Connect

spicedb_watch

Available in: Cloud, Self-Managed

Consumes messages from the Watch API of a SpiceDB instance. This input is useful if you have downstream applications that need to react to real-time changes in data managed by SpiceDB.

Introduced in version 4.39.0.

  • Common

  • Advanced

inputs:
  label: ""
  spicedb_watch:
    endpoint: "" # No default (required)
    bearer_token: ""
    cache: "" # No default (required)
inputs:
  label: ""
  spicedb_watch:
    endpoint: "" # No default (required)
    bearer_token: ""
    max_receive_message_bytes: 4MB
    cache: "" # No default (required)
    cache_key: authzed.com/spicedb/watch/last_zed_token
    tls:
      enabled: false
      skip_cert_verify: false
      enable_renegotiation: false
      root_cas: ""
      root_cas_file: ""
      client_certs: []

Authentication

For this input to authenticate with your SpiceDB instance, you must provide:

Configure a cache

You must use a cache resource to store the ZedToken (ID) of the latest message consumed and acknowledged by this input. Ideally, the cache should persist across restarts. This means that every time the input is initialized, it starts reading from the newest data updates. The following example uses a redis cache.

# Example
input:
  label: ""
  spicedb_watch:
    endpoint: grpc.authzed.com:443
    bearer_token: ""
    cache: "spicedb_cache"
cache_resources:
  - label: "spicedb_cache"
    redis:
      url: redis://:6379

To learn more about cache configuration, see Resources and the Caches section, which includes a range of cache components.

Fields

bearer_token

The SpiceDB bearer token to use to authenticate with your SpiceDB instance.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples:
bearer_token: t_your_token_here_1234567deadbeef

cache

The cache resource that you must configure to store the ZedToken (ID) of the last message processed. The ZedToken is stored in the cache within the ACK function of the message. This means that a ZedToken is only stored when a message is successfully routed through all processors and outputs in the data pipeline.

Type: string

cache_key

The key identifier to use when storing the ZedToken (ID) of the last message received.

Type: string

Default: authzed.com/spicedb/watch/last_zed_token

endpoint

The endpoint of your SpiceDB instance.

Type: string

# Examples:
endpoint: grpc.authzed.com:443

max_receive_message_bytes

The maximum message size (in bytes) this input can receive. If a message exceeds this limit, an rpc error is written to the Redpanda Connect logs.

Type: string

Default: 4MB

# Examples:
max_receive_message_bytes: 100MB

# ---

max_receive_message_bytes: 50mib

tls

Configure Transport Layer Security (TLS) settings to secure network connections. This includes options for standard TLS as well as mutual TLS (mTLS) authentication where both client and server authenticate each other using certificates. Key configuration options include enabled to enable TLS, client_certs for mTLS authentication, root_cas/root_cas_file for custom certificate authorities, and skip_cert_verify for development environments.

Type: object

tls.client_certs[]

A list of client certificates for mutual TLS (mTLS) authentication. Configure this field to enable mTLS, authenticating the client to the server with these certificates.

You must set tls.enabled: true for the client certificates to take effect.

Certificate pairing rules: For each certificate item, provide either:

  • Inline PEM data using both cert and key or

  • File paths using both cert_file and key_file.

Mixing inline and file-based values within the same item is not supported.

Type: object

Default: []

# Examples:
client_certs:
  - cert: foo
    key: bar


# ---

client_certs:
  - cert_file: ./example.pem
    key_file: ./example.key

tls.client_certs[].cert

A plain text certificate to use.

Type: string

Default: ""

tls.client_certs[].cert_file

The path of a certificate to use.

Type: string

Default: ""

tls.client_certs[].key

A plain text certificate key to use.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

tls.client_certs[].key_file

The path of a certificate key to use.

Type: string

Default: ""

tls.client_certs[].password

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format.

Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples:
password: foo

# ---

password: ${KEY_PASSWORD}

tls.enable_renegotiation

Whether to allow the remote server to request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation.

Requires version 3.45.0 or later.

Type: bool

Default: false

tls.enabled

Whether custom TLS settings are enabled.

Type: bool

Default: false

tls.root_cas

Specify a root certificate authority to use (optional). This is a string that represents a certificate chain from the parent-trusted root certificate, through possible intermediate signing certificates, to the host certificate. Use either this field for inline certificate data or root_cas_file for file-based certificate loading.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples:
root_cas: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

tls.root_cas_file

Specify the path to a root certificate authority file (optional). This is a file, often with a .pem extension, which contains a certificate chain from the parent-trusted root certificate, through possible intermediate signing certificates, to the host certificate. Use either this field for file-based certificate loading or root_cas for inline certificate data.

Type: string

Default: ""

# Examples:
root_cas_file: ./root_cas.pem

tls.skip_cert_verify

Whether to skip server-side certificate verification. Set to true only for testing environments as this reduces security by disabling certificate validation. When using self-signed certificates or in development, this may be necessary, but should never be used in production. Consider using root_cas or root_cas_file to specify trusted certificates instead of disabling verification entirely.

Type: bool

Default: false