Welcome to the world of decentralized verification with Biscuit tokens. Tokens are signed with public-key cryptography, so any application that holds the public key can verify a token locally, without contacting the issuer.
With Biscuit tokens, offline attenuation is possible. If you hold a valid token, you can derive a new one with fewer rights, such as restricting it to read access or adding an expiration date, without contacting the issuer and without access to the root private key. Attenuation can only add restrictions; it can never widen the rights the original token granted.
Authorization policies in Biscuit are written in a logic language, Datalog. These policies can be provided by the verifying application or transported inside the token itself as checks added through attenuation.
Capabilities or access control lists: Biscuit authorization is naturally capability-based, since the token itself carries the rights tailored to the holder and the request, but verifier-side ACLs can also be expressed as Datalog facts and rules.
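The following is an added example, not code from the Biscuit site or project; the user name, file names and dates are made up for illustration. It shows the three pieces above in Biscuit's Datalog: an authority block minted by the issuer with the root key, an attenuation block the holder appends offline to make the token read-only and time-limited, and the verifier-side facts, ACL rule and policies the application supplies when it authorizes a request.

```datalog
// Block 0 (authority), written by the issuer and signed with the root private key.
// These facts are the capability the token carries.
user("alice");
right("file1", "read");
right("file1", "write");
right("file2", "read");

// Block 1 (attenuation), appended offline by whoever holds the token.
// A block can only add checks; it cannot add rights the authority did not grant.
// Every check must succeed or authorization fails, whatever the policies say.
check if operation("read");
check if time($now), $now < 2025-06-01T00:00:00Z;

// Authorizer (verifier side), supplied by the application for this request.
// Facts describing the request being authorized (constructed sample values):
time(2025-05-10T12:00:00Z);
resource("file1");
operation("read");

// ACL-style data held by the verifier rather than transported in the token:
// a table of per-user grants, joined with the user() fact from the authority block.
acl("alice", "file3", "read");
right($res, $op) <- user($u), acl($u, $res, $op);

// Policies are tried in order; the first one that matches decides.
allow if resource($res), operation($op), right($res, $op);
deny if true;
```

With the request facts as written, the token is accepted: `right("file1", "read")` comes from the authority block and both checks in block 1 hold. Changing the request to `operation("write")` is refused by the first check in block 1 even though the authority granted write access to `file1`, and a request at or after 2025-06-01 fails the expiry check. The verifier's ACL rule can add rights at authorization time (here, read access to `file3`), but it cannot override a failing check carried by the token.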
Revocation of Biscuit tokens is straightforward: every block of a token carries a unique revocation identifier derived from its signature. Because an attenuated token keeps all the blocks of the token it was derived from, rejecting one block's identifier rejects that token and every token attenuated from it. The verifier only needs a list of revoked identifiers to check against.
Not only is Biscuit powerful, it is also portable. It is implemented in various languages, including Rust, Haskell, Go, Java, WebAssembly, and C. All a new implementation needs is a Protobuf code generator and an Ed25519 signature implementation. The specification also comes with a list of predefined test cases for checking interoperability.
