diff --git a/go.mod b/go.mod
index 50ad0590..5b054699 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.19
 
 require (
 	github.com/authzed/authzed-go v0.7.0
-	github.com/authzed/grpcutil v0.0.0-20220104222419-f813f77722e5
+	github.com/authzed/grpcutil v0.0.0-20230109193425-40ce0530e048
 	github.com/gin-gonic/gin v1.8.1
 	github.com/google/uuid v1.3.0
 	github.com/nats-io/nats.go v1.19.0
diff --git a/go.sum b/go.sum
index c2093de2..59e40323 100644
--- a/go.sum
+++ b/go.sum
@@ -198,6 +198,8 @@ github.com/authzed/authzed-go v0.7.0 h1:etnzHUAIyxGiEaFYJPYkHTHzxCYWEGzZQMgVLe4x
 github.com/authzed/authzed-go v0.7.0/go.mod h1:bmjzzIQ34M0+z8NO9SLjf4oA0A9Ka9gUWVzeSbD0E7c=
 github.com/authzed/grpcutil v0.0.0-20220104222419-f813f77722e5 h1:sZM7XzdyuLyxj7pC/g7uX+XAqZ7m6NMxZzuQRovgBPw=
 github.com/authzed/grpcutil v0.0.0-20220104222419-f813f77722e5/go.mod h1:rqjY3zyK/YP7NID9+B2BdIRRkvnK+cdf9/qya/zaFZE=
+github.com/authzed/grpcutil v0.0.0-20230109193425-40ce0530e048 h1:pBStde+5xTAEFP5gGkOMbnDbpCHg1hAWBv7N0VEnDMY=
+github.com/authzed/grpcutil v0.0.0-20230109193425-40ce0530e048/go.mod h1:rqjY3zyK/YP7NID9+B2BdIRRkvnK+cdf9/qya/zaFZE=
 github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
 github.com/aws/aws-sdk-go v1.15.27/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
diff --git a/internal/spicedbx/client.go b/internal/spicedbx/client.go
index 5f1f529b..ae5e0071 100644
--- a/internal/spicedbx/client.go
+++ b/internal/spicedbx/client.go
@@ -2,6 +2,7 @@ package spicedbx
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/authzed/authzed-go/v1"
 	"github.com/authzed/grpcutil"
@@ -33,9 +34,17 @@ func NewClient(cfg Config, enableTracing bool) (*authzed.Client, error) {
 		)
 
 		if cfg.VerifyCA {
-			clientOpts = append(clientOpts, grpcutil.WithSystemCerts(grpcutil.VerifyCA))
+			opt, err := grpcutil.WithSystemCerts(grpcutil.VerifyCA)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load system certificates: %w", err)
+			}
+			clientOpts = append(clientOpts, opt)
 		} else {
-			clientOpts = append(clientOpts, grpcutil.WithSystemCerts(grpcutil.SkipVerifyCA))
+			opt, err := grpcutil.WithSystemCerts(grpcutil.SkipVerifyCA)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load system certificates: %w", err)
+			}
+			clientOpts = append(clientOpts, opt)
 		}
 	}