SpiceDB integrations

SpiceDB is an open-source, graph-based authorization system inspired by Google Zanzibar. It provides fine-grained, relationship-based access control for your applications.

Installation and setup

Install the Python SDK:

pip install langchain-spicedb

Optional extras are available for specific framework support:

pip install langchain-spicedb[langchain]
pip install langchain-spicedb[langgraph]
pip install langchain-spicedb[all]

You also need a running SpiceDB instance. For local development:

docker run --rm -p 50051:50051 authzed/spicedb serve \
    --grpc-preshared-key "sometoken" \
    --grpc-no-tls

Define your schema and permissions

Create a SpiceDB schema that defines your authorization model:

from authzed.api.v1 import Client, WriteSchemaRequest
from grpcutil import insecure_bearer_token_credentials

client = Client("localhost:50051", insecure_bearer_token_credentials("sometoken"))

schema = """
definition user {}

definition article {
    relation viewer: user
    permission view = viewer
}
"""

await client.WriteSchema(WriteSchemaRequest(schema=schema))

Create relationships between users and resources:

from authzed.api.v1 import (
    WriteRelationshipsRequest,
    RelationshipUpdate,
    Relationship,
    ObjectReference,
    SubjectReference,
)

# Alice can view article:doc1
relationship = Relationship(
    resource=ObjectReference(object_type="article", object_id="doc1"),
    relation="viewer",
    subject=SubjectReference(
        object=ObjectReference(object_type="user", object_id="alice")
    ),
)

await client.WriteRelationships(
    WriteRelationshipsRequest(
        updates=[
            RelationshipUpdate(
                operation=RelationshipUpdate.OPERATION_CREATE,
                relationship=relationship,
            )
        ]
    )
)

Retriever

The SpiceDBRetriever wraps any LangChain retriever with SpiceDB authorization filtering, removing documents the user does not have permission to access.

from langchain_spicedb import SpiceDBRetriever

For a detailed walkthrough, see the SpiceDB Retriever page.

Tools

The SpiceDBPermissionTool and SpiceDBBulkPermissionTool enable agents to check SpiceDB permissions before taking actions.

from langchain_spicedb import SpiceDBPermissionTool, SpiceDBBulkPermissionTool

For a detailed walkthrough, see the SpiceDB Tools page.

Runnables

SpiceDBAuthFilter is an LCEL-compatible Runnable for authorization in chains. SpiceDBAuthLambda is a lightweight wrapper for use with RunnableLambda.

from langchain_spicedb import SpiceDBAuthFilter, SpiceDBAuthLambda

LangGraph nodes

Factory functions and classes for adding authorization as a node in LangGraph workflows:

from langchain_spicedb import create_auth_node, AuthorizationNode, RAGAuthState

Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

Edit this page on GitHub or file an issue.

Popular Providers

Integrations by component

Installation and setup

Retriever

Tools

Runnables

LangGraph nodes

Popular Providers

Integrations by component

Documentation Index

​Installation and setup

​Retriever

​Tools

​Runnables

​LangGraph nodes

​Related resources

Installation and setup

Retriever

Tools

Runnables

LangGraph nodes

Related resources