SPIRE website screenshot

SPIRE

SPIRE (SPIFFE Runtime Environment) is the reference implementation of the SPIFFE standard, providing a toolchain for establishing trust between software systems across a wide variety of hosting platforms through automated attestation and workload identity distribution. SPIRE manages a certificate authority, performs node and workload attestation, and issues SVIDs to workloads through the SPIFFE Workload API.

4 APIs 0 Features
AuthenticationCloud NativeGraduatedIdentitySecurityZero Trust

APIs

SPIRE Workload API

The SPIRE Agent exposes the SPIFFE Workload API as a Unix domain socket, allowing workloads running on the same node to request their X.509-SVIDs and JWT-SVIDs without requiring...

SPIRE Server API

The SPIRE Server exposes a gRPC API used by administrators and the SPIRE Agent to manage registration entries, node attestation, bundle federation, and server health. It allows ...

SPIRE Agent API

The SPIRE Agent runs on each node and handles workload attestation, caching SVIDs, and serving the Workload API. It exposes a health check endpoint and communicates with the SPI...

SPIRE OIDC Discovery API

SPIRE includes an OIDC Discovery Provider that serves an OpenID Connect discovery document and JSON Web Key Set (JWKS) endpoint, enabling workloads to present JWT-SVIDs to syste...

Collections

GraphQL

SPIRE GraphQL API

Spire is a global maritime and aviation intelligence company using satellite data. The API covers vessel tracking (AIS), flight tracking (ADSB), weather intelligence, maritime t...

GRAPHQL

Pricing Plans

Spire Plans Pricing

3 plans

PLANS

Rate Limits

Spire Rate Limits

5 limits

RATE LIMITS

FinOps

Spire Finops

FINOPS

Event Specifications

SPIRE Workload API Events

The SPIRE Workload API is a gRPC streaming interface exposed by the SPIRE Agent on each node, through which workloads request and receive SPIFFE Verifiable Identity Documents (S...

ASYNCAPI

Semantic Vocabularies

Spire Context

0 classes · 9 properties

JSON-LD

API Governance Rules

SPIRE API Rules

9 rules · 3 errors 5 warnings 1 info

SPECTRAL

JSON Structure

Spire Registration Structure

0 properties

JSON STRUCTURE

Spire Svid Structure

0 properties

JSON STRUCTURE

Example Payloads

Spire Get Jwks Example

2 fields

EXAMPLE

Spire Get Liveness Example

2 fields

EXAMPLE

Spire Get Readiness Example

2 fields

EXAMPLE

Resources

🔗
Website
Website
🔗
Documentation
Documentation
🚀
GettingStarted
GettingStarted
👥
GitHubOrganization
GitHubOrganization
👥
GitHubRepository
GitHubRepository
🔗
Community
Community
🔗
Slack
Slack
📰
Blog
Blog
📄
ChangeLog
ChangeLog
🔗
Security
Security
👥
StackOverflow
StackOverflow
🔗
JSONSchema
JSONSchema
🔗
JSONSchema
JSONSchema
🔗
JSONStructure
JSONStructure
🔗
JSONStructure
JSONStructure
🔗
JSONLD
JSONLD
🔗
SpectralRules
SpectralRules
🔗
Capabilities
Capabilities
🔗
Vocabulary
Vocabulary

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: SPIRE OIDC Discovery Provider API
  version: '1.0'
items:
- info:
    name: Discovery
    type: folder
  items:
  - info:
      name: SPIRE Get OpenID Connect discovery document
      type: http
    http:
      method: GET
      url: https://{domain}/.well-known/openid-configuration
    docs: Returns the OpenID Connect discovery document describing the OIDC provider's configuration. The document includes
      the issuer URL, JWKS URI, supported response types, subject types, and supported signing algorithms. This endpoint is
      used by OIDC-compatible systems to auto-configure themselves to validate JWT-SVIDs issued by SPIRE. The path prefix
      can be customized via the server_path_prefix option.
- info:
    name: Keys
    type: folder
  items:
  - info:
      name: SPIRE Get JSON Web Key Set
      type: http
    http:
      method: GET
      url: https://{domain}/keys
    docs: Returns the JSON Web Key Set (JWKS) containing the public keys used to verify JWT-SVIDs issued by SPIRE. The keys
      are derived from the SPIRE trust bundle and are automatically rotated as SPIRE rotates its signing keys. Consumers must
      re-fetch this endpoint periodically to stay current with key rotations. Supported signing algorithms include RS256,
      ES256, and ES384.
bundled: true