UberEther announces partnership with Onboard.id: the world's first automated application onboarding tool for agencies and enterprises →
Main Menu

From Long-Lived API Keys to Short-Lived SVIDs: Implementing SPIFFE Identity for Agentic Systems

Why your .env file is the problem

Every agentic platform in production today has a credential management story, and most of those stories rhyme. An agent process — whether it’s a LangChain orchestrator, a Bedrock Agent, an MCP-host pattern, or something custom — needs to authenticate to upstream LLM providers, downstream tools, vector stores, and a long tail of SaaS APIs. The default solution is the same one we’ve seen in every CI/CD pipeline for the last fifteen years: long-lived API keys stuffed into environment variables, secrets managers, or Kubernetes Secrets, loaded at process startup, treated as bearer credentials until somebody remembers to rotate them.

This pattern is uniquely dangerous in agentic systems. The agent ratio (agents-per-human) is one to two orders of magnitude higher than the service-account ratio enterprise IAM teams are used to managing. The keys live in process memory of workloads that, by design, ingest untrusted input (prompts, tool results, retrieved documents) and act on it. The blast radius of a single leaked key is wider because agents typically have access to more downstream systems than a typical microservice.

SPIFFE — the Secure Production Identity Framework for Everyone — was built to fix exactly this class of problem for workloads. Treat your agent as a workload and you inherit the fix.

This article goes deep on what SPIFFE actually provides, the three SVID types, how SPIRE implements issuance, and the deployment pattern that gets you from .env files to short-lived, attested, cryptographically verifiable agent identities.

The SPIFFE model in five parts

SPIFFE is a CNCF-graduated open standard. It defines five primitives that together solve workload identity:

  1. SPIFFE ID. A URI in the form spiffe://trust-domain/workload-path that uniquely identifies a workload within a trust domain. The path is opaque to SPIFFE itself — its semantics are defined by the issuing organization. An agentic deployment might use spiffe://uberether.com/agents/onboardid/registration-wizard/<instance-id>.
  2. Trust Domain. A logical security boundary, identified by a fully qualified domain name. All SVIDs issued within a trust domain are verifiable against a common set of root keys. Trust domains are the natural unit of federation: when two organizations need workloads to interoperate, they exchange trust bundles for each other’s trust domains.
  3. SVID — SPIFFE Verifiable Identity Document. A cryptographically verifiable document that binds a SPIFFE ID to a public key. SPIFFE defines three SVID formats: X.509-SVID, JWT-SVID, and the newer WIT-SVID. (More on each below.)
  4. Workload API. A localhost-only Unix domain socket (typically /var/run/spire/sockets/agent.sock) through which a workload requests its SVIDs at runtime. The Workload API is the lynchpin of the model: it is the single point at which the platform attests the workload’s identity and hands it a freshly-minted credential.
  5. Trust Bundle and Federation. A JSON Web Key Set (per RFC 7517) containing the public keys used to verify SVIDs in a trust domain. Federation is established by exchanging trust bundles across trust domains, typically via SPIFFE Bundle Endpoints.

SPIRE is the reference implementation. A SPIRE deployment has a server (which issues SVIDs and holds the signing keys) and one or more agents (which run on worker nodes, perform local workload attestation, and broker requests to the server). When an agent process makes a call to the local Workload API socket, the SPIRE agent identifies which process is calling — using kernel-level attestation primitives (PID, namespace, executable hash, Kubernetes pod metadata, AWS instance identity, etc.) — and asks the SPIRE server for an SVID for that workload’s SPIFFE ID.

The critical property: no secrets are distributed to the workload out of band. The credential is minted on demand, scoped to the workload, and rotated continuously. A leaked SVID has a half-life of minutes, not months.

 

Figure 1. SPIFFE issuance and credential flow. SVID flows are dashed; identity issuance flows are solid. Each downstream system validates against the trust domain’s Bundle Endpoint.

SVID types: X.509, JWT, and WIT

The choice of SVID format determines what protocols you can use the credential with. Let’s walk through all three.

X.509-SVID

An X.509-SVID is an X.509 leaf certificate with the SPIFFE ID encoded in a URI Subject Alternative Name. The certificate is signed by a trust domain CA whose root is published in the trust bundle. The credential is used in the same way as any other client certificate: present it during a TLS handshake, the server validates the chain, extracts the SPIFFE ID from the URI SAN, and uses that as the authenticated identity.

A real X.509-SVID has the structure shown in the OAuth SPIFFE Client Authentication draft:

X.509-SVIDs are the right credential when the authentication channel is TLS — workload-to-workload mTLS, OAuth Mutual-TLS Client Authentication (RFC 8705), service mesh sidecars (Istio, Linkerd, Consul Connect). They’re the most mature SVID type and have the broadest tooling support.

JWT-SVID

A JWT-SVID is a JSON Web Token signed by the trust domain. The SPIFFE ID is encoded in the sub claim. The minimum required claim set is sub, aud, and exp. A JWT-SVID for an agent might look like:

JWT-SVIDs are the right credential when the authentication channel is not TLS — HTTP requests where you want to attach a bearer credential, OAuth client authentication via assertion (RFC 7521), and any case where the relying party can validate a JWT but cannot terminate mTLS against the workload directly. They are bearer tokens, which means anyone who obtains them can use them; the deployment mitigation is to keep them short-lived (minutes) and audience-bound (one AS per token).

WIT-SVID (Workload Identity Token)

The WIT-SVID is the newest of the three and the most architecturally interesting. It is the SPIFFE profile of the WIMSE Workload Identity Token defined in draft-ietf-wimse-workload-creds-00. Unlike a plain JWT-SVID, a WIT-SVID is key-bound: it contains a cnf (confirmation) claim with the workload’s public key, and the workload must prove possession of the corresponding private key whenever it presents the token.

A WIT-SVID looks like:

When the workload uses this token, it accompanies it with a Client Attestation PoP JWT signed by the private key referenced in cnf. The relying party validates both — the WIT-SVID (signed by the trust domain) and the PoP (signed by the workload’s own key) — closing the bearer-token loophole.

WIT-SVIDs are the right credential when you want JWT ergonomics without bearer-token risk. They’re the natural fit for agentic systems where tokens may flow through untrusted intermediaries (gateways, proxies, MCP relays) and you can’t rule out interception.

Attestation: the part most architects underestimate

The reason SPIFFE is more than just “JWTs from a smart CA” is workload attestation. When a process opens the Workload API socket and asks for its SVID, the SPIFFE agent doesn’t take the process’s word for what it is. It inspects local evidence — kernel namespaces, cgroup membership, executable on disk, AWS instance identity document, Kubernetes pod info from the kubelet, container image SHA — and matches that evidence against registration policies on the SPIFFE server.

The registration policy defines: “any process whose Kubernetes pod metadata matches namespace=agents, serviceAccount=onboardid-registration, image=registry.uberether.com/onboardid-wizard:v2.3.1, attested through the EKS node attestor running on a host with AWS instance role arn:aws:iam::123456789012:role/agent-host, shall be issued SVID spiffe://uberether.com/agents/onboardid/registration-wizard.”

This is the property that makes SVIDs more than just “rotated API keys.” A leaked SVID cannot be reused by a different process: when that process tries to refresh, the attestation will fail, and even if the leaked SVID is still valid by clock time, the original holder has rotated past it.

For agentic deployments, the attestation question becomes: what evidence are you willing to bind agent identity to? Container image hash is a strong attestor — but an LLM-driven agent that loads tools dynamically may have varying behavior under the same image. The pragmatic answer is layered attestation: bind the SPIFFE ID to the platform-level evidence (image, pod, host), and then use higher-level identity layers (transaction tokens, OAuth access tokens scoped per invocation) to discriminate within the workload identity.

Multiple SVIDs per agent: the governance unlock

A single agent often needs to authenticate to multiple distinct relying parties — your authorization server, your downstream APIs, a partner organization’s APIs, the LLM provider. A single workload can hold multiple SVIDs simultaneously, each scoped to a different audience.

Why this matters for governance: each SVID issuance is logged by the SPIRE server, and each SVID is tied to a specific SPIFFE ID and audience. You can answer the question “which agents are talking to which systems right now?” by querying the SPIRE registration database and the issuance log. You cannot answer that question if your agents authenticate via shared API keys, because the API key tells you nothing about which instance of which agent is using it.

For regulated environments — DoD IL5, FedRAMP High, financial services — this audit story is the difference between a workable assessment and a finding. The control mapping is direct: NIST 800-53 AC-2 (account management), AC-6 (least privilege), IA-2 (identification and authentication), AU-2 and AU-12 (audit events and content), all benefit from the SPIFFE issuance log as authoritative evidence.

Key distribution: the Bundle Endpoint pattern

A relying party validating an SVID needs the trust domain’s public keys. SPIFFE defines a Bundle Endpoint pattern (in SPIFFE_Federation.md) where each trust domain publishes a JWKS-formatted document at a stable HTTPS URL. The endpoint serves a document like:

The use parameter distinguishes which key validates which SVID type. The spiffe_refresh_hint tells consumers how often to poll for updates. Federation between two trust domains is established by configuring each side to fetch the other’s Bundle Endpoint and trust the keys it publishes.

An important deployment subtlety from the OAuth SPIFFE Client Authentication draft: the Bundle Endpoint URL is not derivable from the trust domain name. Trust domain example.org might publish its bundle at https://example.com/bundle.json. The relying party must be explicitly configured with the mapping; relying on DNS or well-known URLs is not part of the standard. This is a deliberate design choice — it prevents an attacker who controls DNS for example.org from also controlling the trust bundle.

The relying party should authenticate the Bundle Endpoint via WebPKI (regular TLS server certificate validation against the system trust store) — explicitly not via the SPIFFE trust bundle itself, which would create a chicken-and-egg problem.

A deployment pattern for agentic systems

A concrete reference pattern for putting SPIFFE under an agentic deployment:

  1. Stand up a trust domain. Choose an FQDN that scopes the domain (agents.example.com if you want a separate trust boundary from your existing workload identity domain). Deploy SPIRE server in HA mode. Decide on root key custody — SPIRE supports HSM-backed keys, AWS KMS, and disk-based for non-production.
  2. Define your attestation policy. For Kubernetes-hosted agents, use the k8s_psat node attestor and k8s workload attestor with selectors on namespace, service account, and image hash. For VM-hosted agents, use cloud-provider attestors (aws_iid, azure_msi, gcp_iit). For agents running on developer laptops or edge nodes, use join_token for bootstrap or platform-specific attestors.
  3. Choose SVID types per relying party. Service mesh sidecars consume X.509-SVIDs. OAuth authorization servers can consume any of the three but interact most cleanly with JWT-SVID or WIT-SVID via the draft-ietf-oauth-spiffe-client-auth profile. HTTP API endpoints behind a gateway typically consume JWT-SVID or WIT-SVID.
  4. Configure short SVID TTLs. SVIDs should rotate on the order of single-digit minutes for JWT/WIT and tens of minutes for X.509. The SPIFFE Workload API streams updates to subscribed workloads, so rotation is transparent — no restarts, no reconfiguration.
  5. Publish your Bundle Endpoint. A simple static HTTPS endpoint serving the SPIRE server’s bundle, refreshed on a schedule. WebPKI-secured. Document the URL out of band for federation partners.
  6. Wire SVIDs into your existing OAuth stack. This is the topic of the next article in this series — the draft-ietf-oauth-spiffe-client-auth profile lets your existing authorization server accept SVID-based client authentication, eliminating the need to distribute OAuth client secrets to agents.
  7. Decommission the long-lived API keys. This is the actual hard part of the migration. Audit every place where agents currently authenticate via static credentials, plan a phased cutover, retire the keys.

What good looks like

After the migration, an agent process behaves as follows on startup: it opens the Workload API socket, requests its SVIDs, receives one or more credentials tied to its SPIFFE ID and audiences, and uses those credentials for outbound authentication. It never sees a long-lived secret. If the process is restarted, the SVIDs are reissued — they were never persisted. If the process is compromised, the SVIDs the attacker steals expire in minutes, and the attacker cannot mint new ones because re-attestation will be performed against the platform.

This is the floor that workload identity has reached in non-agentic CI/CD. There is no technical reason agents shouldn’t be there too. The architectural decision is small: stop treating agents as a special kind of identity and start treating them as workloads that happen to be smarter than the average microservice.

The subsequent articles in this series cover the OAuth integration (draft-ietf-oauth-spiffe-client-auth), transaction tokens for preserving context across agent call chains, and CAEP-driven gateway revocation for runtime control. Each builds on the SPIFFE foundation laid out here.

Primary sources: SPIFFE specifications at spiffe.io; IETF drafts draft-ietf-wimse-arch-07, draft-ietf-wimse-workload-creds-00, draft-ietf-oauth-spiffe-client-auth-01; SPIRE documentation at spiffe.io/docs/latest/spire-about/.