Spire Agent — Customer Integration Guide
Deploy the Spire Agent on your infrastructure to give your workloads cryptographic identities (SPIFFE SVIDs) for mTLS and JWT-based authorization.
How It Works
```
┌─────────────────────────────────────────────────────────────┐
│  Your Infrastructure (K8s / Docker / VM)                    │
│                                                             │
│   ┌──────────────┐  Unix Socket   ┌──────────────────────┐  │
│   │  Your App    │◄──────────────►│  Spire Agent         │  │
│   │  + SDK       │  gRPC Workload │  (1 per node/host)   │  │
│   └──────────────┘  API           └──────────┬───────────┘  │
│                                              │              │
└──────────────────────────────────────────────┼──────────────┘
                                               │ HTTPS (outbound only)
                                               ▼
                                      ┌──────────────────┐
                                      │  Spire Server    │
                                      │  AuthSec Cloud   │
                                      └──────────────────┘
```
Your workloads never talk to the Spire Server directly. The SDK talks to the agent over a local Unix socket; the agent handles all communication.
What You Need
| From AuthSec | You Provide |
|---|---|
| Tenant ID (UUID) | Infrastructure (Kubernetes v1.24+, Docker, or Linux VM) |
| Cluster name (optional, for multi-cluster K8s) | Outbound HTTPS to prod.api.authsec.ai:443 |
| Agent container image (public registry) | |
Network Requirements
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Spire Agent | prod.api.authsec.ai | 443 | HTTPS | Attestation, SVID issuance, renewal |
| Spire Agent (K8s only) | Kubernetes API server | 443 | HTTPS | TokenReview, pod metadata |
No inbound ports required. The agent initiates all connections outbound.
Next Steps
- Deploy the Spire Agent — Install the agent on your infrastructure
- Register Workload Entries — Register your services as clients
- Integrate the SDK — Add SPIFFE identity to your workloads
- Reference — SDK API, certificate rotation, and selector reference