Happy slice of mcp pizzaMCP.pizza
Fire in da houseTop Tip:Paying $100+ per month for Perplexity, MidJourney, Runway, ChatGPT and other tools is crazy - get all your AI tools in one site starting at $15 per month with Galaxy AI Fire in da houseCheck it out free

spicedb-mcp

MCP.Pizza Chef: DGuhr

spicedb-mcp is an experimental MCP server that integrates SpiceDB with LLMs to answer access control and audit-related questions. It leverages SpiceDB's APIs like LookupSubjects, LookupResources, ReadRelationships, and CheckBulkPermissions to provide real-time, policy-driven access insights. Designed for security-focused workflows, it runs a SpiceDB environment via Docker Compose and supports clients like Claude Desktop for seamless LLM interaction.

Use This MCP server To

Query access permissions using natural language via LLMs Perform before-the-fact access audits with real-time data Lookup subjects and resources in SpiceDB through LLM queries Check bulk permissions programmatically via MCP integration Integrate access control insights into AI-driven workflows Test and prototype access control policies with LLM feedback

README

SpiceDB MCP-Server

This is a highly experimental Model Context Protocol Server to let your llm use SpiceDB to answer access- and before the fact audit-related questions (as defined by NIST in this PDF, Section 3.1.2.3). It spins up an example spicedb environment using docker compose, and then uses the MCP-C#-SDK and the SpiceDB-C#-SDK to call LookupSubjects, LookupResources, ReadRelationships and CheckBulkPermissions under the hood. I used Claude Desktop as MCP client, so you'll need a (free) account there, too, or use another client.

Accompanying Blogpost

You can find the accompanying Post here, walking you through the implementation, and adds some lessons learned. There are also some more broad thoughts on MCP security at the bottom you might find interesting. Feel free to reach out if you want to talk.

What it does

Here you can see an example of the output using Claude Desktop (this was done while developing, might not resemble the latest execution paths. Then again, determinism is not guaranteed altogether with AI, so who cares ;-) ):

Table view:

tableview.png

Graph view:

graphview.png

Running the Code

  • Install .net 9
  • cd SpiceDB-MCP and there, use dotnet run to start the code once. then break using e.g. ctrl+c.
  • add the appropriate config for Claude dekstop to integrate the server.

Claude config

You need to integrate the MCP server into Claude. On MacOS, you need a file claude_config.json located in ~/Library/Application\ Support/Claude/. If the file does not exist, create it. Then post / add the following json - change the Path to where the solution is located, for me it's for example /Users/dguhr/git/dguhr/SpiceDB-MCP/SpiceDB-MCP.

{
    "mcpServers": {
        "spicedb": {
            "command": "dotnet",
            "args": [
                "run",
                "--project",
                "/PATH/TO/SOLUTION",
                "--no-build"
            ],
            "env": {
                "SPICEDB_PSK": "testkey"
            }
        }
    }
}

Caution

As of now this project uses the MCP C#-SDK v0.1.0-preview.2 NuGet-Package. This package has a bug (or, maybe, the claude desktop client - see this Issue I created), so the spawned dotnet-processes DO NOT GET TERMINATED correctly. So after using, you want to run ps aux | grep dotnet or similar and kill the spawned dotnet processes.

Starting up a local SpiceDB environment with Model and Schema

The docker-compose.yaml loads the schema and test relations from the bootstrap folder, so all you need to do is

docker compose --env-file .env up -d

Startup

Start Claude desktop (free version suffices, you'd need an account though) as MCP client (or use another one, which is the nice part ;-)).

Ask e.g. the following questions:

  • who has access to document pay1?
  • What documents does the CTO have access to?
  • Who has access to search2?
  • Has smallteammember1 read-access to smallprojectdoc3 and smallprojectdoc1?
  • I wanna know who in my company has what permission to access what and why. Please visualize it as graph and as table.

Note that especially for the last question, the LLM often wants to use ReadRelationships and GetSchema only. I tried to mitigate that behaviour, but it still uses it a lot. Any description improvements are welcome ;-) Also note that sometimes it has problems creating a react-based graph (when it uses react). Indeterminism hooray. You can surely create a better prompt, telling it what library to use etc. - I'll leave that as an exercise for the reader.

p.s. Keep in mind this is an experiment, so the model may not be fully great. Didn't put much thought into it. You can change it with your model/relations by changing the contents of the yaml files in the bootstrap directory.

ZED CLI-usage

If you wanna use zed, install zed locally - see docs.

then set the context: zed context set dev :50051 "testkey" --insecure

then use it: zed context use dev

and make some calls, e.g. get the schema: zed schema read

or get all members of a team: zed permission lookup-subjects team:smallprojectteam member user

or get everyone who has access to a document: zed permission lookup-subjects document:pay1 view user

or check which documents a user has access to: zed permission lookup-resources document view user:CTO

Change code and see changes take effect

If you wanna build something out of this, make sure you run "dotnet run" in your console of choice after you made your changes, and restart Claude Desktop so it takes the new Version into account. This workflow feels bumpy, and I hope it gets improved in the future.

spicedb-mcp FAQ

How does spicedb-mcp interact with SpiceDB?
It uses SpiceDB's C# SDK to call key APIs like LookupSubjects and CheckBulkPermissions for access control queries.
What is required to run spicedb-mcp?
You need Docker Compose to spin up the SpiceDB environment and an MCP client like Claude Desktop to interact with the server.
Can spicedb-mcp handle real-time access control queries?
Yes, it processes live queries to provide up-to-date access and audit information.
Is spicedb-mcp production-ready?
No, it is highly experimental and intended for prototyping and exploration of MCP with SpiceDB.
Which MCP clients are compatible with spicedb-mcp?
It works with any MCP client, including Claude Desktop, and can be adapted to others.
Does spicedb-mcp support bulk permission checks?
Yes, it supports CheckBulkPermissions to evaluate multiple permissions efficiently.
Where can I learn more about spicedb-mcp implementation?
The accompanying blog post at innoq.com provides detailed insights and lessons learned.
How secure is spicedb-mcp?
Security considerations are discussed in the blog post, emphasizing scoped and observable model interactions.