JWT-SVID Issuance
Acquire a signed JWT token encoding a SPIFFE ID via the Workload API (SPIFFE JWT-SVID spec §2). JWT-SVIDs are an alternative to X.509-SVIDs designed for HTTP/gRPC-based authentication where presenting a client certificate is impractical (e.g., L7 proxies, API gateways). The workload specifies the intended audience, and SPIRE Server mints a signed JWT with the workload's SPIFFE ID as the subject. JWT-SVIDs are short-lived (typically 5 minutes) and audience-bound.
JWT-SVID Issuance
Acquire a signed JWT token encoding a SPIFFE ID via the Workload API (SPIFFE JWT-SVID spec §2). JWT-SVIDs are an alternative to X.509-SVIDs designed for HTTP/gRPC-based authentication where presenting a client certificate is impractical (e.g., L7 proxies, API gateways). The workload specifies the intended audience, and SPIRE Server mints a signed JWT with the workload's SPIFFE ID as the subject. JWT-SVIDs are short-lived (typically 5 minutes) and audience-bound.
Sequence Diagram
Click any step for details
Step-by-Step Breakdown
Token Inspector
Specs for this flow
Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.