Skill

service-to-service-mtls

Enforces SPIFFE/SPIRE plus mTLS for service-to-service authentication. Use when designing, building, or reviewing authentication between services, workloads, or machines in AI systems.

security

authentication

npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills

Popularity

Stars

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/prodsec-skills:service-to-service-mtls

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

For service-to-service communication, the recommendation is to use SPIFFE/SPIRE+mTLS. This applies to all service-to-service scenarios including agent-to-agent and agent-to-MCP-server communications.

SKILL.md

69 lines · ~695 tokens

Similar Skills

agent-to-agent-auth

Enforces SPIFFE/SPIRE plus mTLS for authenticating agent-to-agent communication. Use when designing or reviewing multi-agent system security.

prodsec-skills

Mutual TLS Design

Guides Mutual TLS (mTLS) design for authenticating services in microservices, zero trust networks, and service meshes. Covers internal CAs, short-lived certs, SPIFFE.

1 file

harness-claude

mtls-configuration

38.2k

Configures mutual TLS (mTLS) for zero-trust service-to-service communication using Istio PeerAuthentication and DestinationRules. Use for securing services, certificate management, and TLS debugging.

antigravity-awesome-skills

Stats

LanguagePython

Stars28

Forks2

MaintenanceExcellent

Last CommitMay 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

SPIFFE/SPIRE + mTLS for Service-to-Service Authentication

Security Requirement

For service-to-service communication, the recommendation is to use SPIFFE/SPIRE+mTLS. This applies to all service-to-service scenarios including agent-to-agent and agent-to-MCP-server communications.

What SPIFFE/SPIRE Provides

Workload identity: SPIFFE (Secure Production Identity Framework for Everyone) provides a standard for identifying workloads via SPIFFE IDs
Credential issuance: SPIRE (SPIFFE Runtime Environment) automatically issues and rotates X.509 certificates (SVIDs) for workloads
No credential exchange over network: SPIRE handles attestation locally, eliminating the need to transmit credentials
Mutual authentication: Both parties in a connection verify each other's identity via mTLS

SPIFFE ID Format

spiffe://<trust-domain>/<workload-path>

Examples:

spiffe://example.com/inference-engine/prod
spiffe://example.com/mcp-server/tools-api
spiffe://example.com/agent/data-analyst

SPIFFE ID Extraction

At the application level, extract the SPIFFE ID from the TLS certificate to authenticate and authorize the service:

from cryptography import x509

def extract_spiffe_id(peer_certificate):
    cert = x509.load_der_x509_certificate(peer_certificate)
    for ext in cert.extensions:
        if ext.oid == x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME:
            san = ext.value
            for uri in san.get_values_for_type(x509.UniformResourceIdentifier):
                if uri.startswith("spiffe://"):
                    return uri
    return None

Service Mesh Integration

Service meshes (e.g., Istio/Envoy) may extract the SPIFFE ID automatically and expose it as:

x-forwarded-client-cert headers
RBAC principals in authorization policies

This can simplify application-level integration.

Implementation Checklist

Deploy SPIRE server in the infrastructure
Deploy SPIRE agents on each node/host running services
Register each service as a workload entry with a unique SPIFFE ID
Configure services to obtain SVIDs from the local SPIRE agent
Implement mTLS for all service-to-service connections
Extract SPIFFE ID from peer certificates for authorization decisions
Define authorization policies based on SPIFFE IDs
Monitor SVID rotation and certificate health
If using a service mesh, configure it to extract and propagate SPIFFE IDs

service-to-service-mtls

Popularity

Invocation

Context Preview

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

service-to-service-mtls

Popularity

Invocation

Context Preview

SKILL.md

SPIFFE/SPIRE + mTLS for Service-to-Service Authentication

Security Requirement

What SPIFFE/SPIRE Provides

SPIFFE ID Format

SPIFFE ID Extraction

Service Mesh Integration

Implementation Checklist

Similar Skills

Help us improve

SPIFFE/SPIRE + mTLS for Service-to-Service Authentication

Security Requirement

What SPIFFE/SPIRE Provides

SPIFFE ID Format

SPIFFE ID Extraction

Service Mesh Integration

Implementation Checklist