$HEADLESS SYSTEMS

AuthZed

Band: C
Headless Index: 43/100 (denominator 40)
JAIRF: N/A
Verified: MAY 21, 2026
Methodology v1 · JAIRF v1.0.0

Powered by JAIRF v1.0.0 by Jentic · open methodology at /the-headless-index/methodology

Editorial verdict
AuthZed is partially headless and partly UI-led. The Headless Index thesis-fit score of 43/100 puts it mid-table on the index, and JAIRF is recorded as N/A for this vendor because no public OpenAPI specification was reachable for the open-source scorer. In practice, vendors at this tier are partly machine-consumable: the core flows are reachable through code but several adjacent surfaces still expect a human at a dashboard, and the rest of this verdict explains where AuthZed lands inside that pattern.

On the API surface, the question is whether the API is the product or a layer beneath the dashboard. AuthZed publishes SpiceDB, the open-source database implementing Google's Zanzibar fine-grained authorization paper. The gRPC API plus REST gateway plus zed CLI cover relationships, schemas (relationships-as-code), permission checks, and watch streams. SDKs are available in Java, Go, Python, Node, .NET, Ruby, and PHP. The product is permissions infrastructure with an explicitly API-first contract.[1]

Schema observability is the related test: can an agent introspect the contract from cold, or does it have to read prose documentation to do so? Protobuf definitions plus REST gateway are documented at authzed.com/docs. The .zed schema language is itself machine-readable. An agent can drive parts of this product, but not all of it: integrators should plan for human-in-the-loop checkpoints where the headless surface stops short.

On headless operability, the docs crawl did not produce topic coverage sufficient to score programmatic setup, billing, teams, schema, or CLI workflows. A targeted AI review pass should visit the vendor's docs index and confirm what programmatic surfaces actually exist.[2]

On the MCP and agent-integration axis, which is the fastest-moving criterion in the index, no official MCP server was detected in the vendor's GitHub organization and no community server was published to the MCP registry under their name. This may change rapidly given the recent MCP adoption curve.[3]

Event posture closes the loop: an agent that cannot react to state changes is reduced to polling. On webhooks and events, the docs crawler did not locate a webhooks reference page or events catalog. Editorial review should confirm whether the vendor publishes events at all, and if so whether signing and replay are documented.

Net assessment: integrators can build agent flows against AuthZed, but the rough edge to plan around is schema observability[4]. Expect to wrap missing pieces in bespoke glue or accept human-in-the-loop checkpoints. Workable but requires scaffolding.
Verdict by Headless Index pipeline (auto)
// AI-drafted from the evidence layer. Editorial review pending.
Scorecard detail

Headless Index · 5 sub-criteria
API-first design intent · 12/20 (scored)

AuthZed publishes SpiceDB, the open-source database implementing Google's Zanzibar fine-grained authorization paper. The gRPC API plus REST gateway plus zed CLI cover relationships, schemas (relationships-as-code), permission checks, and watch streams. SDKs are available in Java, Go, Python, Node, .NET, Ruby, and PHP. The product is permissions infrastructure with an explicitly API-first contract.

signals (6)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • OpenAPI spec: Not found across 18 probe paths
  • GraphQL endpoint: Not discovered (5 probes; project-scoped endpoints require a real project ID)
  • + SDKs maintained: 8 (dotnet, go, java, javascript, python, ruby); top by stars: authzed/authzed-go (102 stars)
  • + SDK recency: 7 of 8 SDK repos pushed within 30 days (most recent SDK commit: 2026-05-13)
  • + npm weekly downloads: 137.6k across published packages; top: @authzed/authzed-node @ 137.6k/week
cite (5)
  • openapi.probes_tried@2026-05-20
  • graphql.probes_tried@2026-05-20
  • github.sdks@2026-05-20
  • freshness.most_recent_sdk_commit@2026-05-20
  • github.sdks@2026-05-20
Headless operation · Unknown

Schemas (the .zed authorization model), relationships, permission checks, lookup queries, and watch subscriptions are all programmable. The zed CLI is first-class. Self-host (SpiceDB binary, Kubernetes operator, Helm chart) plus AuthZed Cloud share the same API.

signals (9)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • API operations exposed: No OpenAPI spec; operations count unknown
  • · Docs pages crawled: 0 pages (crawler: none)
  • · Auth schemes documented: Auth documentation page not reached by crawler
  • · Setup / quickstart docs: Not reached by crawler
  • · Billing docs: Not reached by crawler
  • · Teams / org docs: Not reached by crawler
  • · CLI docs: Not reached by crawler
  • · Schema / data model docs: Not reached by crawler
cite (8)
  • openapi.operations_count@2026-05-20
  • docs.pages_crawled@2026-05-20
  • docs.pages_crawled@2026-05-20
  • docs.topics_found.setup@2026-05-20
  • docs.topics_found.billing@2026-05-20
  • docs.topics_found.teams@2026-05-20
  • docs.topics_found.cli@2026-05-20
  • docs.topics_found.schema@2026-05-20
MCP & agent posture · Unknown

No first-party AuthZed MCP server. The product is authorization infrastructure; agent integration is typically downstream (an agent calling a tool that checks AuthZed permissions). The gRPC contract maps cleanly to MCP if a wrapper is published.

signals (2)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • · MCP detector status: Timed out during collection (likely GitHub search API rate limit without GITHUB_TOKEN). No verified evidence about MCP presence.
cite (1)
  • mcp.registry_query@2026-05-20
Schema observability · 5/20 (scored)

Protobuf definitions plus REST gateway documented at authzed.com/docs. The .zed schema language is itself machine-readable. A canonical OpenAPI URL is exposed for the REST gateway; agent introspection is solid through both the proto contract and the OpenAPI surface.

signals (3)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • OpenAPI: Not discovered across 18 standard probe paths
  • GraphQL introspection: No GraphQL endpoint discovered (5 probes; some vendors use project-scoped endpoints that require a real project handle)
cite (2)
  • openapi.probes_tried@2026-05-20
  • graphql.probes_tried@2026-05-20
Webhooks & events · Unknown

SpiceDB watch streams deliver permission-graph changes through gRPC subscriptions rather than HTTP webhooks. This is unusual for the category but appropriate: authorization changes are typically consumed inside the request-time path, not via async webhook delivery.

signals (2)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • · Webhook docs page: Not reached by crawler within budget (0 pages crawled). Cannot confirm whether vendor offers webhooks.
cite (1)
  • docs.pages_crawled@2026-05-20
JAIRF · 6 dimensions
JAIRF · N/A

This vendor does not publish a public OpenAPI specification. JAIRF cannot be computed. The Headless Index score and editorial verdict carry the readiness assessment.

No public OpenAPI specification discovered during collection

Band rationale: C band: scores 40-75 range
