SPIFFE · Capability

SPIFFE Workload Identity

Workflow capability for SPIFFE-based workload identity and federation operations. Combines the SPIFFE Federation Bundle Endpoint for cross-domain trust bundle retrieval with identity verification workflows. Designed for platform engineers and security teams implementing zero-trust workload authentication using SPIFFE/SPIRE identity infrastructure.

Tags: SPIFFE, Identity, Security, Zero Trust, Federation, Workload Identity, mTLS

What You Can Do

GET /v1/bundle
Get trust bundle: retrieve the SPIFFE trust bundle for a trust domain

MCP Tools

get-trust-bundle

Retrieve the SPIFFE trust bundle (JWKS) for a given trust domain. Used to validate X.509-SVIDs and JWT-SVIDs issued by that trust domain.

read-only

APIs Used

spiffe-federation

Capability Spec

workload-identity.yaml
naftiko: "1.0.0-alpha1"

info:
  label: "SPIFFE Workload Identity"
  description: >-
    Workflow capability for SPIFFE-based workload identity and federation operations.
    Combines the SPIFFE Federation Bundle Endpoint for cross-domain trust bundle
    retrieval with identity verification workflows. Designed for platform engineers
    and security teams implementing zero-trust workload authentication using
    SPIFFE/SPIRE identity infrastructure.
  tags:
    - SPIFFE
    - Identity
    - Security
    - Zero Trust
    - Federation
    - Workload Identity
    - mTLS
  created: "2026-05-02"
  modified: "2026-05-02"

capability:
  consumes:
    - import: spiffe-federation
      location: ./shared/federation.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: spiffe-workload-identity-api
      description: "Unified REST API for SPIFFE workload identity and federation workflows."
      resources:
        - path: /v1/bundle
          name: trust-bundle
          description: "SPIFFE trust bundle management"
          operations:
            - method: GET
              name: get-trust-bundle
              description: "Retrieve the SPIFFE trust bundle for a trust domain"
              call: "spiffe-federation.get-trust-bundle"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: spiffe-workload-identity-mcp
      transport: http
      description: "MCP server for AI-assisted SPIFFE workload identity and federation management."
      tools:
        - name: get-trust-bundle
          description: "Retrieve the SPIFFE trust bundle (JWKS) for a given trust domain. Used to validate X.509-SVIDs and JWT-SVIDs issued by that trust domain."
          hints:
            readOnly: true
            openWorld: false
          call: "spiffe-federation.get-trust-bundle"
          outputParameters:
            - type: object
              mapping: "$."
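The spec above only wires the get-trust-bundle call through; what a consumer does with the response is where the security decisions sit. A SPIFFE bundle is a JWKS whose keys are tagged by use (jwt-svid or x509-svid), and a JWT-SVID verifier must pick the jwt-svid key named by the token's kid, pin the algorithm, check the signature, and then enforce expiry, audience and that the subject's SPIFFE ID lives in the trust domain the bundle was fetched for. The Go program below is an added example written for this page, not code from Naftiko, SPIFFE or SPIRE. The in-process issuer (issueDemoSVID), the key id demo-key-1, the trust domain example.org, the workload path and the audience are all constructed, and the JSON document it builds stands in for what the /v1/bundle endpoint would return.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// A SPIFFE bundle is a JWKS with SPIFFE extras (spiffe_sequence, spiffe_refresh_hint). Each key
// carries a "use" of "jwt-svid" or "x509-svid", so X.509 roots are never used to check JWT-SVIDs.
type jwk struct{ Kty, Use, Kid, Crv, X, Y string } // encoding/json matches "kty", "use", ... case-insensitively
type bundle struct {
	Keys           []jwk  `json:"keys"`
	SpiffeSequence uint64 `json:"spiffe_sequence"`
}

// jwtKey selects the P-256 JWT-SVID key named by kid; keys of any other use or curve are skipped.
func jwtKey(b bundle, kid string) (*ecdsa.PublicKey, error) {
	for _, k := range b.Keys {
		x, errX := b64.DecodeString(k.X)
		y, errY := b64.DecodeString(k.Y)
		if k.Use == "jwt-svid" && k.Kid == kid && k.Kty == "EC" && k.Crv == "P-256" && errX == nil && errY == nil {
			return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
		}
	}
	return nil, fmt.Errorf("no usable P-256 jwt-svid key with kid %q in bundle", kid)
}

// verifyJWTSVID validates a JWT-SVID against the bundle document served by the trust domain: ES256
// signature by a bundle key, unexpired at now, intended for audience, subject inside trustDomain.
func verifyJWTSVID(bundleJSON []byte, token, trustDomain, audience string, now time.Time) (string, error) {
	var b bundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return "", fmt.Errorf("bundle: %w", err)
	}
	h, rest, ok1 := strings.Cut(token, ".")
	p, s, ok2 := strings.Cut(rest, ".")
	hdrRaw, e1 := b64.DecodeString(h)
	payload, e2 := b64.DecodeString(p)
	sig, e3 := b64.DecodeString(s)
	var hdr struct{ Alg, Kid string }
	var c struct{ Sub string; Aud []string; Exp int64 } // aud is a JSON array (the form SPIRE emits)
	if !ok1 || !ok2 || strings.Contains(s, ".") || e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(payload, &c) != nil {
		return "", fmt.Errorf("malformed token")
	}
	if hdr.Alg != "ES256" { // pin the algorithm: the token's own alg never picks the verifier
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, err := jwtKey(b, hdr.Kid)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(h + "." + p)) // ES256 signs the raw header.payload segments
	switch {
	case !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return "", fmt.Errorf("signature does not verify against bundle key %q", hdr.Kid)
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return "", fmt.Errorf("token expired or missing exp")
	case !slices.Contains(c.Aud, audience):
		return "", fmt.Errorf("audience %q not in %v", audience, c.Aud)
	case !strings.HasPrefix(c.Sub, "spiffe://"+trustDomain+"/"):
		return "", fmt.Errorf("subject %q is outside trust domain %s", c.Sub, trustDomain)
	}
	return c.Sub, nil // the verified SPIFFE ID
}

// issueDemoSVID stands in for a SPIRE server (constructed for this example only): it mints a
// P-256 key, publishes it as a bundle document, and signs one JWT-SVID with it.
func issueDemoSVID(trustDomain, path, audience string, exp time.Time) ([]byte, string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing crypto/rand is not recoverable
	}
	coord := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	seg := func(v any) string { j, _ := json.Marshal(v); return b64.EncodeToString(j) }
	doc, _ := json.Marshal(map[string]any{"spiffe_sequence": 1, "spiffe_refresh_hint": 300, "keys": []map[string]string{
		{"kty": "EC", "use": "jwt-svid", "kid": "demo-key-1", "crv": "P-256", "x": coord(priv.X), "y": coord(priv.Y)}}})
	signing := seg(map[string]string{"alg": "ES256", "kid": "demo-key-1", "typ": "JWT"}) + "." +
		seg(map[string]any{"sub": "spiffe://" + trustDomain + path, "aud": []string{audience}, "exp": exp.Unix()})
	digest := sha256.Sum256([]byte(signing))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:]) // same entropy source as above; error path omitted in the demo
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return doc, signing + "." + b64.EncodeToString(sig)
}

func main() {
	doc, tok := issueDemoSVID("example.org", "/workload/payments", "spiffe://example.org/api", time.Now().Add(time.Hour))
	fmt.Println(verifyJWTSVID(doc, tok, "example.org", "spiffe://example.org/api", time.Now()))
}
```

Run it with `go run` and it prints the verified SPIFFE ID and a nil error. Two design points matter for a real deployment: the key lookup filters on use, so an X.509 root published in the same bundle can never be mistaken for a JWT signing key, and the trust-domain check ties the subject to the bundle that was fetched, which is what stops a federated peer's key from vouching for identities in your own domain. The spiffe_refresh_hint field in the bundle is the issuer's hint, in seconds, for how often the caller should re-fetch through get-trust-bundle so that rotated keys are picked up.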