Home

Awesome

Official SpiceDB Go Client

GoDoc Docs YouTube Discord Server Twitter

This repository houses the official Go client library for SpiceDB and Authzed services.

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

Developers create a schema that models their permissions requirements and use any of the official or community maintained client libraries to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications.

Supported client API versions:

Have questions? Ask in our Discord.

Looking to contribute? See CONTRIBUTING.md.

You can find issues by priority: Urgent, High, Medium, Low, Maybe. There are also good first issues.

Getting Started

We highly recommend following the Protecting Your First App guide to learn the latest best practice to integrate an application with Authzed.

Installation

If you're using a modern version of Go, run the following commands to add dependencies to your project:

go get github.com/authzed/authzed-go
go get github.com/authzed/grpcutil

grpcutil is not strictly required, but greatly reduces the boilerplate required to create a client in the general case.

Initializing a client

The NewClient() constructor is the recommended method for creating a client.

Because this library is using gRPC under the hood, you are free to leverage the wealth of functionality provided via DialOptions.

In order to successfully connect, you will have to provide a Bearer Token with your own API Token from the Authzed dashboard in place of t_your_token_here_1234567deadbeef in the following example:

import (
	"github.com/authzed/authzed-go/v1"
	"github.com/authzed/grpcutil"
)

...
systemCerts, err := grpcutil.WithSystemCerts(grpcutil.VerifyCA)
if err != nil {
	log.Fatalf("unable to load system CA certificates: %s", err)
}

client, err := authzed.NewClient(
	"grpc.authzed.com:443",
	systemCerts,
	grpcutil.WithBearerToken("t_your_token_here_1234567deadbeef"),
)
if err != nil {
	log.Fatalf("unable to initialize client: %s", err)
}

Performing an API call

Requests and response types are located in a package under proto/ respective to their API version.

Because of the verbosity of these types, we recommend writing your own functions/methods to create these types from your existing application's models.

package main

import (
	"context"
	"log"

	"github.com/authzed/authzed-go/proto/authzed/api/v1"
	"github.com/authzed/authzed-go/v1"
	"github.com/authzed/grpcutil"
)

func main() {
	emilia := &v1.SubjectReference{Object: &v1.ObjectReference{
		ObjectType: "blog/user",
		ObjectId:   "emilia",
	}}

	firstPost := &v1.ObjectReference{
		ObjectType: "blog/post",
		ObjectId:   "1",
	}

	client, err := authzed.NewClient(
		"grpc.authzed.com:443",
		grpcutil.WithSystemCerts(grpcutil.VerifyCA),
		grpcutil.WithBearerToken("t_your_token_here_1234567deadbeef"),
	)
	if err != nil {
		log.Fatalf("unable to initialize client: %s", err)
	}

	resp, err := client.CheckPermission(context.Background(), &v1.CheckPermissionRequest{
		Resource:   firstPost,
		Permission: "read",
		Subject:    emilia,
	})
	if err != nil {
		log.Fatalf("failed to check permission: %s", err)
	}

	if resp.Permissionship == v1.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION {
		log.Println("allowed!")
	}
}

Insecure Credentials

For contexts that don't require TLS, such as a development environment or integration tests, it's possible to set up a client that does not use TLS:

import (
	"github.com/authzed/grpcutil"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials/insecure"

	"github.com/authzed/authzed-go/v1"
)

client, err := authzed.NewClient(
    "localhost:50051",
    grpc.WithTransportCredentials(insecure.NewCredentials()),
    grpcutil.WithInsecureBearerToken("some token"),
)