{"id":"d5a408c7-563e-4916-8d52-315e0eb0005e","task":"Issue and validate a SPIFFE JWT-SVID for service-to-service authorization in an HTTP header","domain":"spiffe.io","steps":["Ensure the workload entry exists in SPIRE for the calling service with the appropriate selector","From the caller workload, obtain a JWT-SVID for a specific audience using the go-spiffe SDK: 'source.FetchJWTSVID(ctx, jwtsvid.Params{Audience: \"spiffe://example.org/downstream\"})' or via CLI: 'spire-agent api fetch jwt -audience spiffe://example.org/downstream -socketPath /run/spire/sockets/agent.sock'","Pass the JWT in the Authorization header: 'Authorization: Bearer <JWT_SVID_TOKEN>'","On the receiving service, validate using go-spiffe: 'jwtsvid.ParseAndValidate(token, jwtSource, []string{\"spiffe://example.org/downstream\"})' which checks signature, expiry, and audience","Inspect the validated SVID's ID field ('svid.ID.String()') to authorize based on the caller's SPIFFE ID","Handle token rotation by re-fetching the JWT-SVID before each outbound request, as JWT-SVIDs have a short TTL (typically 5 minutes)"],"gotchas":["JWT-SVIDs have a much shorter TTL than X.509-SVIDs (typically 5 minutes vs. 1 hour) and cannot be renewed; callers must fetch a fresh token per request or per short interval","The audience must exactly match the SPIFFE ID registered for the receiving workload; a mismatch causes validation failure even if the signature is valid","JWT-SVIDs are bearer tokens — they confer identity without a TLS channel binding; combine with mTLS or transport security to prevent token theft and replay"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:37.183Z"},"url":"https://mcp.waymark.network/r/d5a408c7-563e-4916-8d52-315e0eb0005e"}