# Biscuit authentication token
[![Join the chat at https://gitter.im/CleverCloud/biscuit](https://badges.gitter.im/CleverCloud/biscuit.svg)](https://gitter.im/CleverCloud/biscuit?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)

<img src="https://raw.githubusercontent.com/CleverCloud/biscuit/master/assets/brown.png" width="300">

*logo by [Mathias Adam](http://www.madgraphism.com/)*

Biscuit is an authentication token (in development) for microservices
architectures with the following properties:
- distributed authorization: any node can validate the token using only public
  information;
- offline delegation: the holder of a token can create a new, valid token from it
  by attenuating its rights, without communicating with anyone;
- capabilities based: authorization in microservices should be tied to rights
  related to the request, instead of relying on an identity that might not make
  sense to the verifier;
- flexible rights management: the token uses a logic language to specify attenuation
  and add bounds on ambient data;
- small enough to fit anywhere (cookies, etc.).

Non-goals:
- This is not a new authentication protocol. Biscuit tokens can be used as
opaque tokens delivered by other systems such as OAuth.
- Revocation: while tokens come with expiration dates, revocation requires
  external state management.

You can follow the next steps on the [roadmap](https://github.com/CleverCloud/biscuit/issues/12).

How to help us?

- provide use cases that we can test the token on (some specific kinds of caveats, auth delegation, etc.)
- cryptographic design audit: we need to decide on a cryptographic scheme that will be strong enough
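
The "distributed authorization" and "offline delegation" properties listed above can be illustrated with a chain of Ed25519 signatures. This is an added example, not Biscuit's code or its cryptographic scheme (which this README says is still undecided); the path-prefix caveat and the names `Block`, `Token`, `NewRoot`, `Append` and `Verify` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

type Block struct {
	Prefix string            // caveat: request path must start with this (stand-in for the logic language)
	Next   ed25519.PublicKey // public key allowed to sign the following block
	Sig    []byte            // previous key's signature over Prefix and Next
}
type Token struct {
	Blocks []Block
	Proof  ed25519.PrivateKey // private key matching the last block's Next
}

func NewRoot() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Append adds a caveat signed with key: the root key to issue, t.Proof to attenuate offline.
func Append(t Token, key ed25519.PrivateKey, prefix string) Token {
	pub, priv := NewRoot()
	b := Block{prefix, pub, ed25519.Sign(key, append([]byte(prefix), pub...))}
	return Token{append(t.Blocks[:len(t.Blocks):len(t.Blocks)], b), priv}
}

// Verify needs only the root public key; every block's caveat must hold.
func Verify(root ed25519.PublicKey, t Token, path string) bool {
	key, msg := root, []byte(path)
	for _, b := range t.Blocks {
		if !strings.HasPrefix(path, b.Prefix) || len(b.Next) != ed25519.PublicKeySize ||
			!ed25519.Verify(key, append([]byte(b.Prefix), b.Next...), b.Sig) {
			return false
		}
		key = b.Next
	}
	// Proof of possession of the last key: a chain with blocks stripped fails here.
	return len(t.Proof) == ed25519.PrivateKeySize && ed25519.Verify(key, msg, ed25519.Sign(t.Proof, msg))
}

func main() {
	root, rootKey := NewRoot()
	tok := Append(Token{}, rootKey, "/files/") // issued; the holder narrows it below without the issuer
	fmt.Println(Verify(root, tok, "/files/bob/x"), Verify(root, Append(tok, tok.Proof, "/files/al/"), "/files/bob/x"))
}
```

The holder of the narrowed token never sees the earlier private key, so it can add caveats but cannot remove the one it was given.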