Protocol Explorer

CB4A — Credential Broker for Agents

Model B (Token Minting): An AI agent obtains a short-lived, DPoP-bound access token via the Credential Broker for Agents protocol. A Policy Decision Point (PDP) and Credential Delivery Point (CDP) collaborate so that neither holds unilateral power — the PDP never touches credentials, and the CDP never makes policy decisions.

draft-hartman-cb4a-00
Sequence diagram. Participants: AI Agent, SPIRE Agent, Policy Decision Point, Credential Delivery Point, Target API.

1. GET /workload-api/svid → 200
2. POST /credential-request
3. POST /approve
4. 200 OK — DPoP Token Issued
5. GET /api/resource
6. 200 OK — Resource Response

GET unix:///tmp/spire-agent/public/api.sock/workload-api/svid → 200

The AI Agent bootstraps its cryptographic identity by calling the SPIFFE Workload API served by a local SPIRE Agent (over a Unix domain socket). SPIRE verifies the workload's OS-level attributes and issues a short-lived X.509 SVID — a certificate whose Subject Alternative Name encodes the SPIFFE ID. This SVID is the agent's proof-of-identity for all subsequent CB4A interactions.

The private key for the SVID is generated on-node by the SPIRE Agent and never transmitted anywhere — only the certificate (public key + SPIFFE ID) is returned.

SVIDs have short TTLs (typically 1 hour) and are automatically rotated by the SPIRE Agent before expiry.

The Workload API is exposed over a Unix domain socket, limiting access to processes on the same host — an additional OS-level access control layer.


Step 1: GET /workload-api/svid

Request / response

GET unix:///tmp/spire-agent/public/api.sock/workload-api/svid

Headers:
Content-Type: application/grpc
X-Spiffe-Workload-Api: 1

Cryptographic Signature

Construction Steps

1. Node Attestation
SPIRE Agent on the host proves its identity to the SPIRE Server using a node-specific attestor (e.g., Kubernetes Service Account Token, TPM, or cloud IAM). The SPIRE Server verifies and registers the node.
2. Workload Attestation
When the workload (AI Agent process) calls the Workload API, the SPIRE Agent inspects OS kernel attributes (process UID, cgroup membership, k8s pod labels) to confirm the caller's identity matches a registered entry.
3. SVID Issuance
SPIRE Server mints an X.509-SVID: a short-lived X.509 certificate with a SubjectAlternativeName of type URI set to the SPIFFE ID. The private key is generated by the SPIRE Agent and never leaves the node.
4. Resulting SPIFFE ID
spiffe://example.org/agent/task-runner-7f9b2

This URI unambiguously identifies the workload across all SPIFFE-aware infrastructure.
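The issuance in the steps above and the checks a relying party applies to the resulting SVID, as an added example that is not part of the draft or of SPIRE's own code: it builds an offline trust-domain CA in place of the SPIRE Server CA (no Workload API socket and no attestation), mints a one-hour X.509-SVID for the SPIFFE ID above, and verifies it the way a CB4A PDP or CDP would before trusting that identity. `IssueSVID`, `VerifySVID` and `must` are names chosen here; the CA and leaf are constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)
func must[T any](v T, err error) T { // fixture helper: a failure to issue is a bug here, so panic
	if err != nil {
		panic(err)
	}
	return v
}

// IssueSVID is a constructed, offline stand-in for SPIRE: a self-signed trust-domain CA signs a short-lived leaf
// whose only URI SAN is spiffeID. The leaf's private key is generated here and never returned, as on a SPIRE node.
func IssueSVID(spiffeID string, ttl time.Duration) (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(8760 * time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), URIs: []*url.URL{must(url.Parse(spiffeID))},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: now, NotAfter: now.Add(ttl)}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// VerifySVID is the check a CB4A PDP or CDP applies before trusting a presented SVID's SPIFFE ID.
func VerifySVID(leaf, ca *x509.Certificate, trustDomain string, maxTTL time.Duration) (string, error) {
	roots := x509.NewCertPool() // the trust-domain bundle; here only the constructed CA
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	// SPIFFE X.509-SVID profile: exactly one URI SAN, and it must be a SPIFFE ID inside our trust domain.
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain || leaf.URIs[0].Path == "" {
		return "", fmt.Errorf("leaf does not carry exactly one SPIFFE ID URI SAN for trust domain %s", trustDomain)
	}
	if ttl := leaf.NotAfter.Sub(leaf.NotBefore); ttl > maxTTL { // short-lived only (typically 1 hour, per the text)
		return "", fmt.Errorf("SVID lifetime %s exceeds policy maximum %s", ttl, maxTTL)
	}
	return leaf.URIs[0].String(), nil
}
```

A real PDP/CDP would load the trust-domain bundle fetched from the Workload API into the root pool instead of a single constructed CA.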

Signature Base String: Node Attestation: TPM/k8s-sat → Workload Attestation: process UID + cgroup → SVID issued

Signing Key: SPIRE Server CA (X.509)

Signature Output: spiffe://example.org/agent/task-runner-7f9b2