Docs Connect Components Inputs spicedb_watch spicedb_watch Available in: Cloud, Self-Managed Consumes messages from the Watch API of a SpiceDB instance. This input is useful if you have downstream applications that need to react to real-time changes in data managed by SpiceDB. Introduced in version 4.39.0. Common Advanced # Common configuration fields, showing default values input: label: "" spicedb_watch: endpoint: grpc.authzed.com:443 # No default (required) bearer_token: "" cache: "" # No default (required) # All configuration fields, showing default values input: label: "" spicedb_watch: endpoint: grpc.authzed.com:443 # No default (required) bearer_token: "" max_receive_message_bytes: 4MB cache: "" # No default (required) cache_key: authzed.com/spicedb/watch/last_zed_token tls: enabled: false skip_cert_verify: false enable_renegotiation: false root_cas: "" root_cas_file: "" client_certs: [] Authentication For this input to authenticate with your SpiceDB instance, you must provide: The endpoint of the SpiceDB instance A bearer token Configure a cache You must use a cache resource to store the ZedToken (ID) of the latest message consumed and acknowledged by this input. Ideally, the cache should persist across restarts. This means that every time the input is initialized, it starts reading from the newest data updates. The following example uses a redis cache. # Example input: label: "" spicedb_watch: endpoint: grpc.authzed.com:443 bearer_token: "" cache: "spicedb_cache" cache_resources: - label: "spicedb_cache" redis: url: redis://:6379 To learn more about cache configuration, see Resources and the Caches section, which includes a range of cache components. Fields bearer_token The SpiceDB bearer token to use to authenticate with your SpiceDB instance. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. Type: string Default: "" # Examples: bearer_token: t_your_token_here_1234567deadbeef cache The cache resource that you must configure to store the ZedToken (ID) of the last message processed. The ZedToken is stored in the cache within the ACK function of the message. This means that a ZedToken is only stored when a message is successfully routed through all processors and outputs in the data pipeline. Type: string cache_key The key identifier to use when storing the ZedToken (ID) of the last message received. Type: string Default: authzed.com/spicedb/watch/last_zed_token endpoint The endpoint of your SpiceDB instance. Type: string # Examples: endpoint: grpc.authzed.com:443 max_receive_message_bytes The maximum message size (in bytes) this input can receive. If a message exceeds this limit, an rpc error is written to the Redpanda Connect logs. Type: string Default: 4MB # Examples: max_receive_message_bytes: 100MB max_receive_message_bytes: 50mib tls Override system defaults with custom TLS settings. Type: object tls.client_certs[] A list of client certificates to use. For each certificate specify values for either the cert and key fields, or cert_file and key_file fields. Type: object Default: [] # Examples: client_certs: - cert: foo key: bar - cert_file: ./example.pem key_file: ./example.key tls.client_certs[].cert A plain text certificate to use. Type: string Default: "" tls.client_certs[].cert_file The path of a certificate to use. Type: string Default: "" tls.client_certs[].key A plain text certificate key to use. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. Type: string Default: "" tls.client_certs[].key_file The path of a certificate key to use. Type: string Default: "" tls.client_certs[].password A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format. Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. Type: string Default: "" # Examples: password: foo password: ${KEY_PASSWORD} tls.enable_renegotiation Whether to allow the remote server to request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation. Requires version 3.45.0 or later. Type: bool Default: false tls.enabled Whether custom TLS settings are enabled. Type: bool Default: false tls.root_cas Specify a certificate authority to use (optional). This is a string that represents a certificate chain from the parent trusted root certificate, through possible intermediate signing certificates, to the host certificate. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. Type: string Default: "" # Examples: root_cas: |- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- tls.root_cas_file Specify the path to a root certificate authority file (optional). This is a file, often with a .pem extension, which contains a certificate chain from the parent trusted root certificate, through possible intermediate signing certificates, to the host certificate.certificate. Type: string Default: "" # Examples: root_cas_file: ./root_cas.pem tls.skip_cert_verify Whether to skip server-side certificate verification. Type: bool Default: false Back to top × Simple online edits For simple changes, such as fixing a typo, you can edit the content directly on GitHub. Edit on GitHub Or, open an issue to let us know about something that you want us to change. Open an issue Contribution guide For extensive content updates, or if you prefer to work locally, read our contribution guide . Was this helpful? thumb_up thumb_down group Ask in the community mail Share your feedback group_add Make a contribution 🎉 Thanks for your feedback! socket_server splunk