
Workload authentication simplified

Without secrets to protect or public keys to distribute

Kliento brings service accounts to the Internet

Think AWS roles, Azure managed identities, Kubernetes service accounts and GCP service accounts, but for the entire Internet.


Kliento credentials are self-contained

Kliento is powered by VeraId, a DNSSEC-based protocol that attributes digital signatures to domain names.

Kliento token bundles are short-lived VeraId signatures, which contain the entire trust chain, so no public keys need to be configured or retrieved.

Server-side verification

Servers verify token bundles locally, without accessing remote servers or configuring trusted public keys.

JavaScript servers can use @veraid/kliento. For example, an HTTP server would verify token bundles as follows:

import { TokenBundle } from '@veraid/kliento';

// Replace with a unique identifier for your server
const AUDIENCE = 'https://api.example.com';

// Verify "Authorization: Kliento <token-bundle>" request header
async function verifyTokenBundle(authHeaderValue: string) {
    const tokenBundle = TokenBundle.deserialiseFromAuthHeader(authHeaderValue);
    return await tokenBundle.verify(AUDIENCE);
}

Upon successful verification, your server obtains the subjectId of the client (e.g. staging@customer.app) and any claims present. You decide what claims are supported and how they're used.
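An added example (not code from the Kliento project) of the policy layer a server still needs once TokenBundle.verify() succeeds: a verified subjectId says who the caller is, not what it may do. It assumes verification yields an object with subjectId and claims, as described above, and takes the verifier as a parameter so the policy can be exercised without a real bundle; the POLICY table is constructed.

```typescript
// Added example (not part of @veraid/kliento): an authorisation layer around
// TokenBundle.verify(). Assumption: verification yields { subjectId, claims },
// as the text describes; the verifier is injected so the policy runs offline.
export interface VerifiedClient {
  subjectId: string;                 // e.g. "staging@customer.app"
  claims: Record<string, string>;    // advisory until your policy checks them
}
export type BundleVerifier = (bundle: string, audience: string) => Promise<VerifiedClient>;
export interface Decision { status: 200 | 401 | 403; reason: string; subjectId?: string }

// "Authorization: Kliento <base64 token bundle>"; auth-scheme is case-insensitive (RFC 9110)
const KLIENTO_HEADER = /^Kliento\s+([A-Za-z0-9+/=]+)$/i;

export function parseKlientoHeader(value: string | undefined): string | null {
  if (!value) return null;
  return KLIENTO_HEADER.exec(value.trim())?.[1] ?? null;
}

// Constructed policy: allowlisted subjects, their scopes and any claims they must carry.
// A valid signature only proves who the caller is; this table decides what they may do.
type Rule = { scopes: string[]; requiredClaims?: Record<string, string> };
export const POLICY: Record<string, Rule> = {
  'staging@customer.app': { scopes: ['read'] },
  'queue@prod.example.com': { scopes: ['read', 'write'], requiredClaims: { env: 'prod' } },
};

export async function authorise(
  authHeader: string | undefined, requiredScope: string, audience: string, verify: BundleVerifier,
): Promise<Decision> {
  const bundle = parseKlientoHeader(authHeader);
  if (bundle === null) return { status: 401, reason: 'missing or malformed Kliento header' };
  let client: VerifiedClient;
  try {
    // In production: TokenBundle.deserialiseFromAuthHeader(authHeader).verify(audience)
    client = await verify(bundle, audience);
  } catch (err) {
    return { status: 401, reason: `token bundle rejected: ${(err as Error).message}` };
  }
  const rule = POLICY[client.subjectId];
  if (!rule) return { status: 403, reason: 'subject not allowlisted', subjectId: client.subjectId };
  for (const [name, expected] of Object.entries(rule.requiredClaims ?? {})) {
    if (client.claims[name] !== expected) {
      return { status: 403, reason: `claim ${name} missing or wrong`, subjectId: client.subjectId };
    }
  }
  if (!rule.scopes.includes(requiredScope)) {
    return { status: 403, reason: `scope ${requiredScope} not granted`, subjectId: client.subjectId };
  }
  return { status: 200, reason: 'ok', subjectId: client.subjectId };
}
```

Failures before verification (no header, wrong scheme, rejected bundle, wrong audience) are 401s; failures after a successful verification (unknown subject, missing claim, insufficient scope) are 403s, which keeps the two kinds of rejection distinguishable in logs.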

Client integration

The easiest way to integrate Kliento is to obtain pre-configured token bundles from VeraId Authority by leveraging your existing workflow identity (e.g. GCP service account, GitHub workflow).

JS clients can use @veraid/authority-credentials to automate the provisioning of token bundles. For example, the authFetch() function below shows how to use this library to make authenticated requests.

import { initExchangerFromEnv } from '@veraid/authority-credentials';

// Replace with the actual URL for exchanging credentials
const EXCHANGE_ENDPOINT = new URL('https://veraid-authority.example/creds/123');

// Replace 'GITHUB' with the exchanger you want
const exchanger = initExchangerFromEnv('GITHUB');

// Make requests that use the Kliento token bundle
export async function authFetch(request: Request) {
  const { credential: tokenBundle } = await exchanger.exchange(EXCHANGE_ENDPOINT);
  // Copy the request's own headers so they are not dropped, then add the bundle
  const headers = new Headers(request.headers);
  headers.set('Authorization', `Kliento ${tokenBundle.toString('base64')}`);
  return fetch(request, { headers });
}

Token bundles remain valid for up to an hour and can be used multiple times.

As an alternative to using your workflow identity and VeraId Authority, you could generate such bundles locally with your own private keys.

Example workflow identities and the corresponding Kliento identities:

your-org/your-repo → your-repo@your-company.com
k8s-api-service-account → api@staging.example.com
/subscriptions/.../userAssignedIdentities/backend → your-company.com
queue@123.iam.gserviceaccount.com → queue@prod.example.com
arn:aws:iam::12345:role/wordpress → blog@example.com
your-org/your-repo → repo@example.com
acme-api.vercel.app → api@acme.com

Alternatives

Feature comparison: Kliento vs API keys vs JWTs vs SPIFFE

No long-lived secrets
No public key distribution
Open, vendor-neutral protocol
Open source implementations

Try it yourself!

Run Kliento with your own domain name on your own computer.

Try Kliento locally