diff --git a/app/authzed/concepts/rate-limiting/page.mdx b/app/authzed/concepts/rate-limiting/page.mdx
new file mode 100644
index 0000000..0928720
--- /dev/null
+++ b/app/authzed/concepts/rate-limiting/page.mdx
@@ -0,0 +1,438 @@
+---
+title: "Rate Limiting"
+description: "Configure distributed rate limiting for AuthZed API requests"
+---
+
+import { Callout } from "nextra/components";
+
+# Rate Limiting
+
+
+ **Tech Preview**: This feature is currently in Tech Preview and is subject to
+ change. It is available exclusively in AuthZed Dedicated and SpiceDB
+ Enterprise.
+
+
+AuthZed Dedicated and SpiceDB Enterprise include a distributed rate limiting feature that allows you to control API request rates using flexible matching and bucketing rules. Rate limits are configured via YAML and can be applied globally, per-endpoint, per-service-account, or using custom CEL expressions.
+
+This feature works seamlessly with [Restricted API Access](/authzed/concepts/restricted-api-access) to provide comprehensive control over how your services interact with AuthZed.
+
+## Overview
+
+The rate limiting feature provides:
+
+- **Flexible Matching**: Apply rate limits based on endpoints, service accounts, roles, headers, or custom CEL expressions
+- **Custom Bucketing**: Group requests into rate limit buckets by service account, token, headers, or custom logic
+- **Distributed Coordination**: Coordinate rate limits globally across multiple replicas
+- **Graceful Degradation**: Automatically adjusts limits when coordination is unavailable
+
+## Configuration
+
+The process for configuring rate limiting varies depending on the AuthZed product you're using.
+
+### Dedicated & Cloud
+
+For AuthZed Dedicated, rate limits are configured using the same FGAM configuration file used for [Restricted API Access](/authzed/concepts/restricted-api-access).
+
+Upload your FGAM configuration file (which can include both Restricted API Access and rate limiting rules) through the web dashboard in the Permission System's "Access" tab.
+
+Create a YAML file with your rate limit definitions:
+
+```yaml /dev/null/rate-limits.yaml#L1-50
+rate_limits:
+ # Global rate limit (applies to all requests)
+ - id: "global-limit"
+ displayName: "Global API Rate Limit"
+ match:
+ all: true
+ limit:
+ unit: "second"
+ requests_per_unit: 1000
+
+ # Per-endpoint rate limit
+ - id: "check-permission-limit"
+ displayName: "CheckPermission Rate Limit"
+ match:
+ endpoint: ["CheckPermission"]
+ limit:
+ unit: "second"
+ requests_per_unit: 500
+
+ # Multiple endpoints
+ - id: "read-endpoints-limit"
+ displayName: "Read Endpoints Rate Limit"
+ match:
+ endpoint:
+ - "CheckPermission"
+ - "ReadRelationships"
+ limit:
+ unit: "second"
+ requests_per_unit: 1000
+
+ # Per-service-account with bucketing
+ - id: "sa-limit"
+ displayName: "Service Account Limit"
+ match:
+ service_account: ["high-volume-client"]
+ bucket_by:
+ service_account: true
+ limit:
+ unit: "minute"
+ requests_per_unit: 10000
+
+ # Using headers for tenant-based rate limiting
+ - id: "tenant-limit"
+ displayName: "Per-Tenant Rate Limit"
+ match:
+ endpoint:
+ - "CheckPermission"
+ - "ReadRelationships"
+ bucket_by:
+ request: 'headers["x-tenant-id"]'
+ limit:
+ unit: "second"
+ requests_per_unit: 100
+```
+
+
+ For Dedicated & Cloud, the rate limiting configuration is applied through the
+ FGAM file upload. There is no separate UI or API for rate limiting
+ configuration at this time.
+
+
+## Rate Limit Configuration Reference
+
+### Matching Criteria
+
+Every rate limit **must** specify at least one match criterion. All fields within a match use AND logic (all conditions must be true).
+
+#### Available Match Fields
+
+- **`all`**: Matches all requests (must be the only field in match)
+- **`endpoint`**: Array of API method names (OR logic within array)
+- **`service_account`**: Array of FGAM service account IDs (OR logic within array)
+- **`role`**: Array of FGAM role names (OR logic within array)
+- **`header`**: Array of header match objects (OR logic within array)
+- **`request`**: CEL expression for complex matching logic
+
+#### Match Examples
+
+```yaml /dev/null/match-examples.yaml#L1-60
+rate_limits:
+ # Global rate limit
+ - id: "global"
+ match:
+ all: true
+ limit:
+ unit: "second"
+ requests_per_unit: 1000
+
+ # Single endpoint
+ - id: "single-endpoint"
+ match:
+ endpoint: ["CheckPermission"]
+ limit:
+ unit: "second"
+ requests_per_unit: 100
+
+ # Multiple endpoints (OR logic)
+ - id: "multiple-endpoints"
+ match:
+ endpoint:
+ - "CheckPermission"
+ - "ReadRelationships"
+ - "LookupResources"
+ limit:
+ unit: "second"
+ requests_per_unit: 200
+
+ # Endpoint AND role (both must match)
+ - id: "admin-reads"
+ match:
+ endpoint: ["ReadRelationships"]
+ role: ["admin"]
+ limit:
+ unit: "minute"
+ requests_per_unit: 5000
+
+ # Header matching (single header)
+ - id: "premium-tier"
+ match:
+ header:
+ - name: "x-tier"
+ value: "premium"
+ limit:
+ unit: "second"
+ requests_per_unit: 500
+
+ # Multiple headers (OR logic)
+ - id: "high-tier"
+ match:
+ header:
+ - name: "x-tier"
+ value: "premium"
+ - name: "x-tier"
+ value: "enterprise"
+ limit:
+ unit: "second"
+ requests_per_unit: 1000
+```
+
+### CEL Expressions
+
+Use CEL expressions for advanced matching and bucketing logic. CEL expressions have access to:
+
+- **`endpoint`**: The API endpoint string
+- **`serviceAccount`**: The service account ID
+- **`headers`** or **`meta`**: gRPC metadata headers as `map[string]string`
+- **Request fields**: Access request proto fields (e.g., `CheckPermissionRequest.resource.object_type`)
+
+#### CEL Match Examples
+
+```yaml /dev/null/cel-match-examples.yaml#L1-40
+rate_limits:
+ # Pattern matching on service account
+ - id: "batch-services"
+ match:
+ request: 'serviceAccount.startsWith("batch-")'
+ limit:
+ unit: "minute"
+ requests_per_unit: 50000
+
+ # Complex cross-field logic
+ - id: "premium-endpoints"
+ match:
+ request: |
+ (endpoint in ["CheckPermission", "ReadRelationships"]) &&
+ (headers.get("x-tier", "") in ["premium", "enterprise"])
+ limit:
+ unit: "second"
+ requests_per_unit: 2000
+
+ # Request content filtering
+ - id: "document-checks"
+ displayName: "Per-Document Check Limit"
+ match:
+ endpoint: ["CheckPermission"]
+ request: 'CheckPermissionRequest.resource.object_type == "document"'
+ limit:
+ unit: "second"
+ requests_per_unit: 10
+
+ # Conditional based on request size
+ - id: "bulk-writes"
+ match:
+ endpoint: ["WriteRelationships"]
+ request: "size(WriteRelationshipsRequest.updates) > 100"
+ limit:
+ unit: "minute"
+ requests_per_unit: 100
+```
+
+### Bucketing
+
+Bucketing determines how requests are grouped into separate rate limit counters.
+
+#### Bucketing Options
+
+- **`service_account: true`**: Separate bucket per service account
+- **`token: true`**: Separate bucket per API token
+- **`header: ""`**: Separate bucket per header value
+- **`request: ""`**: Custom bucketing logic via CEL
+
+#### Bucketing Examples
+
+```yaml /dev/null/bucketing-examples.yaml#L1-55
+rate_limits:
+ # Per-service-account bucketing
+ - id: "per-sa"
+ match:
+ all: true
+ bucket_by:
+ service_account: true
+ limit:
+ unit: "second"
+ requests_per_unit: 100
+
+ # Per-tenant bucketing using header
+ - id: "per-tenant"
+ match:
+ endpoint: ["CheckPermission"]
+ bucket_by:
+ request: 'headers["x-tenant-id"]'
+ limit:
+ unit: "second"
+ requests_per_unit: 50
+
+ # Bucket by request field
+ - id: "per-document"
+ match:
+ endpoint: ["CheckPermission"]
+ request: 'CheckPermissionRequest.resource.object_type == "document"'
+ bucket_by:
+ request: "CheckPermissionRequest.resource.object_id"
+ limit:
+ unit: "second"
+ requests_per_unit: 10
+
+ # Complex bucketing combining multiple values
+ - id: "composite-bucket"
+ match:
+ endpoint:
+ - "CheckPermission"
+ - "ReadRelationships"
+ bucket_by:
+ request: |
+ endpoint + "/" +
+ headers.get("x-tenant-id", "default") + "/" +
+ serviceAccount
+ limit:
+ unit: "minute"
+ requests_per_unit: 1000
+```
+
+### Rate Limit Units
+
+The `unit` field supports:
+
+- `"second"`
+- `"minute"`
+- `"hour"`
+- `"day"`
+
+You can also specify custom durations using Go duration syntax (e.g., `"30s"`, `"15m"`, `"2h"`, `"90s"`).
+
+## Error Responses
+
+When a rate limit is exceeded, the API returns:
+
+- **gRPC Status Code**: `RESOURCE_EXHAUSTED`
+- **Response Trailers**:
+ - `x-ratelimit-id`: The rate limit ID that was exceeded
+ - `x-ratelimit-key`: The bucket key
+ - `retry-after`: Seconds until the client can retry
+
+Example error handling in Go:
+
+```go /dev/null/error-handling.go#L1-20
+import (
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+resp, err := client.CheckPermission(ctx, req)
+if err != nil {
+ if st, ok := status.FromError(err); ok {
+ if st.Code() == codes.ResourceExhausted {
+ // Rate limit exceeded
+ trailer := // extract trailer metadata
+ rateLimitID := trailer.Get("x-ratelimit-id")
+ retryAfter := trailer.Get("retry-after")
+
+ // Implement backoff logic
+ log.Printf("Rate limit %s exceeded, retry after %s seconds",
+ rateLimitID, retryAfter)
+ }
+ }
+}
+```
+
+## Self-Hosted Configuration
+
+The following sections apply only to self-hosted SpiceDB Enterprise deployments.
+
+### Basic Setup
+
+For self-hosted SpiceDB Enterprise deployments, use the following command-line flag:
+
+| Flag | Description | Default |
+| --------------------- | --------------------------------------------------- | ------- |
+| `--rate-limit-config` | Path to YAML file containing rate limit definitions | |
+
+```bash /dev/null/self-hosted-basic.sh#L1-3
+spicedb serve \
+ --rate-limit-config=/path/to/config.yaml \
+ ...
+```
+
+The YAML file follows the same format as shown in the configuration examples above.
+
+### Distributed Rate Limiting
+
+
+ Distributed rate limiting with gossip coordination is only configurable for
+ self-hosted SpiceDB Enterprise deployments. AuthZed Dedicated handles this
+ automatically.
+
+
+For self-hosted deployments, you can enable distributed coordination across replicas using gossip for accurate global rate limits.
+
+#### Enabling Gossip
+
+```bash /dev/null/gossip-flags.sh#L1-10
+spicedb serve \
+ --rate-limit-config=/path/to/config.yaml \
+ --rate-limit-gossip-enabled=true \
+ --rate-limit-gossip-listen-addr=:6000 \
+ --rate-limit-gossip-target-service=spicedb \
+ --rate-limit-gossip-port-name=gossip \
+ --rate-limit-gossip-replicas=3 \
+ --rate-limit-gossip-use-dispatch-tls=true \
+ ...
+```
+
+#### Gossip Configuration Flags
+
+| Flag | Default | Description |
+| -------------------------------------- | --------- | ------------------------------------------- |
+| `--rate-limit-gossip-enabled` | `false` | Enable distributed rate limiting via gossip |
+| `--rate-limit-gossip-listen-addr` | `:6000` | Address for gossip connections |
+| `--rate-limit-gossip-target-service` | `spicedb` | Kubernetes service name for peer discovery |
+| `--rate-limit-gossip-port-name` | `""` | Port name to use for peer addresses |
+| `--rate-limit-gossip-replicas` | `1` | Number of replicas for rate division |
+| `--rate-limit-gossip-use-dispatch-tls` | `false` | Use dispatch TLS certificates for gossip |
+| `--rate-limit-gossip-tls-cert` | `""` | TLS certificate for gossip |
+| `--rate-limit-gossip-tls-key` | `""` | TLS key for gossip |
+| `--rate-limit-gossip-tls-ca` | `""` | TLS CA for mutual TLS |
+| `--rate-limit-gossip-tls-server-name` | `""` | Server name for TLS verification |
+
+### Monitoring
+
+For self-hosted SpiceDB Enterprise deployments, rate limiting exposes Prometheus metrics for monitoring:
+
+| Metric | Type | Description |
+| -------------------------------------------------- | --------- | ------------------------------ |
+| `spicedb_ratelimit_check_latency_seconds` | Histogram | Rate limit check latency |
+| `spicedb_ratelimit_gossip_messages_sent_total` | Counter | Gossip messages sent |
+| `spicedb_ratelimit_gossip_messages_dropped_total` | Counter | Messages dropped (buffer full) |
+| `spicedb_ratelimit_gossip_peers_active` | Gauge | Active peer connections |
+| `spicedb_ratelimit_gossip_connection_errors_total` | Counter | Connection failures |
+
+Monitor the `spicedb_ratelimit_gossip_peers_active` metric to ensure gossip coordination is healthy.
+
+### Troubleshooting
+
+#### Rate Limits Not Applied
+
+- Verify the configuration file is being loaded with `--rate-limit-config`
+- Check logs for configuration parsing errors
+- Ensure match criteria are correctly specified (arrays for endpoints, service accounts, etc.)
+
+#### Gossip Connectivity Issues
+
+- Verify the gossip port (default `:6000`) is accessible between pods
+- Check TLS configuration if using encrypted gossip
+- Monitor `spicedb_ratelimit_gossip_peers_active` - should equal `replicas - 1`
+- Review `spicedb_ratelimit_gossip_connection_errors_total` for connectivity problems
+
+#### Rate Limits Too Restrictive in Safe Mode
+
+- Increase `--rate-limit-gossip-replicas` if it doesn't match actual deployment
+- Fix gossip connectivity to enable coordinated mode
+- Consider adjusting base rate limits to account for safe mode operation
+
+#### CEL Expression Errors
+
+- Test CEL expressions with representative requests
+- Use `.get("key", "default")` for optional headers
+- Check logs for CEL evaluation errors
diff --git a/app/spicedb/concepts/commands/page.mdx b/app/spicedb/concepts/commands/page.mdx
index 8fd57da..e41f4eb 100644
--- a/app/spicedb/concepts/commands/page.mdx
+++ b/app/spicedb/concepts/commands/page.mdx
@@ -27,13 +27,12 @@ A database that stores and computes permissions
### Children commands
-- [spicedb datastore](#reference-spicedb-datastore) - datastore operations
-- [spicedb lsp](#reference-spicedb-lsp) - serve language server protocol
-- [spicedb man](#reference-spicedb-man) - Generate man page
-- [spicedb serve](#reference-spicedb-serve) - serve the permissions database
-- [spicedb serve-testing](#reference-spicedb-serve-testing) - test server with an in-memory datastore
-- [spicedb version](#reference-spicedb-version) - displays the version of SpiceDB
-
+- [spicedb datastore](#reference-spicedb-datastore) - datastore operations
+- [spicedb lsp](#reference-spicedb-lsp) - serve language server protocol
+- [spicedb man](#reference-spicedb-man) - Generate man page
+- [spicedb serve](#reference-spicedb-serve) - serve the permissions database
+- [spicedb serve-testing](#reference-spicedb-serve-testing) - test server with an in-memory datastore
+- [spicedb version](#reference-spicedb-version) - displays the version of SpiceDB
## Reference: `spicedb datastore`
@@ -49,11 +48,10 @@ Operations against the configured datastore
### Children commands
-- [spicedb datastore gc](#reference-spicedb-datastore-gc) - executes garbage collection
-- [spicedb datastore head](#reference-spicedb-datastore-head) - compute the head (latest) database migration revision available
-- [spicedb datastore migrate](#reference-spicedb-datastore-migrate) - execute datastore schema migrations
-- [spicedb datastore repair](#reference-spicedb-datastore-repair) - executes datastore repair
-
+- [spicedb datastore gc](#reference-spicedb-datastore-gc) - executes garbage collection
+- [spicedb datastore head](#reference-spicedb-datastore-head) - compute the head (latest) database migration revision available
+- [spicedb datastore migrate](#reference-spicedb-datastore-migrate) - execute datastore schema migrations
+- [spicedb datastore repair](#reference-spicedb-datastore-repair) - executes datastore repair
## Reference: `spicedb datastore gc`
@@ -148,8 +146,6 @@ spicedb datastore gc [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb datastore head`
compute the head (latest) database migration revision available
@@ -181,8 +177,6 @@ spicedb datastore head [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb datastore migrate`
Executes datastore schema migrations for the datastore.
@@ -222,8 +216,6 @@ spicedb datastore migrate [revision] [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb datastore repair`
Executes a repair operation for the datastore
@@ -317,8 +309,6 @@ spicedb datastore repair [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb lsp`
serve language server protocol
@@ -342,12 +332,10 @@ spicedb lsp [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb man`
Generate a man page for SpiceDB.
- The output can be redirected to a file and installed to the system:
+The output can be redirected to a file and installed to the system:
```
spicedb man > spicedb.1
@@ -355,7 +343,6 @@ Generate a man page for SpiceDB.
sudo mandb # Update man page database
```
-
```
spicedb man
```
@@ -368,8 +355,6 @@ spicedb man
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb serve`
start a SpiceDB server
@@ -558,8 +543,6 @@ spicedb serve [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb serve-testing`
An in-memory spicedb server which serves completely isolated datastores per client-supplied auth token used.
@@ -621,8 +604,6 @@ spicedb serve-testing [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb version`
displays the version of SpiceDB
@@ -644,6 +625,3 @@ spicedb version [flags]
--log-level string verbosity of logging ("trace", "debug", "info", "warn", "error") (default "info")
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
-
diff --git a/app/spicedb/getting-started/installing-zed/page.mdx b/app/spicedb/getting-started/installing-zed/page.mdx
index f3e00d0..72d0a89 100644
--- a/app/spicedb/getting-started/installing-zed/page.mdx
+++ b/app/spicedb/getting-started/installing-zed/page.mdx
@@ -1,4 +1,4 @@
-import { Callout } from 'nextra/components'
+import { Callout } from "nextra/components";
# Installing Zed
@@ -123,7 +123,6 @@ You can find more commands for tasks such as testing, linting in the repository'
[CONTRIBUTING.md]: https://github.com/authzed/zed/blob/main/CONTRIBUTING.md
-
## Reference: `zed`
A command-line client for managing SpiceDB clusters.
@@ -161,17 +160,16 @@ zed permission check --explain document:firstdoc writer user:emilia
### Children commands
-- [zed backup](#reference-zed-backup) - Create, restore, and inspect permissions system backups
-- [zed context](#reference-zed-context) - Manage configurations for connecting to SpiceDB deployments
-- [zed import](#reference-zed-import) - Imports schema and relationships from a file or url
-- [zed mcp](#reference-zed-mcp) - MCP (Model Context Protocol) server commands
-- [zed permission](#reference-zed-permission) - Query the permissions in a permissions system
-- [zed relationship](#reference-zed-relationship) - Query and mutate the relationships in a permissions system
-- [zed schema](#reference-zed-schema) - Manage schema for a permissions system
-- [zed use](#reference-zed-use) - Alias for `zed context use`
-- [zed validate](#reference-zed-validate) - Validates the given validation file (.yaml, .zaml) or schema file (.zed)
-- [zed version](#reference-zed-version) - Display zed and SpiceDB version information
-
+- [zed backup](#reference-zed-backup) - Create, restore, and inspect permissions system backups
+- [zed context](#reference-zed-context) - Manage configurations for connecting to SpiceDB deployments
+- [zed import](#reference-zed-import) - Imports schema and relationships from a file or url
+- [zed mcp](#reference-zed-mcp) - MCP (Model Context Protocol) server commands
+- [zed permission](#reference-zed-permission) - Query the permissions in a permissions system
+- [zed relationship](#reference-zed-relationship) - Query and mutate the relationships in a permissions system
+- [zed schema](#reference-zed-schema) - Manage schema for a permissions system
+- [zed use](#reference-zed-use) - Alias for `zed context use`
+- [zed validate](#reference-zed-validate) - Validates the given validation file (.yaml, .zaml) or schema file (.zed)
+- [zed version](#reference-zed-version) - Display zed and SpiceDB version information
## Reference: `zed backup`
@@ -210,13 +208,12 @@ zed backup [flags]
### Children commands
-- [zed backup create](#reference-zed-backup-create) - Backup a permission system to a file
-- [zed backup parse-relationships](#reference-zed-backup-parse-relationships) - Extract the relationships from a backup file
-- [zed backup parse-revision](#reference-zed-backup-parse-revision) - Extract the revision from a backup file
-- [zed backup parse-schema](#reference-zed-backup-parse-schema) - Extract the schema from a backup file
-- [zed backup redact](#reference-zed-backup-redact) - Redact a backup file to remove sensitive information
-- [zed backup restore](#reference-zed-backup-restore) - Restore a permission system from a file
-
+- [zed backup create](#reference-zed-backup-create) - Backup a permission system to a file
+- [zed backup parse-relationships](#reference-zed-backup-parse-relationships) - Extract the relationships from a backup file
+- [zed backup parse-revision](#reference-zed-backup-parse-revision) - Extract the revision from a backup file
+- [zed backup parse-schema](#reference-zed-backup-parse-schema) - Extract the schema from a backup file
+- [zed backup redact](#reference-zed-backup-redact) - Redact a backup file to remove sensitive information
+- [zed backup restore](#reference-zed-backup-restore) - Restore a permission system from a file
## Reference: `zed backup create`
@@ -253,8 +250,6 @@ zed backup create [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed backup parse-relationships`
Extract the relationships from a backup file
@@ -288,8 +283,6 @@ zed backup parse-relationships [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed backup parse-revision`
Extract the revision from a backup file
@@ -317,8 +310,6 @@ zed backup parse-revision
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed backup parse-schema`
Extract the schema from a backup file
@@ -353,8 +344,6 @@ zed backup parse-schema [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed backup redact`
Redact a backup file to remove sensitive information
@@ -391,8 +380,6 @@ zed backup redact [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed backup restore`
Restore a permission system from a file
@@ -432,8 +419,6 @@ zed backup restore [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed context`
Manage configurations for connecting to SpiceDB deployments
@@ -459,11 +444,10 @@ Manage configurations for connecting to SpiceDB deployments
### Children commands
-- [zed context list](#reference-zed-context-list) - Lists all available contexts
-- [zed context remove](#reference-zed-context-remove) - Removes a context by name
-- [zed context set](#reference-zed-context-set) - Creates or overwrite a context
-- [zed context use](#reference-zed-context-use) - Sets a context as the current context
-
+- [zed context list](#reference-zed-context-list) - Lists all available contexts
+- [zed context remove](#reference-zed-context-remove) - Removes a context by name
+- [zed context set](#reference-zed-context-set) - Creates or overwrite a context
+- [zed context use](#reference-zed-context-use) - Sets a context as the current context
## Reference: `zed context list`
@@ -498,8 +482,6 @@ zed context list [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed context remove`
Removes a context by name
@@ -527,8 +509,6 @@ zed context remove
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed context set`
Creates or overwrite a context
@@ -556,8 +536,6 @@ zed context set
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed context use`
Sets a context as the current context
@@ -585,8 +563,6 @@ zed context use
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed import`
Imports schema and relationships from a file or url
@@ -657,8 +633,6 @@ zed import [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed mcp`
MCP (Model Context Protocol) server commands.
@@ -688,8 +662,7 @@ To use with Claude Code, run `zed mcp experimental-run` to start the SpiceDB Dev
### Children commands
-- [zed mcp experimental-run](#reference-zed-mcp-experimental-run) - Run the Experimental MCP server
-
+- [zed mcp experimental-run](#reference-zed-mcp-experimental-run) - Run the Experimental MCP server
## Reference: `zed mcp experimental-run`
@@ -724,8 +697,6 @@ zed mcp experimental-run [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed permission`
Query the permissions in a permissions system
@@ -751,12 +722,11 @@ Query the permissions in a permissions system
### Children commands
-- [zed permission bulk](#reference-zed-permission-bulk) - Check permissions in bulk exist for resource-permission-subject triplets
-- [zed permission check](#reference-zed-permission-check) - Check if a subject has permission on a resource
-- [zed permission expand](#reference-zed-permission-expand) - Expand the structure of a permission
-- [zed permission lookup-resources](#reference-zed-permission-lookup-resources) - Enumerates the resources of a given type for which a subject has permission
-- [zed permission lookup-subjects](#reference-zed-permission-lookup-subjects) - Enumerates the subjects of a given type for which the subject has permission on the resource
-
+- [zed permission bulk](#reference-zed-permission-bulk) - Check permissions in bulk exist for resource-permission-subject triplets
+- [zed permission check](#reference-zed-permission-check) - Check if a subject has permission on a resource
+- [zed permission expand](#reference-zed-permission-expand) - Expand the structure of a permission
+- [zed permission lookup-resources](#reference-zed-permission-lookup-resources) - Enumerates the resources of a given type for which a subject has permission
+- [zed permission lookup-subjects](#reference-zed-permission-lookup-subjects) - Enumerates the subjects of a given type for which the subject has permission on the resource
## Reference: `zed permission bulk`
@@ -798,8 +768,6 @@ zed permission bulk [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed permission expand`
Expand the structure of a permission
@@ -881,8 +847,6 @@ zed permission expand [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed permission lookup-resources`
Enumerates the resources of a given type for which a subject has permission
@@ -925,8 +889,6 @@ zed permission lookup-resources [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed permission lookup-subjects`
Enumerates the subjects of a given type for which the subject has permission on the resource
@@ -966,8 +928,6 @@ zed permission lookup-subjects [flags]
zed preview schema compile root.zed
Write to an output file:
zed preview schema compile root.zed --out compiled.zed
-
+
```
### Options
@@ -1012,8 +972,6 @@ zed preview schema compile [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed relationship`
Query and mutate the relationships in a permissions system
@@ -1039,13 +997,12 @@ Query and mutate the relationships in a permissions system
### Children commands
-- [zed relationship bulk-delete](#reference-zed-relationship-bulk-delete) - Deletes relationships matching the provided pattern en masse
-- [zed relationship create](#reference-zed-relationship-create) - Create a relationship for a subject
-- [zed relationship delete](#reference-zed-relationship-delete) - Deletes a relationship
-- [zed relationship read](#reference-zed-relationship-read) - Enumerates relationships matching the provided pattern
-- [zed relationship touch](#reference-zed-relationship-touch) - Idempotently updates a relationship for a subject
-- [zed relationship watch](#reference-zed-relationship-watch) - Watches the stream of relationship updates and schema updates from the server
-
+- [zed relationship bulk-delete](#reference-zed-relationship-bulk-delete) - Deletes relationships matching the provided pattern en masse
+- [zed relationship create](#reference-zed-relationship-create) - Create a relationship for a subject
+- [zed relationship delete](#reference-zed-relationship-delete) - Deletes a relationship
+- [zed relationship read](#reference-zed-relationship-read) - Enumerates relationships matching the provided pattern
+- [zed relationship touch](#reference-zed-relationship-touch) - Idempotently updates a relationship for a subject
+- [zed relationship watch](#reference-zed-relationship-watch) - Watches the stream of relationship updates and schema updates from the server
## Reference: `zed relationship bulk-delete`
@@ -1082,8 +1039,6 @@ zed relationship bulk-delete <
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed relationship touch`
Idempotently updates a relationship for a subject
@@ -1262,8 +1211,6 @@ zed relationship touch [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed schema diff`
Diff two schema files
@@ -1407,8 +1349,6 @@ zed schema diff
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed schema read`
Read the schema of a permissions system
@@ -1442,8 +1382,6 @@ zed schema read [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed schema write`
Write a schema file (.zed or stdin) to the current permissions system
@@ -1489,8 +1427,6 @@ zed schema write [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed use`
Alias for `zed context use`
@@ -1518,8 +1454,6 @@ zed use
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed validate`
Validates the given validation file (.yaml, .zaml) or schema file (.zed)
@@ -1578,8 +1512,6 @@ zed validate [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed version`
Display zed and SpiceDB version information
@@ -1613,6 +1545,3 @@ zed version [flags]
--skip-version-check if true, no version check is performed against the server
--token string token used to authenticate to SpiceDB
```
-
-
-
diff --git a/wordlist.txt b/wordlist.txt
index 85c64af..bbcb11b 100644
--- a/wordlist.txt
+++ b/wordlist.txt
@@ -99,6 +99,7 @@ Fatalf
FdV
Firehose
FontAwesomeIcon
+GCRA
GC
GCP
GKE
@@ -553,7 +554,10 @@ pseudocode
py
qiqBPvCrlLuc
qux
+QUIC
+quic
radius
+ratelimit
randomizer
rb
reachability
@@ -610,6 +614,8 @@ substring
sudo
svg
systemCerts
+TAT
+tat
tc
testpresharedkey
th