This package provides convenient helpers for integrating SPIFFE workload identities into TypeScript applications. Instead of dealing with Workload API protocol details, you can enjoy ready-to-use credentials and trust bundles.
The package is published as @jeengbe/spiffe. Versions follow Semantic Versioning.
The client connects to the Workload API over gRPC. If no host parameter is provided, the client will attempt to connect to process.env.SPIFFE_ENDPOINT_SOCKET, or fall back to unix:///tmp/spire-agent/public/api.sock if that also isn't available.
```typescript
const spiffe = new SpiffeClientImpl();
```

To work with JWT-SVIDs, the client implements the SpiffeJwtClient interface.
Use getJwt() in client applications to fetch a JSON Web Token for the specified audience.
```typescript
declare const spiffe: SpiffeJwtClient;

async function fetchData(url: string) {
  // Request a JWT-SVID whose audience is the service being called.
  const token = await spiffe.getJwt('orders-api');
  return await fetch(url, {
    headers: { authorization: `Bearer ${token}` },
  });
}
```

On the server, use validateJwt() to validate an incoming JWT-SVID bearer token.
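```typescript
import type { IncomingMessage } from 'node:http';

declare const spiffe: SpiffeJwtClient;

async function authenticateRequest(req: IncomingMessage) {
  // Node.js lowercases incoming header names, so look up 'authorization'.
  // extractBearer() is not defined in this snippet.
  const token = extractBearer(req.headers['authorization']);
  return spiffe.validateJwt('orders-api', token);
}
```

The Node.js ecosystem is not ready for short-lived rotating X.509 client certificates yet.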
TODO: Contribute upstream (nodejs/TSC#1843)
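
The server-side validateJwt() snippet above calls extractBearer() without defining it. The following is an added example, not code from this package: a strict header parser plus a wrapper that fails closed. The `JwtValidator` interface, its return type, the assumption that validateJwt() rejects on an invalid token, and the 401 result shape are all assumptions made for illustration.

```typescript
// Added example; not part of @jeengbe/spiffe. JwtValidator mirrors only the
// validateJwt(audience, token) call shown above; its return type is assumed.
interface JwtValidator {
  validateJwt(audience: string, token: string): Promise<unknown>;
}

type HeaderValue = string | string[] | undefined;
type AuthResult = { ok: true; identity: unknown } | { ok: false; status: 401 };

// RFC 6750 token charset: no whitespace, commas or control characters.
const BEARER_RE = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i;

/** Returns the bearer token, or null if the header is absent, repeated or malformed. */
function extractBearer(header: HeaderValue): string | null {
  if (Array.isArray(header)) {
    if (header.length !== 1) return null; // ambiguous: refuse rather than pick one
    header = header[0];
  }
  if (typeof header !== 'string') return null;
  const match = BEARER_RE.exec(header.trim());
  return match?.[1] ?? null;
}

/** Validates the request's JWT-SVID for `audience`; every failure maps to 401. */
async function authenticateRequest(
  spiffe: JwtValidator,
  headers: Record<string, HeaderValue>,
  audience: string,
): Promise<AuthResult> {
  // Header names are expected in lowercase, as Node.js delivers them.
  const token = extractBearer(headers['authorization']);
  if (token === null) return { ok: false, status: 401 };
  try {
    return { ok: true, identity: await spiffe.validateJwt(audience, token) };
  } catch {
    // Assumed: validateJwt() rejects for an invalid token or wrong audience.
    return { ok: false, status: 401 };
  }
}
```

Pass the audience this service expects (`'orders-api'` in the snippets above) so that tokens issued for a different service are not accepted.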