It's a really well designed distributed system for calculating access control decisions at scale. It makes a specific authorization CAP tradeoff that allows for consistency around access checks to different "versions" of a piece of content, allowing older content to be protected by checks served from read replicas and cache.
Full disclosure: I am a co-founder of a company building and hosting a Zanzibar implementation as a service: https://authzed.com
In the case of Authzed, we provide a gRPC API [0] which can be used from any application or language that supports gRPC, as well as designed client libraries for specific languages [1] to make integration even easier.
Applications primarily integrate by making Check requests [2] at any point in which a protected resource is being accessed and Write requests [3] at any point in which permissions are granted or removed.
OAuth is just an identity tool (to say a login is a certain person). Zanzibar can be seen more as a ACL system that you can put across your system. So it is there to validate that a given user is able to access any specific resource.
It's the first I'm hearing about it.
Is it Oauth for everything?