docs: add underscore prefix convention for private identifiers

ivanauth · claude · ivanauth · commit ded56ab7460e · 2025-12-01T15:39:25.000-05:00
Document the ability to use underscore prefixes for definitions, relations, and permissions to signal that they are private/internal. This is a naming convention that helps developers distinguish between public API and internal implementation details in their schemas. Related: authzed/spicedb#2733 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/pages/spicedb/concepts/schema.mdx b/pages/spicedb/concepts/schema.mdx
@@ -437,6 +437,46 @@ Examples:
   to a _computed_ set of subjects.
 </Callout>
 
+### Private/Internal Identifiers
+
+SpiceDB supports using an underscore (`_`) prefix for identifiers to establish a convention for marking definitions, relations, or permissions as "private" or "internal". This is a naming convention only—it does not enforce any access restrictions.
+
+This convention is useful for:
+
+- **Synthetic permissions**: Permissions that exist only to compose other permissions
+- **Internal relations**: Relations not meant to be directly referenced by application code
+- **Implementation details**: Parts of your schema that may change without affecting the public API
+
+```zed
+definition document {
+    relation viewer: user
+
+    // Private relation - used internally for permission composition
+    relation _internal_viewer: user
+
+    // Private synthetic permission
+    permission _can_view = viewer + _internal_viewer
+
+    // Public permission built on private components
+    permission view = _can_view
+}
+```
+
+<Callout type="info">
+  The underscore prefix is purely a naming convention to signal intent to other
+  developers. SpiceDB does not treat underscore-prefixed identifiers differently
+  at runtime—they can still be used in relationships and permission checks like
+  any other identifier.
+</Callout>
+
+#### Identifier Rules
+
+- Identifiers can begin with a lowercase letter (`a-z`) or underscore (`_`)
+- After the first character, identifiers can contain lowercase letters, numbers, and underscores
+- Identifiers must be 4-64 characters long and end with an alphanumeric character
+- Valid: `_private`, `_internal_relation`, `_helper123`
+- Invalid: `_` (too short), `_trailing_` (cannot end with underscore)
+
 ## Comments
 
 ### Documentation Comments
