Everything You Need for Token-Based Security
From key management to token forging, from verification to attenuation — a complete toolkit for production-grade Biscuit token infrastructure.
Create and manage cryptographic keypairs for signing, attenuating and verifying Biscuit tokens. The foundation of your token security infrastructure.
Validate incoming Biscuit tokens against defined rules and policies. Ensure only properly authorized requests reach your services.
Generate tokens from configurable templates with facts, rules and checks. Define once, forge consistently across your entire infrastructure.
Reduce token capabilities to grant only minimal required permissions. Fine-grained scope control for every API route.
Implement Role-Based Access Control using Biscuit tokens. Structured, flexible access mechanisms for secure role-based user management.
Integrate external data sources to enhance authorization decisions. Dynamic, context-aware access control powered by real-time data.
OAuth2 client_credentials flow with Biscuit tokens as access tokens. Standards-compliant authentication for machine-to-machine communication.
Extract user identity from Biscuit tokens and forward it to backend services. Seamless user identification without additional auth mechanisms.
Expose your public keys through .well-known/biscuit-web-keys endpoints. Enable third-party token verification with standard discovery.
Why Otoroshi Biscuit Studio?
Not just another auth layer. A complete Biscuit token management platform built for teams that take API security seriously.
Leverage a battle-tested, cloud-native API gateway. Get mTLS, service mesh, plugins, and admin UI out of the box. Your token security inherits enterprise-grade infrastructure.
Powered by Eclipse Biscuit tokens — cutting-edge cryptographic authorization combining public-key signatures with a logic-based policy language. Offline verification, no central authority needed.
Delegate permissions across organizational boundaries while maintaining strict policy control. Each delegation layer can only restrict, never expand — security by design.
Run on your infrastructure, keep your data where it belongs. Fully open source under Apache 2.0. Funded by the French Government under the France 2030 plan.
7 Otoroshi Plugins, Ready to Deploy
Drop-in plugins for your Otoroshi routes. Add Biscuit token security to any API endpoint in minutes, no code changes required.
Built for Real-World Security Scenarios
From startups to enterprises, secure your APIs with confidence.
Centralize token-based access control across all your API routes with cryptographic proof.
Go beyond simple API keys with policy-based, attenuated permissions for every endpoint.
Verify every request with offline cryptographic proof and auditable, embedded policies.
Delegate and attenuate permissions across service boundaries with compact, efficient tokens.
Ready to Secure Your APIs with Biscuit Tokens?
Get started in minutes. Open source, free forever.
This project was funded by the French Government under the France 2030 plan, operated by Cap Digital and Bpifrance, and is supported by the European Union – NextGenerationEU.
