Authzed’s Open Source Trojan Horse: How 4,500 GitHub Stars Became a Sales Team

Authzed reached 25 enterprise customers without outbound sales by making SpiceDB fully open source. Jacob Moshenko shares how 4,500 GitHub stars replaced traditional sales infrastructure.

Written By: Brett

Most companies open source a limited version of their product to generate leads. Jacob Moshenko gave away the entire thing.

In a recent episode of Category Visionaries, Jacob Moshenko, CEO and Co-founder of Authzed, explained how SpiceDB—their fully functional, production-grade authorization system—became the foundation of their entire go-to-market strategy. Not a stripped-down trial. Not a feature-limited community edition. The actual product that enterprises could run forever without paying a dollar.

“We have something like 4500 stars on GitHub now for our main open source product, SpiceDB,” Jake shared. Those stars weren’t vanity metrics or marketing fluff. They represented qualified prospects at various stages of a self-service evaluation process that replaced what most companies would call a sales team.

The Infrastructure Trust Problem

To understand why Authzed’s approach works, you need to understand the unique challenge of selling infrastructure software. Unlike SaaS applications where users can evaluate features through a demo, infrastructure requires deep technical integration into critical systems. No engineering team will adopt a black-box solution for authorization—the permissions layer that controls who can access what across their entire application.

Traditional sales tactics fail spectacularly in this context. Cold emails from SDRs trying to book demos with staff engineers generate more eye rolls than meetings. Product marketing that oversimplifies the technical complexity signals that the vendor doesn’t understand the problem. And freemium models with artificial limitations create friction exactly when engineers are trying to validate the solution.

Jake recognized this fundamental mismatch between how infrastructure companies typically sell and how infrastructure buyers actually evaluate. The solution wasn’t to fix the sales process—it was to eliminate it entirely by making the evaluation process completely self-service through open source.

Open Source as Sales Infrastructure

SpiceDB wasn’t released as an open-source project to generate awareness or build community goodwill. It was architected as the first stage of Authzed’s sales funnel. The difference is subtle but critical.

Most companies treat open source as top-of-funnel marketing. They release a limited version, hope it generates GitHub stars and blog mentions, then try to convert users to paid plans through feature gates or usage limits. The open-source project exists to feed the commercial product.

Authzed inverted this model. SpiceDB is the commercial product, just self-hosted. Jake described the customer journey: “They’ll come and they’ll find us through looking for authorization or looking for some kind of Google Zanzibar type thing. They’ll download our open source project, they’ll mess around with it for a little bit, and then they’ll decide they need support or they need the SaaS version of it.”

The key insight is what happens during that “mess around with it” phase. Engineers aren’t just kicking tires—they’re solving real authorization problems. They’re integrating SpiceDB into development environments. They’re testing it against their specific use cases. They’re running it in staging. Some are even deploying it to production.

By the time they reach out to Authzed’s commercial team, they’ve already completed technical validation. The sales conversation focuses entirely on managed hosting, enterprise support, and SLA guarantees—not whether the product works.

The Qualification Funnel

This approach creates a natural qualification mechanism that traditional sales processes struggle to replicate. Not everyone who downloads SpiceDB becomes a customer, but everyone who becomes a customer has already proven they understand the problem deeply enough to evaluate the solution.

Jake was explicit about who benefits from this model: “The people who really benefit most from our product are people who have already been burned once or twice trying to build something in house.” These aren’t curious developers casually exploring authorization options. They’re engineers who’ve experienced the pain of rebuilding permissions systems multiple times and are desperately seeking an alternative.

The open-source model filters for this exact profile. Junior engineers exploring authorization concepts might download SpiceDB, experiment briefly, and move on. That’s fine—they weren’t qualified buyers anyway. Senior engineers who’ve rebuilt authorization systems and recognize the patterns SpiceDB implements will invest the time to truly evaluate it. Those are the engineers who eventually become champions for adopting Authzed commercially.

The Economics of Giving It Away

The obvious question: why would anyone pay for something they can get free? Jake’s answer reveals sophisticated thinking about infrastructure economics.

First, running production infrastructure requires operational overhead. Even with open source, someone needs to maintain servers, handle upgrades, monitor performance, and respond to incidents. For companies with small engineering teams or limited infrastructure experience, this overhead exceeds the cost of a managed service.

Second, enterprise buyers value support and SLAs. When authorization is critical infrastructure, having direct access to the team that built it isn’t a nice-to-have—it’s essential risk management. Jake noted their average contract value sits around $50,000 annually, reflecting the value enterprises place on guaranteed support.

Third, the managed service includes features that matter to enterprises but not to individual developers: advanced analytics, audit logging, compliance reporting, and integration with enterprise identity systems. These aren’t artificial limitations—they’re genuinely different requirements between self-hosted and managed deployments.

The conversion model works because by the time companies are ready to pay, they’re not evaluating whether SpiceDB solves their problem—they’ve already validated that. They’re making a build-versus-buy decision about operations, and the math favors buying.

The Content Flywheel

Open source created a secondary benefit Authzed didn’t initially anticipate: a content moat. Every company using SpiceDB—whether as paying customers or open-source users—potentially generates content that reinforces Authzed’s authority.

Jake explained their search strategy: “If you search for Google Zanzibar, which is the paper that kind of kicked all this stuff off, there’s a good chance that we’re on the first page of that.” This wasn’t from paid search or aggressive SEO. It came from the accumulated content around SpiceDB—documentation, blog posts, conference talks, and community discussions.

The open-source community amplified Authzed’s reach without requiring marketing spend. Engineers writing about their authorization implementations mentioned SpiceDB. Conference speakers discussing Google Zanzibar referenced it. Technical blog posts about permissions systems linked to it. Each mention reinforced Authzed’s position as the go-to implementation of modern authorization patterns.

The Anti-Outbound Validation

The clearest validation of this strategy came from what didn’t work. “We don’t do any outbound whatsoever. We’ve tried it a couple of times and it really doesn’t work for us at all,” Jake admitted.

This wasn’t a philosophical stance or a resource constraint—it was an empirical observation. Traditional outbound sales actively hurt Authzed’s positioning. Cold emails from salespeople contradicted their developer-first brand. Aggressive follow-up damaged relationships with engineers who were already in self-service evaluation. The economics simply didn’t work when the open-source funnel generated better-qualified leads at lower cost.

Jake noted their retention validated the approach: “The churn in the people we actually sell to is pretty much zero.” When customers spend months evaluating via open source before purchasing, they don’t churn after a few quarters. They’ve already validated fit thoroughly.

The Replicability Question

Can every infrastructure company adopt this model? Jake’s experience suggests some constraints. First, the product must be genuinely valuable as open source. If the self-hosted version can’t solve real problems, it won’t generate the evaluation depth needed. Second, the commercial differentiation must be operational rather than functional. If key features are gated, the model collapses back into freemium.

Third, and perhaps most importantly, founders must accept longer sales cycles in exchange for higher-quality deals. Authzed’s approach requires patience. Prospects take months evaluating SpiceDB before commercial conversations begin. For founders optimizing for rapid revenue growth, this feels painfully slow. For those optimizing for customer quality and retention, it’s perfect.

The Trojan Horse Payoff

Jake built SpiceDB as a Trojan horse: something valuable enough to get inside engineering organizations without resistance, comprehensive enough to prove its worth, and foundational enough that once adopted, switching becomes costly.

The result was 25 enterprise customers, approximately $10M in ARR, and zero churn—all without outbound sales. The GitHub stars weren’t marketing metrics. They were a sales team that worked 24/7, qualified perfectly, and never sent a bad cold email.