On SPIRE server A (trust domain example-a.org), expose the bundle endpoint over HTTPS by adding to the server's federation block: 'federation { bundle_endpoint { address = "0.0.0.0" port = 8443 refresh_hint = "5m" } }' (in SPIRE's server.conf, bundle_endpoint and refresh_hint are nested under federation, and durations are quoted strings); the endpoint is then served at https://spire-a.example-a.org:8443
On SPIRE server B (trust domain example-b.org), point at A's endpoint by adding to B's federation block: 'federates_with "example-a.org" { bundle_endpoint_url = "https://spire-a.example-a.org:8443" bundle_endpoint_profile "https_spiffe" { endpoint_spiffe_id = "spiffe://example-a.org/spire/server" } }' (the profile name is the label of the bundle_endpoint_profile block, not a nested key)
Start both servers; they exchange bundles over the HTTPS endpoint and refresh on the configured interval
Create a workload entry on server B with 'federates_with = ["example-a.org"]' so workloads on B receive the trust bundle for domain A in their X.509 context
Have a workload on domain A fetch a JWT-SVID with audience 'spiffe://example-b.org/service' and present it to the workload on B; the workload on B validates it using the federated bundle for example-a.org
Verify bundle refresh is working: 'spire-server bundle list' on server B should show server A's bundle with a non-expired refresh timestamp
Known gotchas
Both servers must present valid TLS certificates on the bundle endpoint; with self-signed certificates (the https_spiffe profile, where the endpoint certificate is issued by the peer's own SPIRE CA) the bootstrap bundle must be configured explicitly, by exchanging 'spire-server bundle show' output out-of-band before the first fetch
The refresh_hint is advisory only; the server serving the bundle determines the actual refresh interval from its own rotation schedule, so set refresh_hint shorter than the CA rotation interval
Setting federates_with on a workload entry only causes the federated bundle to be included in the workload's SVID responses; for cross-domain auth the workload must still use a JWT-SVID validation library that selects the bundle by the token's trust domain and checks it is the correct one
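The validation step from the last gotcha (and from the JWT-SVID step of the route), written out as an added example that is not part of the original route and is not SPIRE's or go-spiffe's own code; in production a workload would call go-spiffe's jwtsvid.ParseAndValidate with a Workload API bundle source, which performs the same selection. The bundle to verify against is picked by the trust domain of the token's subject, never by the local domain, and the token's audience and expiry are checked. MintJWTSVID, the keys, the kids ("a-key-1", "c-key-1") and the domain example-c.org are constructed here to make the scenario run offline; they stand in for a SPIRE server's signer and are not how a workload obtains an SVID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Bundles is what the Workload API hands a workload whose entry has federates_with set:
// JWT authorities (kid -> public key) for its own and each federated trust domain, keyed
// by trust domain name, e.g. bundles["example-a.org"]["a-key-1"].
type Bundles map[string]map[string]*ecdsa.PublicKey

// ValidateJWTSVID verifies an ES256 JWT-SVID and returns its SPIFFE ID. The key set is
// chosen by the trust domain of the token's subject, so a token from example-a.org is
// only ever checked against example-a.org's federated bundle, never the local one.
func ValidateJWTSVID(token string, bundles Bundles, wantAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	bodyRaw, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	// encoding/json matches "alg"/"kid"/"sub"/"aud"/"exp" to these fields case-insensitively.
	var h struct{ Alg, Kid string }
	var c struct {
		Sub string
		Aud json.RawMessage // bare string or array, decoded below
		Exp int64
	}
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &h) != nil || json.Unmarshal(bodyRaw, &c) != nil {
		return "", errors.New("token is not a well-formed JWT")
	}
	if h.Alg != "ES256" || len(sig) != 64 { // reject alg confusion before touching any key
		return "", fmt.Errorf("unsupported alg %q or bad signature length", h.Alg)
	}
	td := strings.SplitN(strings.TrimPrefix(c.Sub, "spiffe://"), "/", 2)[0]
	if !strings.HasPrefix(c.Sub, "spiffe://") || td == "" {
		return "", fmt.Errorf("subject %q is not a SPIFFE ID", c.Sub)
	}
	key, ok := bundles[td][h.Kid] // a missing trust domain yields a nil map and ok == false
	if !ok {
		return "", fmt.Errorf("no key %q in bundle for %q: entry lacks federates_with, or kid unknown", h.Kid, td)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(key, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature does not verify against the federated bundle")
	}
	var auds []string
	if json.Unmarshal(c.Aud, &auds) != nil { // SPIRE (via go-jose) writes one audience as a bare string
		var one string
		_ = json.Unmarshal(c.Aud, &one) // on failure one == "" and the audience check below rejects
		auds = []string{one}
	}
	audOK := false
	for _, a := range auds {
		audOK = audOK || a == wantAud
	}
	if !audOK {
		return "", fmt.Errorf("audience %q not in %s", wantAud, c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("token expired")
	}
	return c.Sub, nil
}

// MintJWTSVID is a constructed stand-in for the SPIRE server's signer so the example runs
// offline; a real workload obtains its JWT-SVID from the Workload API, never by signing itself.
func MintJWTSVID(priv *ecdsa.PrivateKey, kid, sub string, aud []string, exp time.Time) string {
	var audVal interface{} = aud
	if len(aud) == 1 {
		audVal = aud[0] // mimic go-jose: a single audience is encoded as a plain string
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(map[string]interface{}{"sub": sub, "aud": audVal, "exp": exp.Unix()})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := make([]byte, 64) // JWS ES256 signature is raw R || S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	keyA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed; stands in for example-a.org's JWT CA
	keyC, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed; example-b.org never federated with this domain
	bundles := Bundles{"example-a.org": {"a-key-1": &keyA.PublicKey}}
	aud, now := "spiffe://example-b.org/service", time.Now()
	fmt.Println(ValidateJWTSVID(MintJWTSVID(keyA, "a-key-1", "spiffe://example-a.org/service", []string{aud}, now.Add(time.Minute)), bundles, aud, now))
	fmt.Println(ValidateJWTSVID(MintJWTSVID(keyC, "c-key-1", "spiffe://example-c.org/service", []string{aud}, now.Add(time.Minute)), bundles, aud, now))
}
```

The second call in main is the failure mode the gotcha warns about: a syntactically valid JWT-SVID from a domain B never federated with is rejected because no bundle exists for its trust domain, and a token that names A's subject and kid but was not signed by A's key fails the signature check against A's bundle.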
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp