Watch SatGate Mint exchange a workload identity token for a capability-bearing macaroon. No secrets to manage. No tokens to rotate. The identity is the credential.
Mock IdP issues an RS256-signed JWT (like K8s, AWS, or Okta would)
Verifies JWT via JWKS → matches policy → mints capability token
The macaroon passes gateway verification. Agent can now call tools.
1. Get an identity token:
curl -X POST https://satgate-mock-idp.fly.dev/token \
-H "Content-Type: application/json" \
-d '{"preset":"research-agent"}'2. Exchange for a macaroon:
curl -X POST https://cloud.satgate.io/api/mint/exchange \
-H "Content-Type: application/json" \
-d '{"credentials":"<paste-jwt-here>"}'3. Verify the macaroon:
curl -X POST https://cloud.satgate.io/api/mint/verify \ -H "Authorization: Bearer <paste-macaroon-here>"
Mock IdP: satgate-mock-idp.fly.dev · Presets: /presets · OIDC: /.well-known/openid-configuration