[neupatr]

So the idea in the paper is that you store a version token (aka. zookie) next to every object version. When you ask Zanzibar if a user is allowed to modify it, the request contains the stored token. Then you get a new token with a successful response that you store with the new version. This guarantees that a user can only access 1. objects they have access to and 2. objects they don't have access to but only at versions they once had access to. The second case only occurs until an ACL update propagates around the globe and through all distributed caches. In our opinion that can be added later on (the proto definitions already account for that), although it is a breaking change of course. One important point is that Keto can be operated locally as well, which means there are no database sync delays. This is the only mode it supports right now, and it does not need the zookies for that.