Ensure the workload entry exists in SPIRE for the calling service with the appropriate selector
From the caller workload, obtain a JWT-SVID for a specific audience using the go-spiffe SDK: 'source.FetchJWTSVID(ctx, jwtsvid.Params{Audience: "spiffe://example.org/downstream"})' or via CLI: 'spire-agent api fetch jwt -audience spiffe://example.org/downstream -socketPath /run/spire/sockets/agent.sock'
Pass the JWT in the Authorization header: 'Authorization: Bearer <JWT_SVID_TOKEN>'
On the receiving service, validate using go-spiffe: 'jwtsvid.ParseAndValidate(token, jwtSource, []string{"spiffe://example.org/downstream"})' which checks signature, expiry, and audience
Inspect the validated SVID's ID field ('svid.ID.String()') to authorize based on the caller's SPIFFE ID
Handle token rotation by re-fetching the JWT-SVID before each outbound request, as JWT-SVIDs have a short TTL (typically 5 minutes)
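The six steps above wired together as one runnable Go program. This is an added example, not code from the go-spiffe project or from the original page: the `TokenValidator` and `TokenFetcher` function types are assumptions that stand in for `jwtsvid.ParseAndValidate` and `source.FetchJWTSVID` so the flow runs offline; the constructed token format `"<spiffe-id>|<audience>"` replaces a real signed JWT-SVID. What the example adds to the steps is the separation of authentication (the library call) from authorization (an allowlist keyed on `svid.ID.String()`), a `RoundTripper` that fetches a fresh token on every outbound request, and the audience check failing closed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenValidator stands in for jwtsvid.ParseAndValidate (assumed wrapper, not go-spiffe API).
// In production: svid, err := jwtsvid.ParseAndValidate(tok, jwtSource, []string{audience}); return svid.ID.String().
type TokenValidator func(token string) (spiffeID string, err error)

// TokenFetcher stands in for source.FetchJWTSVID(ctx, jwtsvid.Params{Audience: aud}) (assumed wrapper).
type TokenFetcher func(ctx context.Context, audience string) (token string, err error)

// bearerToken extracts the token from "Authorization: Bearer <token>"; false if absent or malformed.
func bearerToken(r *http.Request) (string, bool) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if len(h) <= len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return "", false
	}
	return strings.TrimSpace(h[len(prefix):]), true
}

// RequireSPIFFEID authenticates the bearer JWT-SVID, then authorizes the caller by SPIFFE ID.
// Missing or invalid token -> 401; valid token but ID not allowlisted -> 403.
func RequireSPIFFEID(validate TokenValidator, allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := bearerToken(r)
		if !ok {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		id, err := validate(tok) // signature, expiry and audience are checked by the library here
		if err != nil {
			http.Error(w, "invalid JWT-SVID", http.StatusUnauthorized)
			return
		}
		if !allowed[id] { // authorization is a separate decision from authentication
			http.Error(w, "caller not authorized", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// svidTransport fetches a fresh JWT-SVID on every request (short TTL, no renewal) and sets the header.
type svidTransport struct {
	fetch    TokenFetcher
	audience string
	base     http.RoundTripper
}

func (t svidTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	tok, err := t.fetch(r.Context(), t.audience)
	if err != nil {
		return nil, fmt.Errorf("fetch JWT-SVID: %w", err)
	}
	req := r.Clone(r.Context()) // RoundTrippers must not mutate the caller's request
	req.Header.Set("Authorization", "Bearer "+tok)
	return t.base.RoundTrip(req)
}

// NewSVIDClient returns an http.Client whose every request carries a freshly fetched JWT-SVID.
func NewSVIDClient(fetch TokenFetcher, audience string) *http.Client {
	return &http.Client{Transport: svidTransport{fetch: fetch, audience: audience, base: http.DefaultTransport}}
}

// StubValidator accepts constructed tokens "<spiffe-id>|<audience>" and rejects an audience mismatch,
// mirroring the fail-closed behaviour of the real validation (constructed stand-in, not go-spiffe).
func StubValidator(audience string) TokenValidator {
	return func(tok string) (string, error) {
		parts := strings.SplitN(tok, "|", 2)
		if len(parts) != 2 || parts[1] != audience {
			return "", errors.New("malformed token or audience mismatch")
		}
		return parts[0], nil
	}
}

// Demo runs the caller/downstream exchange locally. It returns the last HTTP status and how many
// times the token was fetched, which equals the number of requests because nothing is cached.
func Demo(callerID string, requests int) (lastStatus int, fetches int) {
	const audience = "spiffe://example.org/downstream"
	allowed := map[string]bool{"spiffe://example.org/frontend": true} // constructed allowlist
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	srv := httptest.NewServer(RequireSPIFFEID(StubValidator(audience), allowed, ok))
	defer srv.Close()

	fetch := func(_ context.Context, aud string) (string, error) {
		fetches++
		return callerID + "|" + aud, nil // constructed token; a real fetcher returns svid.Marshal()
	}
	client := NewSVIDClient(fetch, audience)
	for i := 0; i < requests; i++ {
		resp, err := client.Get(srv.URL)
		if err != nil {
			return 0, fetches
		}
		resp.Body.Close()
		lastStatus = resp.StatusCode
	}
	return lastStatus, fetches
}

func main() {
	status, n := Demo("spiffe://example.org/frontend", 3)
	fmt.Printf("status=%d fetches=%d\n", status, n)
}
```

Swapping the two stand-ins for the real go-spiffe calls is the only change needed for production: the validator closure calls `jwtsvid.ParseAndValidate` against a `workloadapi.JWTSource` and returns `svid.ID.String()`, and the fetcher calls `source.FetchJWTSVID` and returns `svid.Marshal()`. Keeping the allowlist decision outside the library call makes it easy to audit which SPIFFE IDs a service accepts.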
Known gotchas
JWT-SVIDs have a much shorter TTL than X.509-SVIDs (typically 5 minutes vs. 1 hour) and cannot be renewed; callers must fetch a fresh token per request or per short interval
The audience must exactly match the SPIFFE ID registered for the receiving workload; a mismatch causes validation failure even if the signature is valid
JWT-SVIDs are bearer tokens — they confer identity without a TLS channel binding; combine with mTLS or transport security to prevent token theft and replay