superfly/macaroon

github.com/superfly/macaroon is Fly.io's open-source Go Macaroon implementation. It's the library underneath Fly.io's internal token infrastructure (tkdb and Pet Sematary) and is the reference implementation for the Fly.io Macaroon architecture described on their blog.

"Most of the code is open source" (github.com/superfly/macaroon) (Source: sources/2025-03-27-flyio-operationalizing-macaroons)

Scope

From the macaroon-thought.md design doc (linked from the source post), the library covers:

  • Token mint / verify primitives around the chained-HMAC construction.
  • Caveat plug-in interface: "they have a user-serviceable plug-in interface." Users define their own caveat types in Go; the library handles encoding, chaining, and evaluation.
  • Third-party caveat support (concepts/third-party-caveat) — for off-box authorization checks and the discharge-token flow.
  • Offline attenuation (concepts/attenuation-offline) — adding caveats does not require contacting the authority, so it can happen on the caller at any point before transmission.
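
The chained-HMAC construction and offline attenuation listed above, as an added sketch that is not superfly/macaroon's API or wire format. `Token`, `Mint`, `Attenuate`, `Verify`, the string caveats, and the choice of HMAC-SHA256 are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Token is a toy macaroon: nonce, ordered caveats, and the current chain tail.
type Token struct {
	Nonce, Tail []byte
	Caveats     []string
}

func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// Mint is the only step that needs the root key: tail = HMAC(root, nonce).
func Mint(root, nonce []byte) Token {
	return Token{Nonce: nonce, Tail: mac(root, nonce)}
}

// Attenuate needs no key: the old tail is the HMAC key for the new caveat.
func Attenuate(t Token, caveat string) Token {
	cs := append(append([]string{}, t.Caveats...), caveat)
	return Token{Nonce: t.Nonce, Caveats: cs, Tail: mac(t.Tail, []byte(caveat))}
}

// Verify replays the chain from the root key and evaluates every caveat.
func Verify(root []byte, t Token, check func(string) bool) bool {
	tail, ok := mac(root, t.Nonce), true
	for _, c := range t.Caveats {
		tail = mac(tail, []byte(c))
		ok = ok && check(c)
	}
	// A removed, reordered or altered caveat yields a different tail.
	return ok && hmac.Equal(tail, t.Tail)
}

func main() {
	root := []byte("constructed-root-key") // constructed sample key
	t := Attenuate(Mint(root, []byte("nonce-1")), "app=demo")
	allow := func(c string) bool { return c == "app=demo" }
	stripped := Token{Nonce: t.Nonce, Tail: t.Tail} // caveat dropped, tail kept
	fmt.Println(Verify(root, t, allow), Verify(root, stripped, allow))
}
```

A holder can append caveats freely, but each one must still pass evaluation at the verifier, so attenuation can only narrow what the token permits.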

Why it's wiki-tracked

The library is reachable from a Fly.io blog post, but more importantly it's the substrate behind two wiki-tracked services (tkdb and petsem) and is the concrete shape behind the Macaroon-related concepts the wiki extracts from the Fly.io corpus. Having a single system page lets those concepts link to the real implementation rather than hand-waving "a macaroon library."

Seen in
