Confirm the SPIRE server is running and the agent is attested: 'spire-server bundle show -format pem' should return the trust bundle
Register a workload entry binding a SPIFFE ID to a Unix UID selector: 'spire-server entry create -spiffeID spiffe://example.org/myapp -parentID spiffe://example.org/spire/agent/k8s_sat/default/node1 -selector unix:uid:1000'
Add a DNS SAN to the entry so the issued X.509-SVID includes a DNS name for TLS compatibility: 'spire-server entry create -spiffeID spiffe://example.org/myapp -parentID spiffe://example.org/spire/agent/k8s_sat/default/node1 -selector unix:uid:1000 -dns myapp.example.org'
From the workload process (running as UID 1000), call the Workload API over the agent's Unix socket: either run 'spiffe-helper', or use the go-spiffe library: 'workloadapi.New(ctx, workloadapi.WithAddr("unix:///run/spire/sockets/agent.sock"))'
The response contains the X.509-SVID certificate, its private key, and the trust bundle; extract them and use them for mTLS
Watch for SVID rotation by subscribing to the Workload API stream rather than polling; go-spiffe's 'WatchX509Context' handles this automatically
Known gotchas
The parentID in a workload entry must be the exact SPIFFE ID the SPIRE agent received at node attestation; with a mismatched parentID the agent never receives, and so never delivers, SVIDs for that entry
DNS SANs in SPIRE entries are informational additions to the X.509-SVID; the SPIFFE URI SAN is always authoritative for identity, and relying solely on the DNS SAN for identity is an anti-pattern
The Workload API socket is only accessible to workloads that match a registered selector; a process that does not match any entry receives an empty SVID response, not an error
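The peer check that the mTLS step and the DNS-SAN gotcha above call for, as an added example that is not part of this page or of the SPIRE/go-spiffe projects: it uses only Go's standard library, assumes the SPIFFE ID spiffe://example.org/myapp registered above, and MintTestSVID is a constructed fixture standing in for what the Workload API would return.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// VerifyPeerSVID is for tls.Config.VerifyPeerCertificate (clients: InsecureSkipVerify; servers: ClientAuth=RequireAnyClientCert,
// so rawCerts is never empty). It chains the X.509-SVID to the trust bundle, then authorizes on the spiffe:// URI SAN alone.
func VerifyPeerSVID(rawCerts [][]byte, bundle *x509.CertPool, expectedID string) error {
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	// No DNSName (SPIFFE defines no hostname check); ExtKeyUsageAny because one SVID serves both TLS roles.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("SVID does not chain to trust bundle: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].String() != expectedID { // SPIFFE requires exactly one URI SAN
		return fmt.Errorf("URI SANs %v do not identify %s", leaf.URIs, expectedID)
	}
	return nil
}

// MintTestSVID is a constructed fixture (throwaway CA plus a SPIRE-style leaf: one spiffe:// URI SAN, optional DNS SANs).
func MintTestSVID(spiffeID string, dnsSANs ...string) ([]byte, *x509.CertPool, error) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caPriv)
	ca, _ := x509.ParseCertificate(caDER)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	id, _ := url.Parse(spiffeID)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), URIs: []*url.URL{id}, DNSNames: dnsSANs, NotAfter: time.Now().Add(time.Hour)}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, ca, leafPub, caPriv)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return leafDER, pool, err
}

func main() {
	leaf, bundle, _ := MintTestSVID("spiffe://example.org/myapp", "myapp.example.org")
	fmt.Println(VerifyPeerSVID([][]byte{leaf}, bundle, "spiffe://example.org/myapp")) // prints <nil>
}
```

A peer whose DNS SAN matches but whose URI SAN is a different SPIFFE ID is rejected, as is an SVID from a CA outside the bundle.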