Authenticate Services Across Clusters

When your services span multiple Kubernetes clusters, you need strong auth without manual cert management. Generate short-lived federated tokens with one command.

How to Authenticate Services Across Clusters

When a service — or an AI agent — needs to call into another cluster, you need an answer to one question: how does the receiving side verify the caller is who they claim to be, without you wiring up cross-cluster certificates by hand?

MicroStax solves this with federated tokens: short-lived JWTs scoped to a specific target cluster, signed by the platform identity layer.

[!NOTE] The platform signs every token with a hybrid scheme — a classical signature for compatibility today, plus a post-quantum signature so the same token stays verifiable as cryptographic standards evolve. You don't have to think about it; the verification step is the same.

Generating a token

The fastest way to generate an ad-hoc token for testing or local scripting is via the VS Code interface or the MicroStax CLI.

Option A: VS Code Command Palette

  1. Press Cmd/Ctrl + Shift + P.
  2. Run MicroStax: Federate Identity Token...
  3. Select the target Environment or Cluster from the menu.
  4. The token is copied to your clipboard.

Option B: The CLI

Verify your current identity, then mint a token scoped to a target cluster:

# Verify the identity attached to your current session
microstax identity verify <your-current-token>

# Generate a federated token for a target cluster
microstax identity federate --service default --target stx-eu-west-cluster

Using the token

Inject the JWT into the Authorization: Bearer <token> header on outbound requests. That's it on the caller side.

[!IMPORTANT] Short-lived by design. Federated tokens expire quickly. For long-running service-to-service traffic, use the MicroStax Identity Controller to handle rotation automatically inside your mesh.
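A caller-side pre-flight check for the two properties described above (short lifetime, scoping to one target cluster), as an added example that is not MicroStax code. It assumes the token carries the standard JWT claims exp and aud (RFC 7519), which this page does not confirm, and it does not verify the signature, which remains the receiving side's job. The helper names and the sample token are constructed for illustration.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def bearer_headers(token, target, now=None, min_ttl=30):
    """Return the Authorization header, or raise if the token should not be sent.

    Sanity check only: claim names `exp` and `aud` are assumptions (RFC 7519),
    and the receiving cluster must still verify the signature itself.
    """
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric exp claim")
    if exp - now < min_ttl:
        raise ValueError("token expired or about to expire; mint a new one")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if target not in audiences:
        raise ValueError(f"token is not scoped to {target!r}")
    return {"Authorization": f"Bearer {token}"}


def make_sample_token(aud, exp):
    """Constructed, unsigned sample token for the demo (not a real token)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'typ': 'JWT'})}.{b64({'aud': aud, 'exp': exp})}.sig"


if __name__ == "__main__":
    tok = make_sample_token("stx-eu-west-cluster", int(time.time()) + 300)
    print(bearer_headers(tok, "stx-eu-west-cluster"))
```

A failed check here means the token should be re-minted for the right target rather than sent; passing it says nothing about whether the signature is valid.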
