Skip to content


Switch branches/tags

go-spiffe (v2)

This library is a convenient Go library for working with SPIFFE.

It leverages the SPIFFE Workload API, providing high level functionality that includes:

  • Establishing mutually authenticated TLS (mTLS) between workloads powered by SPIFFE.
  • Obtaining and validating X509-SVIDs and JWT-SVIDs.
  • Federating trust between trust domains using SPIFFE bundles.
  • Bundle management.


See the Go Package documentation.

Quick Start


  1. Running SPIRE or another SPIFFE Workload API implementation.
  2. SPIFFE_ENDPOINT_SOCKET environment variable set to address of the Workload API (e.g. unix:///tmp/agent.sock). Alternatively the socket address can be provided programatically.

To create an mTLS server:

listener, err := spiffetls.Listen(ctx, "tcp", "", tlsconfig.AuthorizeAny())

To dial an mTLS server:

conn, err := spiffetls.Dial(ctx, "tcp", "", tlsconfig.AuthorizeAny())

The client and server obtain X509-SVIDs and X.509 bundles from the SPIFFE Workload API. The X509-SVIDs are presented by each peer and authenticated against the X.509 bundles. Both sides continue to be updated with X509-SVIDs and X.509 bundles streamed from the Workload API (e.g. secret rotation).


The examples directory contains rich examples for a variety of circumstances.