Credentials

This page covers the types of credentials issued by Cofide Connect, and how to obtain them.

Cofide Connect issues workload credentials as SPIFFE Verifiable Identity Documents (SVIDs). Two SVID formats are supported: X.509-SVID and JWT-SVID.

X.509-SVIDs are short-lived X.509 certificates with the workload’s SPIFFE ID embedded in the Subject Alternative Name (SAN) field. They operate at the transport layer and are the primary format for mutual TLS (mTLS) authentication between workloads.

Key characteristics:

  • Proof-of-possession: the workload proves possession of a private key during the TLS handshake, providing strong replay resistance
  • Supports both encryption and authentication
  • Cannot pass transparently through TLS-terminating intermediaries

X.509-SVIDs are best suited to service-to-service communication where TLS is available end-to-end.
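The SAN-based identity check that makes an X.509-SVID usable for mTLS authorization, as an added Go example that is not Cofide's, go-spiffe's or cofide-sdk-go's code: it assumes a hypothetical authorizePeer helper and mints its own self-signed fixture certificate, where a real deployment would use the SVID and trust bundle obtained over the Workload API. In practice a check like this sits in tls.Config's VerifyPeerCertificate, after the chain has been validated against the bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// authorizePeer is the identity check an mTLS peer applies to the leaf after
// normal chain validation: the SVID's single URI SAN must be a SPIFFE ID in the
// expected trust domain and within its validity window. Returns the SPIFFE ID.
func authorizePeer(leaf *x509.Certificate, trustDomain string, now time.Time) (string, error) {
	if len(leaf.URIs) != 1 || len(leaf.DNSNames)+len(leaf.EmailAddresses)+len(leaf.IPAddresses) != 0 {
		return "", fmt.Errorf("X.509-SVID must carry exactly one URI SAN and no other SAN entries")
	}
	id := leaf.URIs[0]
	if id.Scheme != "spiffe" || id.Host == "" || id.User != nil || id.Port() != "" || id.RawQuery != "" || id.Fragment != "" {
		return "", fmt.Errorf("URI SAN %q is not a SPIFFE ID", id.String())
	}
	if id.Host != trustDomain { // the trust domain is the host part of the SPIFFE ID
		return "", fmt.Errorf("peer %s is outside trust domain %s", id, trustDomain)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) { // SVIDs are short-lived: expiry matters
		return "", fmt.Errorf("SVID %s is not valid at %s", id, now.UTC().Format(time.RFC3339))
	}
	return id.String(), nil
}

// makeSVID mints a short-lived self-signed certificate carrying id as its URI SAN.
// Constructed fixture for this example; real SVIDs arrive via the Workload API.
func makeSVID(id string, ttl time.Duration) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture: errors ignored
	u, _ := url.Parse(id)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		URIs:         []*url.URL{u},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```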

JWT-SVIDs are signed JSON Web Tokens (JWTs) containing the workload’s SPIFFE ID in the sub claim. They operate at the application layer and are suited to scenarios where transport-layer TLS is not universally available.

Key characteristics:

  • Bearer token: no proof-of-possession; the token itself grants access
  • Stateless validation: can be validated by verifying its signature and claims (e.g., expiry) without contacting the issuer
  • Compatible with TLS-terminating intermediaries
  • Can be used by intermediate proxies for application-layer routing decisions

JWT-SVIDs are best suited to Layer 7 routing scenarios, heterogeneous or legacy environments without universal TLS support, and integration with third-party identity systems such as OpenID Connect (OIDC).

Workloads obtain SVIDs through the SPIFFE Workload API, a local gRPC endpoint provided by the SPIFFE agent running on the same node. There are three main approaches to integrating with it.

Applications can request SVIDs directly from the Workload API, giving full control over credential lifecycle from within the workload itself.

Cofide provides cofide-sdk-go, an open-source SDK that wraps Go’s net/http to make this straightforward. It is built on top of go-spiffe and handles SVID rotation automatically with minimal code changes required. See the cofide-sdk-go page for more information.

The SPIFFE community also provides libraries for other languages, including Java, Rust, and Python.

The sidecar pattern decouples SVID management from application code entirely. A dedicated component runs alongside the workload and retrieves SVIDs from the Workload API. The sidecar typically uses the SVIDs in one of several ways:

  1. SVIDs are made directly available to the application, often as files on a shared volume.
  2. The sidecar operates as a proxy, upgrading incoming and/or outgoing connections to use TLS.
  3. The sidecar operates as a proxy, injecting JWT-SVIDs as HTTP headers into outgoing requests and/or validating JWT-SVIDs in incoming requests.

Cofide provides spiffe-enable, a Kubernetes mutating admission webhook that automatically injects sidecar components into pods. See the spiffe-enable page for more information.

Service meshes such as Istio handle identity issuance and mTLS transparently, without requiring changes to application code or deployment configuration. Istio is SPIFFE-compliant and can federate with Cofide Connect, enabling secure communication across trust zones in multi-cluster and multi-cloud environments. See the Istio page for more information.