SPIRE · JSON Structure
SPIRE SVID Structure
SPIFFE Verifiable Identity Document issued by SPIRE to attest workload identity.
Authentication · Cloud Native · Graduated · Identity · Security · Zero Trust
SVID is a JSON Structure definition published by SPIRE.
Meta-schema:
JSON Structure
{
"name": "SVID",
"description": "SPIFFE Verifiable Identity Document issued by SPIRE to attest workload identity.",
"fields": [
{
"name": "type",
"type": "string",
"description": "SVID type: x509 or jwt.",
"enum": ["x509", "jwt"],
"required": true
},
{
"name": "spiffe_id",
"type": "string",
"description": "The SPIFFE ID URI encoded in the SVID (e.g., spiffe://example.org/workload/frontend).",
"required": true
},
{
"name": "hint",
"type": "string",
"description": "Optional hint to distinguish between multiple SVIDs when a workload has more than one matching entry.",
"required": false
},
{
"name": "x509_svid",
"type": "object",
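"description": "X.509-SVID payload — present when type is x509. The required flag on this field does not express that condition, so consumers need to check it themselves.",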
"required": false,
"fields": [
{
"name": "cert_chain",
"type": "array",
"description": "Ordered list of DER-encoded (base64) X.509 certificates from leaf to last intermediate.",
"required": true
},
{
"name": "private_key",
"type": "string",
"description": "DER-encoded (base64) private key. Delivered only by the Workload API; it is secret material and should be kept out of logs and stored copies of this document.",
"required": false
},
{
"name": "expiry_time",
"type": "integer",
"description": "Unix timestamp (seconds) when the X.509-SVID expires.",
"required": true
}
]
},
{
"name": "jwt_svid",
"type": "object",
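"description": "JWT-SVID payload — present when type is jwt. The required flag on this field does not express that condition, so consumers need to check it themselves.",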
"required": false,
"fields": [
{
"name": "token",
"type": "string",
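"description": "Compact serialized JWT string (header.payload.signature). The token is a bearer credential, so it should be kept out of logs and stored copies of this document.",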
"required": true
},
{
"name": "expiry_time",
"type": "integer",
"description": "Unix timestamp (seconds) when the JWT-SVID expires.",
"required": true
},
{
"name": "issued_at",
"type": "integer",
"description": "Unix timestamp (seconds) when the JWT-SVID was issued.",
"required": false
}
]
}
]
}