At AuthZed, we believe there’s a time and place for every piece of technology; the tricky part is determining whether your use case actually is that time and place. For many years, domain experts have argued strongly against using JWTs for web sessions. While that campaign has helped improve the security of the web frontend, there hasn’t been an equivalent campaign for the backend. While building [SpiceDB](https://github.com/authzed/spicedb), we’ve surveyed many backend developers only to find that many don’t know the pitfalls of JWTs, or even that alternatives exist. SpiceDB is an open source project that implements one such alternative, called _centralized authorization_. Because of this, I’ll be sure to include exactly how a centralized strategy accounts for each of the pitfalls of JWTs, too!
What is Google Zanzibar? Why did they build it? And why is it important? I'll break down and answer those questions based on the research paper and from our experience building SpiceDB, the open source, fine-grained permissions database inspired by Google Zanzibar.