PATTERN Cited by 1 source
Attenuate on use
Pattern
Before every API operation, narrow the token's privileges to the minimum the operation requires — by appending caveats client-side — and transmit only the narrowed token. The original broader token stays private to the caller; the network only ever sees least-privilege tokens.
This leverages Macaroons' distinguishing feature: offline attenuation. Thanks to the chained-HMAC construction, any holder can append a new caveat (reducing privilege) without contacting the authority — so this is a pure client-side transformation.
Fly.io's framing
"Macaroon tokens are bearer tokens (like JWTs) that use a cute chained-HMAC construction that allows an end-user to take any existing token they have and scope it down, all on their own. You can minimize your token before every API operation so that you're only ever transmitting the least amount of privilege needed for what you're actually doing, even if the token you were issued was an admin token." (Source: sources/2025-03-27-flyio-operationalizing-macaroons.)
What the caller gains
- Blast-radius reduction. A token captured mid-flight has only the privileges of that specific request, not the caller's full authority.
- Auditability. Each transmitted token encodes the operation it was meant for; the audit trail automatically carries operation-granularity intent.
- Zero authority round-trip. Attenuation is a client-side HMAC — no network cost.
When callers actually do it
Fly.io's honest admission: "users don't really take advantage of token features" — the attenuate-on-use discipline lands much harder on infrastructure-side callers (Fly.io internal services) than on human users. The value in the wild is weighted toward the internal-client side.
Two high-value use-cases Fly.io describes:
- Service-token binding: flyd receives a token from tkdb's strip API and attenuates it to a specific Fly Machine before handing it to a workload.
- API client libraries: minimize tokens before each call to reduce the damage window of a token leak.
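The following is an added illustration, not code from Fly.io or from any Macaroon library, of the chained-HMAC mechanism described in the Pattern section and of the service-token binding use-case above. It builds a minimal toy Macaroon: the authority mints a token with a secret root key, any holder can append a caveat client-side (the new signature is HMAC over the previous one, so the broader token cannot be recovered from the narrowed one), and the authority verifies by recomputing the chain. The caveat language (`key = value` predicates matched against a request context), the identifier `org:acme`, the machine names and the root key are all constructed for the example.

```python
import hmac
import hashlib


def _chain(key: bytes, msg: str) -> bytes:
    # One link of the chained-HMAC construction: the previous signature
    # becomes the key for the next link.
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str) -> dict:
    """Issuer side: the authority mints a token from its secret root key.
    A token with no caveats carries the holder's full authority."""
    return {"id": identifier, "caveats": [], "sig": _chain(root_key, identifier)}


def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: append a caveat without contacting the authority.
    The old signature is consumed as the HMAC key and not kept, so the
    narrowed token cannot be widened back to the original."""
    return {
        "id": token["id"],
        "caveats": token["caveats"] + [caveat],
        "sig": _chain(token["sig"], caveat),
    }


def verify(root_key: bytes, token: dict, request: dict) -> bool:
    """Authority side: recompute the chain from the root key, then check every
    caveat against the request context. Caveats here are constructed
    `key = value` predicates; real libraries use richer caveat languages."""
    sig = _chain(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = _chain(sig, caveat)
    if not hmac.compare_digest(sig, token["sig"]):
        return False  # caveats were stripped, altered or reordered
    for caveat in token["caveats"]:
        key, _, value = caveat.partition(" = ")
        if request.get(key.strip()) != value.strip():
            return False  # a caveat predicate does not hold for this request
    return True


def demo() -> dict:
    """Attenuate-on-use: the caller holds an admin token but only ever sends
    a token narrowed to the single operation it is about to perform."""
    root_key = b"constructed-root-key-held-only-by-the-authority"
    admin = mint(root_key, "org:acme")  # issued token; never leaves the caller

    # Before a read on machine m-123, narrow to exactly that (service-token
    # binding to one machine, then to one action).
    on_wire = attenuate(attenuate(admin, "machine = m-123"), "action = read")

    # An interceptor tries to widen the captured token by dropping a caveat.
    stripped = {"id": on_wire["id"], "caveats": on_wire["caveats"][:1], "sig": on_wire["sig"]}

    return {
        "narrowed_ok_for_intended_op": verify(root_key, on_wire, {"machine": "m-123", "action": "read"}),
        "captured_cannot_delete": verify(root_key, on_wire, {"machine": "m-123", "action": "delete"}),
        "captured_cannot_touch_other_machine": verify(root_key, on_wire, {"machine": "m-999", "action": "read"}),
        "stripping_caveats_breaks_signature": verify(root_key, stripped, {"machine": "m-123", "action": "delete"}),
        "admin_token_kept_private_still_works": verify(root_key, admin, {"machine": "m-999", "action": "delete"}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that attenuation never touches the network: `attenuate` is a single HMAC computed by the holder, which is what makes the per-request narrowing free. The verifier only needs the root key and the transmitted token; the caller's broader token stays offline, so a token captured in transit is bounded to the one machine and action the caller intended.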
Contrast: JWT use
JWTs don't allow attenuation without re-issuance from the signer. Callers must either transmit the full-privilege token every time, or re-request scoped tokens from the issuer — incurring round-trips. Attenuate-on-use is uniquely natural for Macaroon-like chained-HMAC constructions.
Seen in
- sources/2025-03-27-flyio-operationalizing-macaroons — canonical wiki instance; primary-use pitch for Macaroons plus the service-token binding variant.