The stable version of the specification is at SPECIFICATIONS.md. The currently in development version is on the dev branch.
See https://www.biscuitsec.org/docs/why-biscuit/.
Biscuit tokens can be created, attenuated, inspected and authorized from your browser: https://www.biscuitsec.org/docs/tooling/
You can follow the next steps on the roadmap.
Current status:
- the credentials language, cryptographic primitives and serialization format are done
- we have implementations for biscuits v2 in
- Rust
- Web Assembly (based on the Rust version)
- Python (based on the Rust version)
- Haskell
- we have implementations for biscuits v1 in
- a website with documentation and an interactive playground is live at https://biscuitsec.org
- Currently deploying to real world use cases such as Apache Pulsar at Clever Cloud
- looking for an audit of the token's design, cryptographic primitives and implementations
- provide use cases that we can test the token on (some specific kind of checks, auth delegation, etc)
- cryptographic design audit: we need reviews of algorithms, their usage and implementation in various languages
- add support for biscuit v2 to java and go implementations
SPECIFICATIONS.mdis the description of Biscuit, its format and behaviourbiscuit-web-key/is a specification for publishing biscuit public keysDESIGN.mdholds the initial ideas about what Biscuit should beexperimentations/holds initial code examples for the crypographic schemes and caveat language.code/biscuit-poc/contains an experimental version of Biscuit, built to explore API issues
Licensed under Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
logo by Mathias Adam
originally created at Clever Cloud
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be licensed as above, without any additional terms or conditions.