Watch SatGate Mint exchange a workload identity token for a capability-bearing macaroon. No secrets to manage. No tokens to rotate. The identity is the credential.
Mock IdP issues an RS256-signed JWT (like K8s, AWS, or Okta would)
Verifies JWT via JWKS → matches policy → mints capability token
The macaroon passes gateway verification. Agent can now call tools.
FAQ
The demo shows an AI agent exchanging workload identity for a scoped macaroon capability token with budget, expiry, policy, and verification data.
Capability tokens let teams give agents narrow, revocable, budget-aware API authority instead of broad static API keys.
Macaroon caveats let delegated agent credentials become more constrained by route, budget, expiry, call count, and delegation policy while preserving cryptographic verification.
SatGate Mint exchanges workload identity for scoped, expiring, budget-aware capability tokens instead of handing agents broad static API keys that must be manually rotated.
A minted agent credential should include workload identity, tenant, agent, task or workflow, route scope, budget caveats, expiry, delegation limits, audit fields, and revocation policy.
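How caveats can narrow a delegated credential while it stays verifiable, as an added example that is not SatGate's code or token format: it uses the generic HMAC-chained macaroon construction. The caveat names (`route`, `expires`, `max_budget`), the `key = value` encoding, the request fields and the root key are assumptions made for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str, caveats=()) -> dict:
    """Issuer: sig = HMAC(root_key, identifier), then fold in each caveat."""
    token = {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}
    for caveat in caveats:
        token = attenuate(token, caveat)
    return token

def attenuate(token: dict, caveat: str) -> dict:
    """Holder: no root key needed. New sig = HMAC(old sig, caveat)."""
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat)}

def caveat_holds(caveat: str, req: dict) -> bool:
    """Check one 'key = value' caveat (hypothetical format) against a request."""
    key, _, value = caveat.partition(" = ")
    try:
        if key == "route":
            return req["route"] == value or req["route"].startswith(value + "/")
        if key == "expires":
            return req["now"] < int(value)
        if key == "max_budget":
            return req["spent"] + req["cost"] <= int(value)
    except (KeyError, ValueError):
        pass
    return False  # unknown or malformed caveat: fail closed

def verify(root_key: bytes, token: dict, req: dict) -> bool:
    """Gateway: recompute the HMAC chain, then require every caveat to hold."""
    sig = _mac(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = _mac(sig, caveat)
    return (hmac.compare_digest(sig, token["sig"])
            and all(caveat_holds(c, req) for c in token["caveats"]))

# Constructed sample values, not real SatGate data.
ROOT_KEY = b"constructed-demo-root-key"
parent = mint(ROOT_KEY, "agent:research-agent",
              ["route = /tools", "expires = 2000", "max_budget = 100"])
child = attenuate(parent, "route = /tools/search")  # delegated, narrower
```

Because each signature is keyed by the previous one, a holder can append caveats but cannot remove one: dropping the last caveat from `child` leaves a signature that no longer matches the recomputed chain.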
1. Get an identity token:
curl -X POST https://satgate-mock-idp.fly.dev/token \
-H "Content-Type: application/json" \
-d '{"preset":"research-agent"}'
2. Exchange for a macaroon:
curl -X POST https://cloud.satgate.io/api/mint/exchange \
-H "Content-Type: application/json" \
-d '{"credentials":"<paste-jwt-here>"}'
3. Verify the macaroon:
curl -X POST https://cloud.satgate.io/api/mint/verify \
-H "Authorization: Bearer <paste-macaroon-here>"
Mock IdP: satgate-mock-idp.fly.dev · Presets: /presets · OIDC: /.well-known/openid-configuration