Crate spiffe

Expand description

Client library for the SPIFFE Workload API.

Provides standards-compliant access to SPIFFE identities and trust material. Supports fetching and watching X.509 and JWT SVIDs and trust bundles using strongly typed APIs aligned with the SPIFFE specifications.

§Quick Start

For X.509-based workloads, use X509Source (requires the x509-source feature):

use spiffe::{bundle::BundleSource, TrustDomain, X509Source};

let source = X509Source::new().await?;
let _svid = source.svid()?;
let trust_domain = TrustDomain::try_from("example.org")?;
let _bundle = source
    .bundle_for_trust_domain(&trust_domain)?
    .ok_or("missing bundle")?;

For JWT-based workloads, use JwtSource (requires the jwt-source feature):

use spiffe::{bundle::BundleSource, TrustDomain, JwtSource};

let source = JwtSource::new().await?;
let _jwt_svid = source.get_jwt_svid(&["service-a", "service-b"]).await?;
let trust_domain = TrustDomain::try_from("example.org")?;
let _bundle = source
    .bundle_for_trust_domain(&trust_domain)?
    .ok_or("missing bundle")?;

For direct Workload API access, use WorkloadApiClient (requires a workload-api-* feature):

use spiffe::WorkloadApiClient;

let client = WorkloadApiClient::connect_env().await?;
let _jwt_svid = client.fetch_jwt_svid(&["audience"], None).await?;

§Feature Matrix

The crate has no default features — everything is opt-in.

Most users should enable x509-source (for X.509 workloads), jwt-source (for JWT workloads), or a workload-api-* bundle (for direct Workload API access). The granular features exist to let you minimize dependency surface when you only need X.509 or only need JWT.

Feature	Description
`x509`	X.509 SVID and bundle types + parsing (gates heavy ASN.1/X.509 deps)
`transport`	Endpoint parsing (no runtime deps)
`transport-grpc`	gRPC connector
`jwt`	JWT SVID and bundle types + parsing
`jwt-verify-rust-crypto`	Offline JWT verification (rust-crypto backend)
`jwt-verify-aws-lc-rs`	Offline JWT verification (aws-lc-rs backend)
`logging`	Log-based observability
`tracing`	Tracing-based observability

§Workload API bundles

These features enable the async Workload API client (WorkloadApiClient). Choose the smallest bundle that matches your use case:

Feature	Includes
`workload-api-x509`	Workload API client + X.509 support (no JWT)
`workload-api-jwt`	Workload API client + JWT support (no X.509)
`workload-api`	Workload API client with both X.509 + JWT support
`workload-api-full`	Alias/bundle for both X.509 + JWT support (same capability as `workload-api`)

§Advanced / compositional

Feature	Description
`workload-api-core`	Workload API infrastructure only (transport/proto/client plumbing; no X.509/JWT parsing/types)
`x509-source`	High-level X.509 watcher/caching built on the Workload API
`jwt-source`	High-level JWT watcher/caching built on the Workload API

Notes:

The x509 feature gates heavy X.509 parsing dependencies.
For direct Workload API usage, use workload-api-x509 or workload-api-jwt when you only need one, and workload-api (or workload-api-full) when you need both.

§X.509

use spiffe::{TrustDomain, X509Source};
use spiffe::bundle::BundleSource;

let source = X509Source::new().await?;
let _svid = source.svid()?;
let trust_domain = TrustDomain::try_from("example.org")?;
let _bundle = source
    .bundle_for_trust_domain(&trust_domain)?
    .ok_or("missing bundle")?;

For JWT-based workloads, use JwtSource (requires the jwt-source feature):

use spiffe::{bundle::BundleSource, TrustDomain, JwtSource};

let source = JwtSource::new().await?;
let _jwt_svid = source.get_jwt_svid(&["service-a", "service-b"]).await?;
let trust_domain = TrustDomain::try_from("example.org")?;
let _bundle = source
    .bundle_for_trust_domain(&trust_domain)?
    .ok_or("missing bundle")?;

For advanced configuration, see the x509_source and jwt_source modules.

Re-exports§

pub use crate::spiffe_id::SpiffeId;
pub use crate::spiffe_id::SpiffeIdError;
pub use crate::spiffe_id::TrustDomain;
pub use crate::svid::jwt::JwtSvid;
pub use crate::svid::jwt::JwtSvidError;
pub use crate::svid::x509::X509Svid;
pub use crate::svid::x509::X509SvidError;
pub use crate::bundle::jwt::JwtBundle;
pub use crate::bundle::jwt::JwtBundleError;
pub use crate::bundle::jwt::JwtBundleSet;
pub use crate::bundle::x509::X509Bundle;
pub use crate::bundle::x509::X509BundleError;
pub use crate::bundle::x509::X509BundleSet;
pub use crate::workload_api::X509Context;
pub use crate::workload_api::WorkloadApiClient;
pub use crate::workload_api::WorkloadApiError;
pub use crate::x509_source::ReconnectConfig as X509ReconnectConfig;
pub use crate::x509_source::ResourceLimits as X509ResourceLimits;
pub use crate::x509_source::X509Source;
pub use crate::x509_source::X509SourceBuilder;
pub use crate::x509_source::X509SourceError;
pub use crate::x509_source::X509SourceUpdates;
pub use crate::jwt_source::JwtSource;
pub use crate::jwt_source::JwtSourceBuilder;
pub use crate::jwt_source::JwtSourceError;
pub use crate::jwt_source::JwtSourceUpdates;
pub use crate::jwt_source::ReconnectConfig;
pub use crate::jwt_source::ReconnectConfig as JwtReconnectConfig;
pub use crate::jwt_source::ResourceLimits;
pub use crate::jwt_source::ResourceLimits as JwtResourceLimits;

Modules§

bundle: X.509 bundle and JWT bundle types.
cert: Certificate and PrivateKey types and helpers.
constants: Module defining constants used within the Rust-Spiffe library.
jwt_source: JWT Source: high-level watcher/caching abstraction for JWT bundles.
spiffe_id: SPIFFE-ID and TrustDomain types compliant with the SPIFFE standard.
svid: X.509-SVID and JWT-SVID types.
transport: Transport primitives (endpoint parsing, optional gRPC connector).
workload_api: A client to interact with the SPIFFE Workload API to fetch X.509 and JWT materials.
x509_source: X.509 Source: high-level watcher/caching abstraction.

Crate spiffe

Crate spiffe Copy item path

§Quick Start

§Feature Matrix

§Workload API bundles

§Advanced / compositional

§X.509

Re-exports§

Modules§

Crate spiffe