Biscuit authorization

Biscuit is an authorization token with decentralized verification, offline attenuation and security policy enforcement based on a logic language (Datalog).


Open source under the Apache-2.0 License, with a public specification.

Decentralized verification

Biscuit tokens are signed with public key cryptography: any application that knows the issuer's public key can verify a token on its own, without calling back to the issuer.

Offline attenuation

If you hold a valid token, you can derive a new one with fewer rights, for example restricting it to read access or adding an expiration date, without contacting the issuer or any other service.

Datalog policies

Authorization policies are written in a logic language (Datalog). They can be provided by the application at verification time, or carried inside the token, where each attenuation appends its own checks.

Capabilities or Access control lists

Biscuit is naturally suited to capability-based authorization: the token carries rights tailored to the request. But you can also keep access control lists on the verifier side and express them as Datalog facts and rules.
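To make the Datalog side concrete, the following is an added example and not Biscuit's own implementation: a minimal Datalog evaluator in Go (facts, rules run to a fixpoint, and checks), used to authorize one request three ways. The authority block grants alice read and write on file1 (capability style), an attenuation block keeps only read, and the authorizer supplies the request's ambient facts plus an owner-based ACL written as a Datalog rule. Simplifications are assumptions of this example: there is no parser (atoms are built with A(...)), constants are plain strings, and attenuation blocks carry checks only. Real Biscuit lets attenuation blocks add facts and rules but scopes them so they cannot satisfy the authorizer's checks; this model gets the same effect by construction. Every name here (Atom, Rule, Policy, World, Authorize, SampleAuthority, ReadOnly, Authorizer) belongs to the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Atom is a predicate applied to terms; a term starting with '$' is a variable,
// anything else a constant (strings keep their quotes so output reads like Datalog).
type Atom struct {
	Pred string
	Args []string
}

// Rule derives Head whenever every atom of Body matches known facts. Policy is the
// Datalog content of one block (authority, attenuation or authorizer); a check passes
// when its body has at least one solution. World is the set of known facts.
type Rule struct{ Head Atom; Body []Atom }
type Policy struct{ Facts []Atom; Rules []Rule; Checks [][]Atom }
type World map[string]Atom

func A(pred string, args ...string) Atom { return Atom{pred, args} }
func (a Atom) String() string            { return a.Pred + "(" + strings.Join(a.Args, ", ") + ")" }
func isVar(t string) bool                { return strings.HasPrefix(t, "$") }
func (w World) add(a Atom) (isNew bool)  { _, seen := w[a.String()]; w[a.String()] = a; return !seen }

// subst replaces the variables of a that are bound in b, copying rather than mutating a.
func subst(a Atom, b map[string]string) Atom {
	out := Atom{a.Pred, append([]string{}, a.Args...)}
	for i, t := range out.Args {
		if v, ok := b[t]; ok { out.Args[i] = v }
	}
	return out
}

// unify matches pattern against fact under binding b and returns the extended
// binding, or nil when a constant or an already-bound variable disagrees.
func unify(pattern, fact Atom, b map[string]string) map[string]string {
	if pattern.Pred != fact.Pred || len(pattern.Args) != len(fact.Args) { return nil }
	nb := map[string]string{}
	for k, v := range b { nb[k] = v }
	for i, t := range pattern.Args {
		if v, bound := nb[t]; bound { t = v } // an already-bound variable acts as a constant
		if isVar(t) { nb[t] = fact.Args[i] } else if t != fact.Args[i] { return nil }
	}
	return nb
}

// solve returns every binding under which all atoms of body are facts in w.
func (w World) solve(body []Atom, b map[string]string) (out []map[string]string) {
	if len(body) == 0 { return []map[string]string{b} }
	for _, f := range w {
		if nb := unify(body[0], f, b); nb != nil { out = append(out, w.solve(body[1:], nb)...) }
	}
	return out
}

// run applies rules until no new fact appears (the Datalog fixpoint).
func (w World) run(rules []Rule) {
	for changed := true; changed; {
		changed = false
		for _, r := range rules {
			for _, b := range w.solve(r.Body, nil) { changed = w.add(subst(r.Head, b)) || changed }
		}
	}
}

// Authorize builds the world from the authority block and the authorizer (ambient facts
// plus verifier-side ACL rules), then requires every check of every block and of the
// authorizer to hold. Attenuation blocks contribute checks only, so a derived token can
// lose rights but never gain any. It returns the failed checks; empty means authorized.
func Authorize(authority Policy, attenuations []Policy, authorizer Policy) (failed []string) {
	w := World{}
	for _, f := range append(append([]Atom{}, authority.Facts...), authorizer.Facts...) { w.add(f) }
	w.run(append(append([]Rule{}, authority.Rules...), authorizer.Rules...))
	blocks := append(append([]Policy{authority}, attenuations...), authorizer)
	for i, p := range blocks {
		name := fmt.Sprintf("block %d", i)
		if i == len(blocks)-1 { name = "authorizer" }
		for _, c := range p.Checks {
			if len(w.solve(c, nil)) == 0 { failed = append(failed, name+": check if "+strings.Trim(fmt.Sprint(c), "[]")) }
		}
	}
	return failed
}

// SampleAuthority is the issuer's block: alice may read and write file1 (constructed sample).
func SampleAuthority() Policy {
	return Policy{Facts: []Atom{A("user", `"alice"`), A("right", `"file1"`, `"read"`), A("right", `"file1"`, `"write"`)}}
}

// ReadOnly is an attenuation block the holder appends to give up write access.
func ReadOnly() Policy { return Policy{Checks: [][]Atom{{A("operation", `"read"`)}}} }

// Authorizer carries the request's ambient facts, a verifier-side ACL written as a
// Datalog rule (owners get every operation on their files) and the final check.
func Authorizer(resource, op string) Policy {
	return Policy{
		Facts:  []Atom{A("resource", resource), A("operation", op), A("owner", `"alice"`, `"file2"`)},
		Rules:  []Rule{{A("right", "$r", "$o"), []Atom{A("user", "$u"), A("owner", "$u", "$r"), A("operation", "$o")}}},
		Checks: [][]Atom{{A("resource", "$r"), A("operation", "$o"), A("right", "$r", "$o")}},
	}
}

func main() {
	fmt.Println(Authorize(SampleAuthority(), nil, Authorizer(`"file1"`, `"write"`)))                  // authorized by the token's own right
	fmt.Println(Authorize(SampleAuthority(), []Policy{ReadOnly()}, Authorizer(`"file1"`, `"write"`))) // block 1's check fails
	fmt.Println(Authorize(SampleAuthority(), nil, Authorizer(`"file2"`, `"write"`)))                  // authorized by the verifier-side ACL rule
}
```

The write on file2 succeeds even though the token never mentions file2: the authorizer's rule derives right("file2", "write") from user("alice") and the owner fact, which is the ACL style. The attenuated token fails the same request because its appended check demands operation("read"), and checks are conjunctive across blocks: the authorizer's own check still passes, yet one failing check anywhere denies the request.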

Revocation

All tokens come with unique revocation identifiers, which can be used to reject a token and every token attenuated from it.
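The three properties above (verification with only the issuer's public key, attenuation by the holder alone, and revocation identifiers shared by a token and everything derived from it) all come from the same construction, so here is one added example covering them, not Biscuit's own code: a simplified model of its block chain in Go using only the standard library's crypto/ed25519. It follows the scheme the specification describes, where each block carries the public key that will sign the next block, but it is not the Protobuf wire format, it leaves the algorithm identifier out of the signed bytes, and it keeps the Datalog payload as plain text. The names Block, Token, Mint, Attenuate, Verify and RevocationIDs are the example's own, and the sealed token variant (replacing the final private key with a signature) is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Block is one link of the chain: a Datalog payload (kept as text here), the
// public half of a fresh key pair that will sign the NEXT block, and a signature
// over payload||nextKey made by the PREVIOUS key (the root key for the authority
// block). Signing the next public key is what pins the chain together.
type Block struct {
	Payload   []byte
	NextKey   ed25519.PublicKey
	Signature []byte
}

// Token is the block chain plus the private half of the last NextKey. Holding
// that key lets you append a block offline; it never lets you edit or drop an
// earlier block, because that block's signature would no longer verify.
type Token struct {
	Blocks []Block
	NextSK ed25519.PrivateKey
}

// signedBytes is the message each block signature covers (simplified: the real
// format also covers the signature algorithm id). NextKey is fixed-size, so the
// concatenation is unambiguous.
func signedBytes(payload []byte, next ed25519.PublicKey) []byte {
	return append(append([]byte{}, payload...), next...)
}

func appendBlock(blocks []Block, signer ed25519.PrivateKey, payload string) (*Token, error) {
	nextPK, nextSK, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	b := Block{Payload: []byte(payload), NextKey: nextPK}
	b.Signature = ed25519.Sign(signer, signedBytes(b.Payload, nextPK))
	return &Token{Blocks: append(append([]Block{}, blocks...), b), NextSK: nextSK}, nil
}

// Mint creates the authority block; only the issuer holds the root private key.
func Mint(root ed25519.PrivateKey, authority string) (*Token, error) {
	return appendBlock(nil, root, authority)
}

// Attenuate appends a block using only material inside the token: no root key,
// no network. The new token carries the key for the NEW last block, so whoever
// receives it cannot remove the restriction it adds.
func (t *Token) Attenuate(payload string) (*Token, error) {
	return appendBlock(t.Blocks, t.NextSK, payload)
}

// Verify walks the chain with nothing but the root public key, then checks that
// the bearer holds the private key matching the last block's NextKey.
func Verify(root ed25519.PublicKey, t *Token) error {
	key := root
	for i, b := range t.Blocks {
		if !ed25519.Verify(key, signedBytes(b.Payload, b.NextKey), b.Signature) {
			return fmt.Errorf("block %d: signature does not verify", i)
		}
		key = b.NextKey
	}
	if !bytes.Equal(t.NextSK.Public().(ed25519.PublicKey), key) {
		return errors.New("proof key does not match the last block's next key")
	}
	return nil
}

// RevocationIDs returns one identifier per block (here the block signature).
// An attenuated token keeps every ancestor block byte for byte, so revoking
// block 0's id rejects the original token and every token derived from it.
func (t *Token) RevocationIDs() []string {
	ids := make([]string, len(t.Blocks))
	for i, b := range t.Blocks {
		ids[i] = hex.EncodeToString(b.Signature)
	}
	return ids
}

func main() {
	rootPK, rootSK, _ := ed25519.GenerateKey(rand.Reader)
	tok, _ := Mint(rootSK, `right("file1", "read"); right("file1", "write");`)
	att, _ := tok.Attenuate(`check if operation("read");`)
	fmt.Println("original:", Verify(rootPK, tok), "| attenuated:", Verify(rootPK, att))
	fmt.Println("same revocation id for block 0:", att.RevocationIDs()[0] == tok.RevocationIDs()[0])
	att.Blocks[1].Payload = []byte(`check if true;`) // try to strip the restriction
	fmt.Println("tampered:", Verify(rootPK, att))
}
```

Two failure modes are worth trying by hand: rewriting an attenuation block's payload breaks that block's signature, and dropping the last block while keeping the new proof key fails the final key match, so a holder cannot "un-attenuate" a token they were given.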

Multiple implementations

Biscuit is implemented in Rust, Haskell, Go, Java, WebAssembly, C... All a new implementation needs is Protobuf support for the token format and Ed25519 signatures. The specification comes with a list of predefined test cases to validate an implementation against.

See it live

Test authorization policies in Datalog: