Want to get rid of OAuth client secrets? SPIFFE holds the key.
Want to know how? That is what the new OAuth SPIFFE Client Authentication draft spells out.
Want to dig into it with us? Come to the Identiverse 2026 session where Nancy Cam-Winget from Cisco and I will walk through what the draft does and why we think it matters.
Why This Matters
Cloud-native services, automated workloads, and AI agents are driving an explosion of non-human identities. Yet many of them still depend on long-lived OAuth client secrets.
That’s a problem.
Secrets have to be issued, distributed, stored, rotated, and recovered when something inevitably goes wrong. They create operational overhead and unnecessary risk.
The OAuth SPIFFE Client Authentication draft takes a different approach. Instead of authenticating OAuth clients with shared secrets, it allows workloads to use the SPIFFE credentials they already have.
No separate client secret. No secret distribution problem. No secret rotation problem.
Want the Details?
We’re not inventing a new protocol. We’re building on existing OAuth standards and showing how SPIFFE identities can be used for OAuth client authentication across modern environments.
If you’re interested in OAuth, SPIFFE, workload identity, or securing AI agents, join us on June 16 at 2 PM in Mandalay Bay 1 for:
We’ll cover the motivation behind the draft, how it works, and where we think this can take OAuth next.
See you at Identiverse!