spiffe · srikalyan · Dec 26, 2025
@@ -64,6 +64,15 @@ message Entry {
 
     // When the entry was created (seconds since Unix epoch).
     int64 created_at = 15;
+
+    // Default JWT-SVID audience policy for audiences not explicitly configured.
+    // If unset (DEFAULT), maintains backwards compatible behavior (no JTI, caching enabled).
+    JWTSVIDAudiencePolicy jwt_svid_default_audience_policy = 16;
+
+    // Per-audience JWT-SVID policy overrides.
+    // Key is the audience string, value is the policy for that audience.
+    // Audiences not in this map use jwt_svid_default_audience_policy.
+    map<string, JWTSVIDAudiencePolicy> jwt_svid_audience_policies = 17;
 }
 
 // Field mask for Entry fields
@@ -109,4 +118,23 @@ message EntryMask {
 
     // created_at field mask
     bool created_at = 15;
+
+    // jwt_svid_default_audience_policy field mask
+    bool jwt_svid_default_audience_policy = 16;
+
+    // jwt_svid_audience_policies field mask
+    bool jwt_svid_audience_policies = 17;
+}
+
+// Policy for JWT-SVID behavior per audience.
+// Controls whether JTI claims are included and whether agent-side caching is used.
+enum JWTSVIDAudiencePolicy {
+    // Default behavior: no JTI claim, caching enabled. Backwards compatible.
+    JWT_SVID_AUDIENCE_POLICY_DEFAULT = 0;
+    // Auditable: JTI claim included for audit trails, caching still enabled.
+    // Verifiers can optionally enforce replay protection.
+    JWT_SVID_AUDIENCE_POLICY_AUDITABLE = 1;
+    // Unique: JTI claim included, caching disabled. Each request gets a fresh token.
+    // Use for strict replay protection requirements.
+    JWT_SVID_AUDIENCE_POLICY_UNIQUE = 2;
 }