Biscuit

Biscuit is a capabilities-based, decentralized authorization token leveraging public key cryptography and Datalog for policy enforcement.

Biscuit is a modern cryptographic token designed for distributed authorization in microservices architectures. Unlike traditional tokens, it allows for decentralized validation (any node verifies with a public key) and offline delegation (attenuation), meaning a token holder can create a new, restricted token without contacting the issuer. The core authorization logic is defined using Datalog, a logic programming language, which is embedded directly in the token. This design eliminates the need for a central authorization server query on every request, significantly reducing network traffic and latency while providing granular, flexible rights management via verifiable attenuation blocks.

https://biscuitsec.org/