Best Practices
| Practice | Why it matters |
|---|---|
| Give minimal permissions | Only assign the scopes each agent actually needs — never use wildcard or admin scopes |
| Keep tokens short-lived | Set token expiry between 15 minutes and 1 hour to limit exposure |
| Separate roles by task | Use different roles for different jobs (e.g., a read-only agent vs a write agent) |
| Monitor usage | Review delegated token activity in Enterprise Features > Logs to spot unusual behavior |
| Rotate credentials | Regenerate client secrets on a schedule; SPIRE handles certificate rotation automatically |
Troubleshooting
| Error | What happened | How to fix it |
|---|---|---|
| insufficient_scope | The agent requested a permission it hasn't been granted | Check the client's allowed scopes and role bindings |
| invalid_client | The agent's credentials are wrong or its client entry is deactivated | Verify the client status in Administration > Clients |
| access_denied | The role binding is missing or has expired | Create or update the binding in Administration > RBAC > Role Bindings |
| Token missing spiffe_id | The SPIRE agent isn't deployed | Deploy the SPIRE agent |
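The following is an added example, not the product's own code, that turns the two tables above into a policy check you can run over a delegated token before an agent uses it: it rejects wildcard and admin scopes, enforces the 1 hour lifetime ceiling, requires a spiffe_id claim, and classifies failures with the same error names the troubleshooting table uses. The client registry, client names, scope strings, claim names (client_id, scope, iat, exp, spiffe_id) and the sample tokens are all constructed for this example; the ttl_policy and missing_spiffe_id labels are the example's own. Signature verification is deliberately left to the issuer's key and is not shown.

```python
import base64
import json
import time

# Constructed stand-in for Administration > Clients and Administration > RBAC >
# Role Bindings. Client names, field names and scope strings are assumptions
# made for this example, not the product's data model.
CLIENTS = {
    "reader-agent": {"active": True, "scopes": {"documents:read"}, "binding_active": True},
    "writer-agent": {"active": True, "scopes": {"documents:read", "documents:write"}, "binding_active": False},
    "retired-agent": {"active": False, "scopes": {"documents:read"}, "binding_active": True},
}

MAX_TTL_SECONDS = 60 * 60  # "keep tokens short-lived": enforce the 1 hour upper bound


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Build an unsigned JWT for the constructed samples. Real delegated tokens
    are signed; this helper only produces test input for check_token()."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims. Signature verification is deliberately
    out of scope here: verify against the issuer's key before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_token(token: str, now=None, require_spiffe_id=True) -> list:
    """Return (code, reason) findings. An empty list means the token satisfies
    the policy. Codes reuse the troubleshooting error names where they apply;
    ttl_policy and missing_spiffe_id are this example's own labels."""
    claims = decode_payload(token)
    now = time.time() if now is None else now
    findings = []

    client = CLIENTS.get(claims.get("client_id"))
    if client is None or not client["active"]:
        findings.append(("invalid_client", "client unknown or deactivated"))
        return findings  # nothing below is meaningful without a live client entry

    if not client["binding_active"]:
        findings.append(("access_denied", "role binding missing or expired"))

    # Minimal permissions: no wildcard/admin scopes, and only scopes granted to this client.
    for scope in sorted(claims.get("scope", "").split()):
        if scope in ("*", "admin") or scope.endswith(":*"):
            findings.append(("insufficient_scope", f"wildcard/admin scope {scope!r} is never granted"))
        elif scope not in client["scopes"]:
            findings.append(("insufficient_scope", f"scope {scope!r} not granted to this client"))

    # Short-lived tokens: lifetime at most 1 hour, and not already expired.
    ttl = claims.get("exp", 0) - claims.get("iat", 0)
    if ttl > MAX_TTL_SECONDS:
        findings.append(("ttl_policy", f"lifetime {ttl}s exceeds the 1 hour maximum"))
    if claims.get("exp", 0) <= now:
        findings.append(("ttl_policy", "token has already expired"))

    # Workload identity: a token without spiffe_id means the SPIRE agent is not in place.
    if require_spiffe_id and not claims.get("spiffe_id"):
        findings.append(("missing_spiffe_id", "no spiffe_id claim: is the SPIRE agent deployed?"))

    return findings


def finding_codes(token: str, now=None) -> list:
    """Just the error codes, in the order check_token() reports them."""
    return [code for code, _ in check_token(token, now=now)]


NOW = 1_700_000_000  # fixed clock so the constructed samples are reproducible

GOOD_TOKEN = make_token({
    "client_id": "reader-agent", "scope": "documents:read",
    "iat": NOW, "exp": NOW + 30 * 60,
    "spiffe_id": "spiffe://example.org/agent/reader",  # constructed identity
})

OVERPRIVILEGED_TOKEN = make_token({
    "client_id": "writer-agent", "scope": "documents:write admin",
    "iat": NOW, "exp": NOW + 2 * 60 * 60,
})

RETIRED_TOKEN = make_token({
    "client_id": "retired-agent", "scope": "documents:read",
    "iat": NOW, "exp": NOW + 30 * 60,
})

if __name__ == "__main__":
    for name, token in [("good", GOOD_TOKEN), ("overprivileged", OVERPRIVILEGED_TOKEN), ("retired", RETIRED_TOKEN)]:
        print(name, check_token(token, now=NOW) or "OK")
```

The check stops at invalid_client because a deactivated or unknown client has no scopes or bindings worth evaluating; every other finding is accumulated so one review surfaces all violations at once, which is what you want when auditing the activity seen in Enterprise Features > Logs.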
Next Steps
- Authorization Steps — Step-by-step guide for setting up authorization between agents
- RBAC Configuration — Set up roles, permissions, and scopes