Application Identities

Each workload — application or agent — that talks to Catalyst carries an Application Identity (App ID). App IDs are the unit of access control: components, managed services, and MCP servers all express access in terms of App IDs.

Catalyst issues each App ID a SPIFFE-based, cryptographically verifiable identity — a short-lived X.509 SVID, automatically rotated — used by the data plane to mutually authenticate every call between workloads and to backing infrastructure, with no shared secrets. An application binds to its App ID using an API token at startup, but the SPIFFE identity is what secures runtime communication.
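As an added illustration (not Catalyst's own code), the sketch below shows how a receiving workload could turn the single URI SAN of an already-verified peer SVID into an App ID and an allow or deny decision. The trust domain `catalyst.example`, the `appid/<app-id>` path layout, and the function names are assumptions made for the example; certificate chain and expiry checks are assumed to have happened in the mTLS handshake.

```python
import re

TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]{1,255}")  # lowercase only
SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")

# Hypothetical values: the trust domain and SVID path layout are assumptions.
TRUST_DOMAIN = "catalyst.example"
APP_ID_PREFIX = "appid"


def parse_spiffe_id(uri):
    """Split a SPIFFE ID into (trust_domain, path_segments); raise ValueError if malformed."""
    if len(uri.encode()) > 2048 or not uri.startswith("spiffe://"):
        raise ValueError("not a SPIFFE ID")
    trust_domain, sep, path = uri[len("spiffe://"):].partition("/")
    if not TRUST_DOMAIN_RE.fullmatch(trust_domain):
        raise ValueError("bad trust domain")
    segments = path.split("/") if sep else []
    for seg in segments:
        # Empty segments (trailing or double slash) and dot segments are not allowed.
        if seg in (".", "..") or not SEGMENT_RE.fullmatch(seg):
            raise ValueError("bad path segment")
    return trust_domain, segments


def authorize(peer_uri_sans, allowed_app_ids):
    """Return the caller's App ID if it is allowed, otherwise None (deny by default)."""
    # An X.509-SVID carries exactly one URI SAN; anything else is rejected.
    if len(peer_uri_sans) != 1:
        return None
    try:
        trust_domain, segments = parse_spiffe_id(peer_uri_sans[0])
    except ValueError:
        return None
    if trust_domain != TRUST_DOMAIN or len(segments) != 2 or segments[0] != APP_ID_PREFIX:
        return None
    return segments[1] if segments[1] in allowed_app_ids else None


if __name__ == "__main__":
    allowed = {"orders-service"}  # constructed policy for one component
    for sans in (["spiffe://catalyst.example/appid/orders-service"],
                 ["spiffe://other.example/appid/orders-service"],
                 ["spiffe://catalyst.example/appid/orders-service/../admin"]):
        print(sans[0], "->", authorize(sans, allowed))
```

Matching on the exact trust domain and a fixed segment count, rather than a prefix or substring test, is what keeps a look-alike identity from another trust domain or a longer path from being treated as the same App ID.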

For day-2 operations on App IDs, see App IDs. For how App IDs bind to MCP authentication, see MCP authentication.