Extenders

Enterprise builds of SpiceDB support additional behavior provided by an extension point called Extender.

Extenders include:

Both Cloud and Dedicated provide dashboards for configuring functionality powered by Extenders, but you might be interested to learn more if you're exploring Self-Hosted.

Flags

Flag	Description	Default
--extender-audit-batch-size-limit	defines the maximum number of audit events to be processed as a unit	`10000`
--extender-audit-buffer-size	defines the size of the audit log buffer that holds events to be processed by workers	`1000000`
--extender-audit-buffer-window	defines maximum amount of time events are buffered before being pushed	`1s`
--extender-audit-disabled-on-methods strings	list of comma-separated, fully-qualified API methods to disable events for. Watch API is always excluded (e.g. `/authzed.api.v1.PermissionsService/CheckPermission`)
--extender-audit-initial-retry-interval duration	sets the first retry backoff in case of a failure to push audit events to the backend	`1s`
--extender-audit-max-retry-interval duration	sets the maximum backoff duration in case of failure to push events	`30s`
--extender-audit-retry-randomizer-factor	sets the randomization factor for the backoff duration - this helps prevent thundering herds on event push errors	`0.5`
--extender-audit-stream-name	defines the name of the target stream/topic (e.g. Kafka Topic, Kinesis Stream...)	`spicedb`
--extender-audit-target-configuration	target-type specific configuration	`[]`
--extender-audit-target-endpoint-url string	defines the URL of target endpoint to ingest audit events. If left unspecified, some types will try to determine automatically (e.g. AWS SDK)
--extender-audit-target-type	defines the type of target to ingest audit events	`noop`
--extender-audit-worker-count	defines the number of worker goroutines to process audit events (default 5)
--extender-authzed-fgam-endpoint	defines the external SpiceDB endpoint used to authorize operations for the authzed-fgam extender. If a file:// endpoint is provided, server is run embedded with static configuration
--extender-authzed-fgam-preshared-key	defines the external SpiceDB preshared key used to authorize operations for the authzed-fgam extender. Ignored if endpoint is local (file://)
--extender-enabled	enables one or more extenders out of [authzed-fgam spicedb-enterprise-serverversion authzed-audit usage].

Expedited Support Feature Maturity