Client libraries overview

Everything talks to Basil the same way: gRPC over a local Unix socket, with the kernel attesting who's calling. There's no bearer token and no network endpoint by default. The socket is the security boundary. On each connection Basil reads the peer's kernel-attested uid/gid (the credentials of the connecting process, as reported by the kernel rather than by anything the client sends) and resolves them to a policy subject before authorizing the call. A client cannot impersonate anyone because it never presents an identity of its own: run it under the uid/gid you want Basil to evaluate. The corollary is that the socket's filesystem permissions decide who can connect at all, and any process running as a bound uid/gid gets that subject's permissions, so keep those identities narrow.
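How that peer-credential step looks in practice, as an added example in Go (not code from basil-go or the broker): it asks the kernel for the peer's credentials on a connected AF_UNIX socket with SO_PEERCRED (Linux), resolves the uid/gid against a hypothetical binding table, and applies a hypothetical allow-list policy. The subject name "payments-api", the bindings and the policy are invented for the example; a socketpair stands in for an accepted client connection so the program runs without a broker.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// Subject is the policy identity the broker evaluates. It is derived only from
// kernel-supplied peer credentials, never from anything the client sends.
type Subject struct {
	Name string
	UID  uint32
	GID  uint32
}

// Bindings map attested identities to subject names (hypothetical config shape).
// A uid match wins, a gid match is the fallback, and no match is a denial.
type Bindings struct {
	ByUID map[uint32]string
	ByGID map[uint32]string
}

// PeerCredentials asks the kernel who holds the other end of a connected
// AF_UNIX stream socket (SO_PEERCRED, Linux). The client cannot forge these.
func PeerCredentials(fd int) (*syscall.Ucred, error) {
	return syscall.GetsockoptUcred(fd, syscall.SOL_SOCKET, syscall.SO_PEERCRED)
}

// ResolveSubject turns uid/gid evidence into a subject and fails closed when
// neither is bound. Ucred also carries a pid, but pids are reused, so it is
// reported for logging and never used as a basis for authorization.
func ResolveSubject(cred *syscall.Ucred, b Bindings) (Subject, error) {
	if name, ok := b.ByUID[cred.Uid]; ok {
		return Subject{Name: name, UID: cred.Uid, GID: cred.Gid}, nil
	}
	if name, ok := b.ByGID[cred.Gid]; ok {
		return Subject{Name: name, UID: cred.Uid, GID: cred.Gid}, nil
	}
	return Subject{}, fmt.Errorf("uid %d / gid %d is not a bound policy subject", cred.Uid, cred.Gid)
}

// Authorize is an allow-list check: each subject names the operations it may call.
func Authorize(s Subject, op string, policy map[string][]string) bool {
	for _, allowed := range policy[s.Name] {
		if allowed == op {
			return true
		}
	}
	return false
}

// AttestSelf builds a socketpair so both ends belong to this process, then reads
// the peer credentials of one end. It is the same call a broker makes on an
// accepted connection, exercised here without a running broker.
func AttestSelf() (*syscall.Ucred, error) {
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		return nil, err
	}
	defer syscall.Close(fds[0])
	defer syscall.Close(fds[1])
	return PeerCredentials(fds[0])
}

func main() {
	cred, err := AttestSelf()
	if err != nil {
		fmt.Println("peer credential lookup failed:", err)
		return
	}
	// Hypothetical bindings and policy: this process's own uid is "payments-api".
	b := Bindings{ByUID: map[uint32]string{cred.Uid: "payments-api"}}
	policy := map[string][]string{"payments-api": {"sign", "get"}}
	s, err := ResolveSubject(cred, b)
	if err != nil {
		fmt.Println("denied:", err)
		return
	}
	fmt.Printf("peer pid=%d uid=%d gid=%d (os.Getuid()=%d) -> subject %q\n", cred.Pid, s.UID, s.GID, os.Getuid(), s.Name)
	fmt.Println("sign:", Authorize(s, "sign", policy), "rotate:", Authorize(s, "rotate", policy))
}
```

The pid that comes back with SO_PEERCRED is printed because the kernel supplies it, but it is not authorization evidence: pids are reused, so anything that wants to key policy on a process needs a stronger handle than the number. Unknown identities fail closed rather than falling back to a default subject, which is the behaviour you want from a broker whose only boundary is the socket.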

The two APIs

| API                 | What it does |
|---------------------|--------------|
| Broker API          | Secrets and crypto: sign/verify/encrypt/decrypt/get/set/rotate/list/mint/issue-cert, plus admin (status/health/ready/reload/explain/revoke). |
| SPIFFE Workload API | Issues X.509-SVID and JWT-SVID identity documents over the same socket, on the standard SPIFFE contract. |

How to talk to Basil today

| Client             | Status      | How |
|--------------------|-------------|-----|
| Rust               | implemented | The basil crate: async Client and sync BlockingClient. SPIFFE via the upstream spiffe (rust-spiffe) crate. |
| Go                 | implemented | The github.com/openbasil/basil-go module: broker client, SPIFFE helpers, and streaming encryption. |
| Other languages    | via gRPC    | Any language with gRPC tooling can generate a client from the protobufs and call the broker over the socket. |
| No source changes  | via sidecar | The spiffe-helper sidecar materializes an mTLS identity for a service you can't recompile. |
| Sealed invocations | implemented | Opt-in COSE profile with protected Rust Sign responses and bridged-transport fixtures. |
| NATS bridge        | implemented | Separate basil-nats-bridge courier binary for raw COSE request/reply over NATS. |
📝 Verifying Basil-minted JWTs without SPIFFE

A plain verifier (a gateway, an app framework, a jsonwebtoken-style library) can validate a Basil-minted JWT-SVID off the opt-in JWKS / OIDC-discovery surface. No SPIFFE plumbing needed. Fetch the JWKS, pick the key by kid, verify the RS256/ES256/ES384 signature, and check aud. Two details matter for a plain verifier: pin the accepted algorithms to that set on your side instead of trusting the token's alg header, and check exp as well as aud (both are mandatory JWT-SVID claims). An unknown kid means re-fetch the JWKS once and then reject; it never means falling back to another key.
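A verifier of that shape, as an added example in Go that is not Basil's or basil-go's code: it pins the algorithm to ES256, selects the JWKS key by kid with no fallback, verifies the raw r||s ECDSA signature over header.payload, and only then checks exp and aud. RS256 and ES384 follow the same pattern with a different key type and hash and are left out for brevity. The key, the kid "k1", the SPIFFE ID spiffe://example.org/payments and the audience "api-gateway" are constructed test data; MintTestToken and JWKSFor stand in for Basil's minting and JWKS endpoint so the example runs offline, and they say nothing about how Basil implements either.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims are the JWT-SVID claims a verifier must check (encoding/json matches
// the lowercase names case-insensitively).
type Claims struct {
	Sub string
	Aud any // RFC 7519 allows either a single string or an array of strings
	Exp int64
}

// VerifyJWTSVID checks a compact JWT against a JWKS: alg is pinned before any key is
// touched, the key is chosen by kid with no fallback, the signature is verified over
// header.payload, and only then are exp and aud read from the payload.
func VerifyJWTSVID(token string, jwksJSON []byte, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".") // never empty, so parts[0] is safe below
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("not a well-formed compact JWS")
	}
	if hdr.Alg != "ES256" { // rejects "none", HS256 key confusion, RS256 against an EC key
		return nil, fmt.Errorf("alg %q not permitted", hdr.Alg)
	}
	var set struct{ Keys []map[string]string }
	if json.Unmarshal(jwksJSON, &set) != nil {
		return nil, fmt.Errorf("malformed JWKS")
	}
	var pub *ecdsa.PublicKey
	for _, k := range set.Keys {
		x, errX := b64.DecodeString(k["x"])
		y, errY := b64.DecodeString(k["y"])
		if k["kid"] != hdr.Kid || k["kty"] != "EC" || k["crv"] != "P-256" || errX != nil || errY != nil || len(x) != 32 || len(y) != 32 {
			continue
		}
		pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable P-256 key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2]) // ES256 signatures are raw r||s, 32 bytes each
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature malformed or invalid")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired or missing exp")
	}
	auds, _ := c.Aud.([]any)
	if one, ok := c.Aud.(string); ok {
		auds = []any{one}
	}
	for _, a := range auds {
		if a == audience {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("audience %q not in aud", audience)
}

// NewTestKey, MintTestToken and JWKSFor stand in for Basil's minting and JWKS endpoint (constructed data only).
func NewTestKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func MintTestToken(priv *ecdsa.PrivateKey, kid, alg string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	return signing + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

func JWKSFor(pub *ecdsa.PublicKey, kid string) []byte {
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "EC", "crv": "P-256", "kid": kid, "x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))), "y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}}})
	return out
}

func main() {
	priv := NewTestKey()
	tok := MintTestToken(priv, "k1", "ES256", map[string]any{"sub": "spiffe://example.org/payments", "aud": []string{"api-gateway"}, "exp": time.Now().Add(5 * time.Minute).Unix()})
	fmt.Println(VerifyJWTSVID(tok, JWKSFor(&priv.PublicKey, "k1"), "api-gateway", time.Now()))
}
```

Pinning alg on the verifier side is what defeats alg=none and key-confusion tokens: the header is only used to select among keys you already trust, never to decide how to verify. In production the JWKS comes from the discovery endpoint and is cached, with one refresh on an unknown kid; a kid that is still unknown after the refresh is a rejection, not a reason to try another key.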

Where to go next