What is a SPIFFE Bundle?
Trust anchors for workload identity
A SPIFFE bundle is a JWKS (JSON Web Key Set) document that carries the trust anchors—typically X.509 CA certificates—for a trust domain. Workloads use those anchors to verify the identity of other workloads in the same trust domain or, through federation, in other trust domains.
Why do bundle endpoints matter?
Bundle endpoints allow trust domains to share their trust anchors over HTTPS, enabling federation between independent SPIRE deployments. This is especially important in large organizations where multiple teams or environments each run their own SPIRE server and need to establish cross-domain trust without manual certificate exchange.
Why validate your bundle endpoint?
A misconfigured bundle endpoint can silently break federation. Validation catches common problems before they cause outages:
- Expiring or already-expired CA certificates in the bundle
- Missing metadata such as spiffe_refresh_hint or spiffe_sequence_number
- TLS misconfigurations that prevent other SPIRE servers from fetching the bundle
- Malformed JWKS that won't parse on the consuming side
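The first, second and fourth of those checks can be run offline against a bundle you have already fetched. The Go program below is an added example, not code from this page or from the SPIRE project: ValidateBundle and MakeBundle are names chosen here, MakeBundle wraps a freshly generated Ed25519 self-signed CA as constructed test input, and the TLS check is out of scope because it needs the live endpoint.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/json"
	"math/big"
	"time"
)

// ValidateBundle checks a fetched SPIFFE bundle (a JWKS document) offline and returns one finding per problem.
func ValidateBundle(raw []byte, now time.Time, warnWithin time.Duration) (out []string) {
	var b struct {
		Keys []struct{ Use string; X5c [][]byte } // encoding/json matches "keys", "use" and "x5c" case-insensitively and base64-decodes x5c
		Hint json.RawMessage `json:"spiffe_refresh_hint"`
		Seq  json.RawMessage `json:"spiffe_sequence_number"`
	}
	if err := json.Unmarshal(raw, &b); err != nil || len(b.Keys) == 0 {
		return []string{"malformed JWKS or empty keys array"}
	}
	for f, v := range map[string]json.RawMessage{"spiffe_refresh_hint": b.Hint, "spiffe_sequence_number": b.Seq} {
		if v == nil { // optional in the format, but federation peers use them to schedule and order refreshes
			out = append(out, "missing "+f)
		}
	}
	for _, k := range b.Keys {
		for _, der := range k.X5c { // each x5c element is one DER certificate
			switch cert, err := x509.ParseCertificate(der); {
			case k.Use != "x509-svid": // jwt-svid entries carry JWT signing keys, not trust anchors
			case err != nil:
				out = append(out, "x5c entry is not a DER certificate: "+err.Error())
			case now.After(cert.NotAfter):
				out = append(out, "CA expired at "+cert.NotAfter.Format(time.RFC3339))
			case cert.NotAfter.Sub(now) < warnWithin:
				out = append(out, "CA expires within "+warnWithin.String()+"; rotate it before peers stop trusting it")
			}
		}
	}
	return out
}

// MakeBundle wraps a freshly generated self-signed CA in a bundle: constructed test input, not a real trust domain.
func MakeBundle(notAfter time.Time, doc map[string]any) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-24 * time.Hour), NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	doc["keys"] = []map[string]any{{"kty": "OKP", "use": "x509-svid", "x5c": [][]byte{der}}} // [][]byte marshals as base64 strings
	return json.Marshal(doc)
}
```

Point ValidateBundle at the JSON a peer actually receives from your endpoint; whether that peer can complete the TLS handshake is a separate check against the live server.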
Ready to check your endpoint?
Validate a Bundle Endpoint