## Frontegg ReBac Engine Setup

The Frontegg **Relationship-Based Access Control (ReBac)** engine provides fine-grained authorization for your application. This guide covers setting up the ReBac engine for both local development and production environments.

New Architecture
This setup uses the latest ReBac architecture powered by **SpiceDB**. The sync job continuously synchronizes your authorization schema and relationships from Frontegg to your local SpiceDB instance. For migration from the legacy Entitlements Agent, see the [Migration Guide](/ciam/guides/authorization/entitlements/agent/migration).

## Architecture

| Component | Role |
|  --- | --- |
| **Frontegg Cloud** | Stores entity types, relations, and assignments |
| **Sync Job** | Pulls data from Frontegg → writes to SpiceDB (every 60s) |
| **SpiceDB** | Evaluates permission checks locally |
| **Your App** | Uses SDK to query SpiceDB for authorization decisions |


**Data Flow:**
`Frontegg Cloud` → `Sync Job` → `SpiceDB` ← `Your App (SDK)`

## Prerequisites

### All Environments

- Frontegg account with **ReBac feature enabled**
- Frontegg credentials (**Client ID** and **API Key**)
- **Node.js** v18+ (for SDK integration)


### Local Development Only

- **Docker** and **Docker Compose** ([Get Docker](https://docs.docker.com/get-started/get-docker/))


Why Docker for Local?
Docker Compose runs the full ReBac stack locally (CockroachDB, SpiceDB, Sync Job) with a single command. This eliminates the need to install and configure each component separately.

### Production Only

- **Container runtime** (Docker, Kubernetes, or your preferred orchestration platform)
- Existing **SpiceDB** instance (self-hosted or managed)
- Optional: **Helm** v3+ ([Install Helm](https://helm.sh/docs/intro/install/))


## Supported Versions

| Component | Version | Notes |
|  --- | --- | --- |
| SpiceDB | v1.42.1+ | Authorization engine |
| Zed CLI | v0.30.2+ | SpiceDB management CLI |
| @frontegg/e10s-client | v0.1.1+ | Node.js SDK |
| Node.js | v18+ | Runtime requirement |


## Local Development Setup

### Step 1: Get Your Credentials

You'll need the following environment variables:

| Variable | Description | Where to Find |
|  --- | --- | --- |
| `FRONTEGG_CLIENT_ID` | Your environment's Client ID | Portal → **Keys & domains** |
| `FRONTEGG_CLIENT_SECRET` | Your environment's API Key | Portal → **Keys & domains** |


br
![Env settings](/assets/manage-settings.048aa22ed02a6efcff729e98b31dec778cbacc261eaa9853bf9a9c801bff7679.71ab04f0.png)

br
### Step 2: Create Environment File

Create a `.env` file in your project root:


```shell
# Required Frontegg Configuration
FRONTEGG_CLIENT_ID=your-client-id
FRONTEGG_CLIENT_SECRET=your-api-key
FRONTEGG_URL=https://api.frontegg.com

# SpiceDB Configuration (defaults work for local development)
SPICEDB_GRPC_PRESHARED_KEY=spicedb
```

### Step 3: Create Docker Compose File

Create a `docker-compose.yml` file with the ReBac engine stack:


```yaml
version: "3.8"

services:
  spicedb-cockroachdb:
    image: cockroachdb/cockroach:latest
    ports:
      - "26257:26257"
    volumes:
      - spicedb-cockroachdb-data:/cockroach/cockroach-data
    command: ["start-single-node", "--insecure"]
    healthcheck:
      test: ["CMD", "/cockroach/cockroach", "sql", "--insecure", "--execute", "SELECT 1"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s
    environment:
      - PGUSER=root
      - PGPASSWORD=password
      - PGDATABASE=spicedb

  spicedb-create-db:
    image: cockroachdb/cockroach:latest
    command: ["sql", "--insecure", "--host=spicedb-cockroachdb:26257", "--execute=CREATE DATABASE IF NOT EXISTS spicedb;"]
    depends_on:
      spicedb-cockroachdb:
        condition: service_healthy
    restart: "no"

  spicedb-migrate:
    image: authzed/spicedb:v1.42.1
    command: ["datastore", "migrate", "head", "--datastore-engine=cockroachdb", "--datastore-conn-uri=postgres://root:password@spicedb-cockroachdb:26257/spicedb?sslmode=disable"]
    depends_on:
      spicedb-create-db:
        condition: service_completed_successfully
    restart: "no"

  spicedb:
    image: authzed/spicedb:v1.42.1
    ports:
      - "50051:50051"
    volumes:
      - spicedb-data:/data
    command: ["serve", "--datastore-engine=cockroachdb", "--datastore-conn-uri=postgres://root:password@spicedb-cockroachdb:26257/spicedb?sslmode=disable", "--log-level=info"]
    environment:
      - SPICEDB_GRPC_PRESHARED_KEY=${SPICEDB_GRPC_PRESHARED_KEY:-spicedb}
    healthcheck:
      test: ["CMD", "pgrep", "-f", "spicedb"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    depends_on:
      spicedb-migrate:
        condition: service_completed_successfully
      spicedb-cockroachdb:
        condition: service_healthy

  spicedb-sync:
    image: frontegg/entitlements-engine:latest
    environment:
      - FRONTEGG_CLIENT_ID=${FRONTEGG_CLIENT_ID}
      - FRONTEGG_CLIENT_SECRET=${FRONTEGG_CLIENT_SECRET}
      - FRONTEGG_URL=${FRONTEGG_URL:-https://api.frontegg.com}
      - SPICEDB_ADDRESS=spicedb:50051
      - SPICEDB_GRPC_PRESHARED_KEY=${SPICEDB_GRPC_PRESHARED_KEY:-spicedb}
    volumes:
      - spicedb-sync-logs:/var/log/spicedb-sync
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "pgrep", "-f", "sync-loop.sh"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    depends_on:
      - spicedb
      - spicedb-cockroachdb

volumes:
  spicedb-data:
  spicedb-sync-logs:
  spicedb-cockroachdb-data:
```

### Step 4: Start the ReBac Engine

Run the following command to start all services:


```shell
docker compose up -d
```

The sync job will automatically start fetching your authorization schema and relationships from Frontegg every **60 seconds**.

### Step 5: Verify Setup

Check that all services are running:


```shell
docker compose ps
```

You should see all services in a healthy state. The SpiceDB gRPC endpoint is now available at `localhost:50051`.

## Production Setup

The sync job runs as a container that connects to your SpiceDB instance. You can deploy it using any container orchestration platform. Below is an example using Helm charts for Kubernetes.

### Step 1: Add Frontegg Helm Repository


```shell
helm repo add frontegg https://charts.frontegg.com
helm repo update
```

### Step 2: Create Values File

Create a `values.yaml` file with your configuration:


```yaml
name: entitlements-engine
team: your-team

envID: production

image:
  repository: "frontegg/entitlements-engine"
  tag: "latest-withloop"

imagePullSecrets:
  - name: regcred

worker:
  enabled: true
  containerName: entitlements-engine
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
    targetCPUUtilizationPercentage: 70
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1024Mi

configmap:
  data:
    spicedbAddress: 'your-spicedb-address:50051'
    spicedbPresharedKey: "your-preshared-key"

externalSecret:
  enabled: true
  data:
    FRONTEGG_CLIENT_ID: "your-client-id"
    FRONTEGG_CLIENT_SECRET: "your-api-key"
```

### Step 3: Deploy with Helm


```shell
helm install entitlements-engine frontegg/entitlements-engine \
  -f values.yaml \
  --namespace entitlements \
  --create-namespace
```

### Recommended Rate Limits

For production environments, we recommend the following rate limits:

| Operation | Recommended Limit | Notes |
|  --- | --- | --- |
| Check Permissions | 10,000 req/min | Per SpiceDB instance |
| Lookup Resources | 1,000 req/min | Pagination recommended |
| Lookup Subjects | 1,000 req/min | Pagination recommended |


## SDK Integration

Once the ReBac engine is running, integrate the SDK into your application to perform permission checks.

For complete SDK documentation including installation, initialization, and query examples, see the [Node.js SDK Guide](/ciam/guides/authorization/entitlements/agent/nodejs).

## Creating Relations via Frontegg API

Relations between entities are managed through the Frontegg API. The sync job automatically synchronizes these to your local SpiceDB instance.

For complete API documentation including assign, unassign, and list operations, see the [Relations API Reference](https://developers.frontegg.com/api/entitlements).

Sync Delay
Relations created via the API are synchronized to your SpiceDB instance within **60 seconds** (default sync interval).

## Health Checks

### SpiceDB Health


```shell
grpcurl -plaintext localhost:50051 grpc.health.v1.Health/Check
```

### Sync Job Health

The sync job container exposes a health check that verifies the sync loop is running:


```shell
docker exec spicedb-sync pgrep -f sync-loop.sh
```

## Next Steps

- [ReBac Configuration](/ciam/guides/authorization/rebac) - Define entity types and configure relations
- [Migration Guide](/ciam/guides/authorization/entitlements/agent/migration) - Migrate from legacy Entitlements Agent