Workload authentication simplified
Without secrets to protect or public keys to distribute
Kliento brings service accounts to the Internet
Think AWS roles, Azure managed identities, Kubernetes service accounts and GCP service accounts, but for the entire Internet.
[Diagram labels: api@prod.customer.app, wordpress@company.blog, api.customer.com, customer.app, repo@org.github.io]
Kliento credentials are self-contained
Kliento is powered by VeraId, a DNSSEC-based protocol that attributes digital signatures to domain names.
Kliento token bundles are short-lived VeraId signatures, which contain the entire trust chain, so no public keys need to be configured or retrieved.
Server-side verification
Servers verify token bundles locally, without accessing remote servers or configuring trusted public keys.
Upon successful verification, your server obtains the subjectId of the client (e.g. staging@customer.app) and any claims present. You decide what claims are supported and how they're used.
Client integration
The easiest way to integrate Kliento is to obtain pre-configured token bundles from VeraId Authority by leveraging your existing workflow identity (e.g. GCP service account, GitHub workflow).
Token bundles remain valid for up to an hour and can be used multiple times.
As an alternative to using your workflow identity and VeraId Authority, you could generate such bundles locally with your own private keys.
Alternatives
| Features | Kliento | API keys | JWTs | SPIFFE |
|---|---|---|---|---|
| No long-lived secrets | ||||
| No public key distribution | ||||
| Open, vendor-neutral protocol | ||||
| Open source implementations | ||||
Copyright 2022-2025 by Relaycorp.