Skip to content

Adoption & Ecosystem

Who uses it

The project's ADOPTERS.md lists these end users with noted contributions (ADOPTERS.md:7-19): Anthem, Bloomberg, ByteDance, Duke Energy, GitHub, Netflix, Niantic, Pinterest, Square, Twilio, Uber, Unity Technologies, and Z Lab Corporation. The CNCF graduation announcement separately named Anthem, GitHub, Netflix, Niantic, Pinterest, and Uber as production end users.

The table below lists adopters that have a public case study or talk.

OrganisationUse caseSource
AWSmTLS with SPIFFE/SPIRE in App Mesh on EKSAWS blog
AnthemZero trust framework using SPIFFE and SPIREupshotstories
AnthropicSPIRE-issued JWT-SVID plus the SPIRE OIDC Discovery Provider authenticate workloads to the Claude APIAnthropic docs
BloombergTPM-based node attestationtalk
UberIntegration with the workload schedulertalk
SquaremTLS identities for hybrid infrastructure and LambdaSquare blog

Adoption signals

Measured from gh api repos/spiffe/spire on 2026-06-23:

  • GitHub stars: 2,407; forks: 623; watchers: 79.
  • Contributors: 222 (last page number from repos/spiffe/spire/contributors?per_page=1).
  • Repository created 2017-08-11; latest release v1.15.1 on 2026-05-28.

SPIRE is a CNCF Graduated project, which required a Cure53 third-party security audit and a CNCF TAG Security review (CNCF announcement).

Ecosystem

Integrations and adjacent tools listed in ADOPTERS.md:41-67: Envoy (SVID delivery over SDS), Istio, Linkerd, Consul, Dapr, cert-manager's csi-driver-spiffe, Sigstore Fulcio, Tekton Chains, HashiCorp Vault, Traefik, Tornjak (a management UI for SPIRE), and the go-spiffe library. The SPIRE OIDC Discovery Provider exposes JWT-SVIDs as OIDC tokens so external systems such as cloud IAM can consume them.

Alternatives

SPIRE's distinguishing traits are pluggable multi-stage attestation (node plus workload), both X509-SVID and JWT-SVID, cross-trust-domain federation, secretless bootstrap, and vendor-neutral SPIFFE compliance.

AlternativeDiffers by
Istio Citadel / istiodUses SPIFFE IDs but runs its own CA scoped to the mesh; SPIRE is mesh-independent and spans VMs, bare metal, and Lambda
HashiCorp Vault PKIGeneral secret store and PKI with no attestation of who may request a key; attestation is SPIRE's core
AWS IAM Roles Anywhere / GCP Workload IdentityScoped to a single cloud; SPIRE unifies multi-cloud and on-prem under one trust domain with federation
Teleport Machine ID / cert-manager aloneIssue certificates but do not implement the SPIFFE SVID, Workload API, and federation standards