Other languages
Basil speaks gRPC, so any language with gRPC tooling can drive it, and any stack with a JWT library can verify Basil-minted tokens. A dedicated Python client is roadmap; in the meantime the two patterns below cover every language.
Call the broker over gRPC
Generate a client from the protobufs and dial the broker's Unix socket:
- the SPIFFE Workload API protobufs for identity (X.509/JWT SVIDs), or
- Basil's own broker protos for secrets and crypto (
sign/encrypt/mint/ …).
The connection is a plain Unix-socket gRPC channel. The socket plus SO_PEERCRED is the security
boundary, so no client TLS certificate is involved. Run the client process under the identity you
want Basil to evaluate, because authorization resolves kernel-attested uid/gid evidence to a policy
subject and a client cannot impersonate.
For bridged transports, do not invent a parallel auth scheme. Use the
sealed invocation COSE fixture and canonical bytes. Rust helpers are
implemented, including protected Sign response verification/decryption and broker-backed
UnsealCose opening. The Go sealedinvocation package
(github.com/openbasil/basil-go/sealedinvocation) is also implemented: its BuildRequest and
OpenResponse build and open sealed COSE invocation messages broker-free, matching the checked
fixtures. The NATS bridge itself only couriers raw tagged COSE bytes
unchanged; it does not build or open them.
Every SPIFFE Workload API RPC must carry the metadata header workload.spiffe.io: true, or it fails
closed with InvalidArgument. The Go client page shows the metadata pattern; the
equivalent exists in every gRPC binding.
Verify Basil JWT-SVIDs anywhere
If you only need to verify tokens (a gateway, an application framework, a jsonwebtoken-style
library), you don't need gRPC or SPIFFE at all. Point your verifier at Basil's opt-in
JWKS / OIDC-discovery surface:
- (Optional) discover the issuer at
/.well-known/openid-configurationto learnjwks_uri. - Fetch the JWKS at
/jwks.json. - Select the key by the token's
kid. - Verify the RS256, ES256, or ES384 signature and the
audyou minted for. - Do not assert
issagainst the discovery issuer: a Basil JWT-SVID'sissis its SPIFFE id.
This works with the standard JWKS-aware verifier in essentially any ecosystem (Node, Python, Java, Go, .NET, …).
No source changes at all
For a service you can't modify, the spiffe-helper sidecar materializes the X.509-SVID, its private key, and the trust bundle as PEM files and keeps them fresh: a standard, maintained tool that solves rotation for you.
Where to go next
- JWKS HTTP surface: endpoints, rotation, and a worked verification example.
- Sealed invocations: transport-neutral COSE profile and fixture contract.
- Go client: a concrete instance of the gRPC and OIDC patterns above.
- Integration patterns: choosing native, sidecar, or pre-fetch.