
CONCEPT Cited by 1 source

Discharge token

A discharge token is the companion Macaroon that satisfies a third-party caveat. The permissions Macaroon says "valid only if accompanied by a discharge from authority X"; the discharge token is authority X's attestation, cryptographically bound to the caveat, that the required condition holds.

At Fly.io

Fly.io's login flow produces a discharge that attests "this caller is an authenticated user in such-and-such organization"; the main Fly.io Macaroon contains a third-party caveat pointing at the auth service; together they authorize operations. (Source: sources/2025-03-27-flyio-operationalizing-macaroons.)

Properties

  • Short-lived. Discharges typically have expirations; that's how Fly.io bounds session lifetime without changing the permissions token.
  • Bindable further. Like any Macaroon, the discharge can be attenuated by its holder before use.
  • Separable. Service tokens can be engineered to not require a discharge (via the third-party-caveat-strip API): the caveat can be removed by tkdb once the original discharge has been presented.
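To make the caveat/discharge relationship above concrete, here is an added example (not Fly.io's code and not from the cited source) of the Macaroon construction in stdlib Python: a permissions token carrying a third-party caveat, authority X's discharge with an expiry, the binding step, and a verifier that walks the HMAC chain and rejects a missing, unbound or expired discharge. The keys, identifiers, predicate strings (`action=read`, `user-in-org=`), the SHAKE-based stream cipher and the binding formula are this example's own simplifications.

```python
import hashlib, hmac, secrets, time

def _mac(key, msg): return hmac.new(key, msg, hashlib.sha256).digest()
def _ks(key, nonce, n): return hashlib.shake_256(key + nonce).digest(n)  # keystream
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _enc(key, data):  # nonce || data XOR keystream; stands in for the paper's symmetric cipher
    nonce = secrets.token_bytes(16); return nonce + _xor(data, _ks(key, nonce, len(data)))
def _dec(key, blob): return _xor(blob[16:], _ks(key, blob[:16], len(blob) - 16))

class Macaroon:
    def __init__(self, root_key, ident):
        self.ident, self.caveats, self.sig = ident, [], _mac(root_key, ident)
    def add_first_party(self, predicate):
        self.caveats.append((predicate, None)); self.sig = _mac(self.sig, predicate)
    def add_third_party(self, authority_key, predicate):
        ck = secrets.token_bytes(32); vid = _enc(self.sig, ck)  # ck recoverable only by walking the chain
        cid = _enc(authority_key, ck + predicate)               # ck and predicate readable only by authority X
        self.caveats.append((cid, vid)); self.sig = _mac(self.sig, vid + cid)
    def bind(self, discharge):  # tie the discharge to this exact token so it cannot be replayed with another
        discharge.sig = _mac(self.sig, discharge.sig)

def issue_discharge(authority_key, cid, now, ttl):  # run by authority X (the auth service)
    plain = _dec(authority_key, cid); ck, predicate = plain[:32], plain[32:]
    assert predicate.startswith(b"user-in-org="), "hypothetical: authority X attests org membership only"
    d = Macaroon(ck, cid)  # the discharge is itself a macaroon, rooted in ck and identified by the caveat
    d.add_first_party(b"expires=%d" % (now + ttl)); return d  # short-lived: bounds the session, token untouched
def _holds(pred, now):  # predicates this demo understands; anything unknown fails closed
    return now < int(pred[8:]) if pred.startswith(b"expires=") else pred == b"action=read"

def verify(root_key, m, discharges, now):
    sig, pending = _mac(root_key, m.ident), []
    for cid, vid in m.caveats:
        if vid is None:  # first-party caveat: check it and extend the chain
            if not _holds(cid, now): return False
            sig = _mac(sig, cid); continue
        if (d := discharges.get(cid)) is None or d.ident != cid: return False
        dsig = _mac(_dec(sig, vid), cid)  # recover ck from vid, then replay the discharge's own chain
        for pred, dvid in d.caveats:  # discharges in this demo carry first-party caveats only
            if dvid is not None or not _holds(pred, now): return False
            dsig = _mac(dsig, pred)
        pending.append((d, dsig)); sig = _mac(sig, vid + cid)
    # binding is checked against the permissions token's final signature, so it runs after the walk
    return hmac.compare_digest(sig, m.sig) and all(hmac.compare_digest(_mac(sig, s), d.sig) for d, s in pending)

def demo():  # constructed keys and token; returns the verifier's verdict for four situations
    now, root, auth_key = int(time.time()), secrets.token_bytes(32), secrets.token_bytes(32)
    m = Macaroon(root, b"app:demo-app"); m.add_first_party(b"action=read")
    m.add_third_party(auth_key, b"user-in-org=demo-org")  # "valid only with a discharge from the auth service"
    cid = m.caveats[-1][0]; unbound = issue_discharge(auth_key, cid, now, 600)
    bound = issue_discharge(auth_key, cid, now, 600); m.bind(bound)
    return {"no_discharge": verify(root, m, {}, now), "unbound": verify(root, m, {cid: unbound}, now),
            "bound": verify(root, m, {cid: bound}, now), "expired": verify(root, m, {cid: bound}, now + 601)}
```

Note that the verifier never sees the caveat key directly: it is recovered from `vid` only by someone who can recompute the signature chain, which is what lets the discharge be issued by a party that never held the root key.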

Seen in
