SPIRE SVID
Schema representing SPIFFE Verifiable Identity Documents (SVIDs) issued by SPIRE, including X.509-SVIDs and JWT-SVIDs. SVIDs are the primary credential format used by SPIRE to assert workload identities as SPIFFE IDs.
Properties
| Name | Type | Description |
|---|---|---|
| type | string | The SVID type, either x509 for an X.509-SVID carrying a certificate chain or jwt for a JWT-SVID carrying a signed JSON Web Token. |
| spiffe_id | string | The SPIFFE ID encoded in this SVID, identifying the workload within a trust domain. Must conform to the spiffe:// URI scheme and include the trust domain and a workload path. |
| hint | string | Optional hint string provided by SPIRE to help workloads distinguish between multiple SVIDs with different SPIFFE IDs when multiple registration entries match. |
| x509_svid | object | |
| jwt_svid | object | |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://spiffe.io/schemas/spire/svid.json",
"title": "SPIRE SVID",
"description": "Schema representing SPIFFE Verifiable Identity Documents (SVIDs) issued by SPIRE, including X.509-SVIDs and JWT-SVIDs. SVIDs are the primary credential format used by SPIRE to assert workload identities as SPIFFE IDs.",
"type": "object",
"required": ["type", "spiffe_id"],
"properties": {
"type": {
"type": "string",
"description": "The SVID type, either x509 for an X.509-SVID carrying a certificate chain or jwt for a JWT-SVID carrying a signed JSON Web Token.",
"enum": ["x509", "jwt"]
},
"spiffe_id": {
"type": "string",
"format": "uri",
"pattern": "^spiffe://[^/]+/.+$",
"description": "The SPIFFE ID encoded in this SVID, identifying the workload within a trust domain. Must conform to the spiffe:// URI scheme and include the trust domain and a workload path."
},
"hint": {
"type": "string",
"description": "Optional hint string provided by SPIRE to help workloads distinguish between multiple SVIDs with different SPIFFE IDs when multiple registration entries match."
},
"x509_svid": {
"$ref": "#/$defs/X509SVID"
},
"jwt_svid": {
"$ref": "#/$defs/JWTSVID"
}
},
"$defs": {
"X509SVID": {
"type": "object",
"description": "An X.509-SVID consisting of a certificate chain and corresponding private key material. The leaf certificate encodes the SPIFFE ID in the Subject Alternative Name URI field.",
"required": ["cert_chain", "expiry_time"],
"properties": {
"cert_chain": {
"type": "array",
"description": "Ordered list of DER-encoded X.509 certificates forming the SVID chain, beginning with the leaf certificate that encodes the SPIFFE ID and ending with the last intermediate before the trust bundle root.",
"items": {
"type": "string",
"contentEncoding": "base64",
"description": "DER-encoded X.509 certificate."
},
"minItems": 1
},
"private_key": {
"type": "string",
"contentEncoding": "base64",
"description": "DER-encoded private key corresponding to the public key in the leaf certificate. Present only when the Workload API delivers key material to the workload."
},
"expiry_time": {
"type": "integer",
"description": "Unix timestamp (seconds since epoch) indicating when this X.509-SVID expires. Workloads should refresh their SVID before this time.",
"minimum": 0
}
}
},
"JWTSVID": {
"type": "object",
"description": "A JWT-SVID consisting of a signed JSON Web Token carrying the SPIFFE ID as the subject claim. Used for authentication to systems supporting OIDC token validation.",
"required": ["token", "expiry_time"],
"properties": {
"token": {
"type": "string",
"pattern": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$",
"description": "The compact-serialized JWT string in the format header.payload.signature. The pattern checks only the three-segment shape; the signature must still be verified against the JWT authorities of the issuing trust domain's bundle."
},
"expiry_time": {
"type": "integer",
"description": "Unix timestamp (seconds since epoch) indicating when this JWT-SVID expires. Corresponds to the exp claim in the JWT payload.",
"minimum": 0
},
"issued_at": {
"type": "integer",
"description": "Unix timestamp (seconds since epoch) indicating when this JWT-SVID was issued. Corresponds to the iat claim in the JWT payload.",
"minimum": 0
}
}
},
"RegistrationEntry": {
"type": "object",
"description": "A SPIRE registration entry that defines the SPIFFE ID to be issued to workloads matching a specific set of selectors. Entries are managed by administrators via the SPIRE Server API.",
"required": ["spiffe_id", "parent_id", "selectors"],
"properties": {
"id": {
"type": "string",
"description": "Globally unique identifier for this registration entry, assigned by SPIRE Server on creation.",
"example": "11111111-1111-1111-1111-111111111111"
},
"spiffe_id": {
"$ref": "#/$defs/SPIFFEID"
},
"parent_id": {
"$ref": "#/$defs/SPIFFEID"
},
"selectors": {
"type": "array",
"description": "List of selectors that must all match on an attested node or workload for this entry to apply. Selectors are type:value pairs such as unix:uid:1000 or k8s:pod-label:app:frontend.",
"items": {
"$ref": "#/$defs/Selector"
},
"minItems": 1
},
"ttl": {
"type": "integer",
"description": "Time-to-live in seconds for SVIDs issued using this entry. Overrides the server default TTL when set.",
"minimum": 0
},
"dns_names": {
"type": "array",
"description": "Optional list of DNS SANs to include in X.509-SVIDs issued for this entry, in addition to the SPIFFE ID URI SAN.",
"items": {
"type": "string",
"format": "hostname"
}
},
"downstream": {
"type": "boolean",
"description": "When true, indicates this entry represents a downstream SPIRE Server that will receive trust bundle updates via the bundle endpoint."
},
"expires_at": {
"type": "integer",
"description": "Optional Unix timestamp (seconds since epoch) after which this registration entry is no longer valid. SVIDs will not be issued for expired entries.",
"minimum": 0
},
"federation_with": {
"type": "array",
"description": "List of trust domain names that workloads matching this entry should federate with, receiving foreign trust bundle material.",
"items": {
"type": "string",
"description": "Trust domain name, e.g., example.org"
}
},
"admin": {
"type": "boolean",
"description": "When true, workloads matching this entry can perform administrative operations on the SPIRE Server API."
},
"store_svid": {
"type": "boolean",
"description": "When true, the SVID issued for this entry is stored in the agent's SVID store plugin rather than being returned via the Workload API."
},
"hint": {
"type": "string",
"description": "Optional hint to identify this entry's SVID when a workload receives multiple SVIDs."
},
"created_at": {
"type": "integer",
"description": "Unix timestamp indicating when this registration entry was created.",
"minimum": 0
},
"revision_number": {
"type": "integer",
"description": "Monotonically increasing revision number for this entry, incremented on each update.",
"minimum": 0
}
}
},
"SPIFFEID": {
"type": "object",
"description": "A parsed SPIFFE ID consisting of a trust domain and a path component.",
"required": ["trust_domain", "path"],
"properties": {
"trust_domain": {
"type": "string",
"description": "The trust domain portion of the SPIFFE ID, e.g., example.org.",
"example": "example.org"
},
"path": {
"type": "string",
"description": "The path portion of the SPIFFE ID following the trust domain, e.g., /workload/frontend.",
"pattern": "^/.*",
"example": "/workload/frontend"
}
}
},
"Selector": {
"type": "object",
"description": "A selector is a type:value pair used during workload or node attestation to match registration entries. Examples include unix:uid:1000, k8s:ns:default, and aws:instance-profile:arn:aws:iam::123:instance-profile/spire.",
"required": ["type", "value"],
"properties": {
"type": {
"type": "string",
"description": "The attestor or selector plugin type, such as unix, k8s, aws, gcp, azure, docker, or x509pop.",
"example": "k8s"
},
"value": {
"type": "string",
"description": "The selector value specific to the type, such as ns:default for k8s or uid:1000 for unix.",
"example": "ns:default"
}
}
},
"Bundle": {
"type": "object",
"description": "A SPIFFE trust bundle containing the root CA certificates and JWT signing keys for a trust domain. Bundles are used to verify SVIDs presented by workloads in that trust domain.",
"required": ["trust_domain"],
"properties": {
"trust_domain": {
"type": "string",
"description": "The trust domain this bundle belongs to.",
"example": "example.org"
},
"x509_authorities": {
"type": "array",
"description": "List of DER-encoded X.509 root CA certificates that form the X.509 trust anchor for this trust domain.",
"items": {
"type": "object",
"properties": {
"asn1": {
"type": "string",
"contentEncoding": "base64",
"description": "DER-encoded X.509 certificate."
},
"tainted": {
"type": "boolean",
"description": "When true, this authority has been marked as tainted and SVIDs signed by it are no longer trusted."
}
}
}
},
"jwt_authorities": {
"type": "array",
"description": "List of JWT signing public keys that can be used to verify JWT-SVIDs issued for this trust domain.",
"items": {
"type": "object",
"properties": {
"public_key": {
"type": "string",
"contentEncoding": "base64",
"description": "DER-encoded public key material for JWT verification."
},
"key_id": {
"type": "string",
"description": "Key identifier (kid) matching the kid header of JWT-SVIDs signed with this key."
},
"expires_at": {
"type": "integer",
"description": "Unix timestamp when this JWT authority expires.",
"minimum": 0
},
"tainted": {
"type": "boolean",
"description": "When true, this JWT authority has been marked as tainted."
}
}
}
},
"refresh_hint": {
"type": "integer",
"description": "Suggested number of seconds after which consumers should re-fetch this bundle to check for updates.",
"minimum": 0
},
"sequence_number": {
"type": "integer",
"description": "Monotonically increasing sequence number for this bundle, incremented on each update.",
"minimum": 0
}
}
},
"Agent": {
"type": "object",
"description": "Represents an attested SPIRE Agent node known to the SPIRE Server. Agents are authenticated via node attestation and receive their own X.509-SVID from the server.",
"required": ["id", "attestation_type"],
"properties": {
"id": {
"$ref": "#/$defs/SPIFFEID"
},
"attestation_type": {
"type": "string",
"description": "The node attestor plugin type used to attest this agent, such as k8s_sat, aws_iid, gcp_iit, azure_msi, or join_token.",
"example": "k8s_sat"
},
"x509svid_expires_at": {
"type": "integer",
"description": "Unix timestamp indicating when the agent's current X.509-SVID expires.",
"minimum": 0
},
"x509svid_serial_number": {
"type": "string",
"description": "Serial number of the agent's current X.509-SVID certificate."
},
"banned": {
"type": "boolean",
"description": "When true, this agent has been banned and is no longer permitted to attest or receive SVIDs."
},
"selectors": {
"type": "array",
"description": "List of selectors produced by the node attestor for this agent, used to match node-scoped registration entries.",
"items": {
"$ref": "#/$defs/Selector"
}
},
"can_reattest": {
"type": "boolean",
"description": "When true, this agent supports re-attestation using the same attestation method."
}
}
}
}
}