Open-source trust for APIs and machine identity

Verify who is calling what, replace long-lived shared secrets with short-lived credentials, and keep an evidence-grade audit trail for every critical action.

Get started View on GitHub

License Apache-2.0

Repository trustplane-dev/trustplane-auth

Core Capabilities

Prove every request

Bind identity and authorization to the request itself, not just to a static key.

Keep credentials short-lived

Issue scoped, temporary credentials after verification instead of passing around long-lived secrets.

Enforce at the boundary

Apply controls where requests enter provider systems, gateways, or service edges.

Audit decisions, not just outcomes

Keep verifiable records of what was approved, verified, issued, denied, and why.

Quickstart in minutes

Clone the repo, build the CLI, and issue your first verified passport.

Read the Wiki →

bash

git clone https://github.com/trustplane-dev/trustplane-auth.git
cd trustplane-auth

# Build the CLI
make build

# Issue a sample passport
./bin/trustplane issue \
  --subject spiffe://example.local/ns/default/sa/demo \
  --audience example-api \
  --trust-domain example.local

Built in public

Track releases, read the roadmap, open an issue, or pick up a good-first issue. If trust is the product, the project itself should be inspectable.

Issues

Contributing