JWT-SVID Issuance

Acquire a signed JWT token encoding a SPIFFE ID via the Workload API (SPIFFE JWT-SVID spec §2). JWT-SVIDs are an alternative to X.509-SVIDs designed for HTTP/gRPC-based authentication where presenting a client certificate is impractical (e.g., L7 proxies, API gateways). The workload specifies the intended audience, and SPIRE Server mints a signed JWT with the workload's SPIFFE ID as the subject. JWT-SVIDs are short-lived (typically 5 minutes) and audience-bound.

Try in Looking Glass
JWT TokenShort-Lived

Sequence Diagram

Click any step for details

WorkloadAgentServerSigner1FetchJWTSVID Request2Agent Forwards to SPIRE Server3JWT-SVID Generation and Signing4JWT-SVID Delivery to Workload
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
FetchJWTSVID Request
WorkloadSPIRE Agent
2
Agent Forwards to SPIRE Server
SPIRE AgentSPIRE Server
3
JWT-SVID Generation and Signing
SPIRE ServerJWT Signer
4
JWT-SVID Delivery to Workload
SPIRE AgentWorkload

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Core specs

· The specifications that define this protocol.

Security & privacy

· Dedicated security and privacy considerations.