A command-line client for managing SpiceDB and Authzed.

zed features include:

• Unix-friendly interface for the v1 Authzed API
• Context switching that stores credentials securely in your OS keychain
• An experimental OPA REPL with additional builtins for checking permissions

See CONTRIBUTING.md for instructions on how to contribute and perform common tasks like building the project and running tests.

We highly recommend following the Protecting Your First App guide to learn the latest best practice to integrate an application with Authzed.

zed is currently packaged by Homebrew for both macOS and Linux. Individual releases are also available on the releases page.

brew install authzed/tap/zed

In order to do anything useful, zed first needs a context: a named pair of the endpoint and its accompanying credential.

The zed context subcommand has operations for setting the current, creating, listing, deleting contexts.

zed context set prod grpc.authzed.com:443 tc_zed_my_laptop_deadbeefdeadbeefdeadbeefdeadbeef
zed context set dev localhost:80 testpresharedkey
zed context list

At any point in time, the ZED_ENDPOINT and ZED_TOKEN environment variables can be used to override their respective values in the current context.

For each type of noun used in SpiceDB, there is a zed subcommand:

• zed schema
• zed relationship
• zed permission

For example, you can read a schema, check permissions, and create or delete relationships:

zed schema read
zed permission check document:firstdoc writer user:emilia
zed relationship create document:firstdoc reader user:beatrice
zed relationship delete document:firstdoc reader user:beatrice

Experimentally, zed embeds an instance of OPA that supports additional builtin functions for accessing SpiceDB.

The following functions have been added:

authzed.check("resource:id", "permission", "subject:id", "zedtoken")

It can be found under the zed experiment opa command:

$ zed experiment opa eval 'authzed.check("document:firstdoc", "reader", "user:emilia", "")'
{
  "result": [
    {
      "expressions": [
        {
          "value": true,
          "text": "authzed.check(\"document:firstdoc\", \"reader\", \"user:emilia\", \"\")",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}

If you are interested in OPA, please feel free to reach out to provide feedback.