuthZed vs Cerbos. If your rules are attribute-driven, look at Cerbos. See the authorization guide.

Bottom line

A leading choice when permissions are fundamentally about relationships, for teams ready to model in ReBAC and operate a relationship store or pay for the managed cloud.

By SWI Community Team · Last evaluated 2026-06-19

Independent, community-driven analysis. No vendor sponsorship. Compiled from public research and community input and verified on a best-effort basis, so details may be incomplete or out of date. Scores are opinions, not advice. Trademarks belong to their owners; mention does not imply affiliation or endorsement. See the full disclaimer, or send corrections to community@startwithidentity.com.