SpiceDB is an open-source, graph-based authorization system inspired by Google Zanzibar. It provides fine-grained, relationship-based access control for your applications.

Installation and setup

Install the Python SDK:
pip install langchain-spicedb
Optional extras are available for specific framework support:
pip install langchain-spicedb[langchain]
pip install langchain-spicedb[langgraph]
pip install langchain-spicedb[all]
You also need a running SpiceDB instance. For local development:
docker run --rm -p 50051:50051 authzed/spicedb serve \
    --grpc-preshared-key "sometoken" \
    --grpc-no-tls
Create a SpiceDB schema that defines your authorization model:
from authzed.api.v1 import Client, WriteSchemaRequest
from grpcutil import insecure_bearer_token_credentials

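# insecure_bearer_token_credentials sends the preshared key without TLS,
# matching the --grpc-no-tls local development instance started above.
client = Client("localhost:50051", insecure_bearer_token_credentials("sometoken"))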

schema = """
definition user {}

definition article {
    relation viewer: user
    permission view = viewer
}
"""

# `await` needs an async context: run this in a notebook cell or inside an `async def` function.
await client.WriteSchema(WriteSchemaRequest(schema=schema))
Create relationships between users and resources:
from authzed.api.v1 import (
    WriteRelationshipsRequest,
    RelationshipUpdate,
    Relationship,
    ObjectReference,
    SubjectReference,
)

# Alice can view article:doc1
relationship = Relationship(
    resource=ObjectReference(object_type="article", object_id="doc1"),
    relation="viewer",
    subject=SubjectReference(
        object=ObjectReference(object_type="user", object_id="alice")
    ),
)

await client.WriteRelationships(
    WriteRelationshipsRequest(
        updates=[
            RelationshipUpdate(
                operation=RelationshipUpdate.OPERATION_CREATE,
                relationship=relationship,
            )
        ]
    )
)

Retriever

The SpiceDBRetriever wraps any LangChain retriever with SpiceDB authorization filtering, removing documents the user does not have permission to access.
from langchain_spicedb import SpiceDBRetriever
For a detailed walkthrough, see the SpiceDB Retriever page.
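The post-retrieval filtering described above, sketched as an added example that is not langchain-spicedb's own code: it shows the fail-closed behaviour such a filter needs when a document has no resource id or the permission check fails. `Doc`, `can_view`, `filter_authorized`, the `article_id` metadata key and the in-memory relationship set standing in for SpiceDB are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed relationships (resource type, resource id, relation, subject type,
# subject id), standing in for a SpiceDB instance loaded with the page's schema.
RELATIONSHIPS = {
    ("article", "doc1", "viewer", "user", "alice"),
    ("article", "doc2", "viewer", "user", "bob"),
}

@dataclass
class Doc:
    """Hypothetical stand-in for a retrieved LangChain document."""
    page_content: str
    metadata: dict = field(default_factory=dict)

def can_view(user_id, article_id):
    """Evaluate `permission view = viewer` against the constructed relationships."""
    return ("article", article_id, "viewer", "user", user_id) in RELATIONSHIPS

def filter_authorized(docs, user_id, check=can_view, id_key="article_id"):
    """Split docs into (allowed, denied); anything that cannot be checked is denied."""
    allowed, denied = [], []
    for doc in docs:
        resource_id = doc.metadata.get(id_key)
        try:
            # Fail closed: a missing or non-string id never reaches the check.
            ok = isinstance(resource_id, str) and bool(resource_id) and check(user_id, resource_id)
        except Exception:
            # A failing or unreachable authorization backend must not leak documents.
            ok = False
        (allowed if ok else denied).append(doc)
    return allowed, denied

# Constructed retriever output: one viewable by alice, one viewable only by bob,
# one with no relationship at all, and one missing the resource id in its metadata.
RETRIEVED = [
    Doc("Q3 roadmap", {"article_id": "doc1"}),
    Doc("Salary bands", {"article_id": "doc2"}),
    Doc("Orphaned draft", {"article_id": "doc3"}),
    Doc("Untagged chunk"),
]

if __name__ == "__main__":
    allowed, denied = filter_authorized(RETRIEVED, "alice")
    print("allowed:", [d.page_content for d in allowed])
    print("denied: ", [d.page_content for d in denied])
```

The denied list is returned rather than discarded so that it can be logged for audit.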

Tools

The SpiceDBPermissionTool and SpiceDBBulkPermissionTool enable agents to check SpiceDB permissions before taking actions.
from langchain_spicedb import SpiceDBPermissionTool, SpiceDBBulkPermissionTool
For a detailed walkthrough, see the SpiceDB Tools page.

Runnables

SpiceDBAuthFilter is an LCEL-compatible Runnable for authorization in chains. SpiceDBAuthLambda is a lightweight wrapper for use with RunnableLambda.
from langchain_spicedb import SpiceDBAuthFilter, SpiceDBAuthLambda

LangGraph nodes

Factory functions and classes for adding authorization as a node in LangGraph workflows:
from langchain_spicedb import create_auth_node, AuthorizationNode, RAGAuthState