From e435e01e451cbad4e796d3b3c3e14c73609af4ad Mon Sep 17 00:00:00 2001
From: arndt-s <17650715+arndt-s@users.noreply.github.com>
Date: Mon, 16 Feb 2026 09:47:10 +0100
Subject: [PATCH] add broker api
Signed-off-by: arndt-s <17650715+arndt-s@users.noreply.github.com>
---
 Makefile | 2 +
 proto/spiffe/broker/api.pb.go | 784 +++++++++++++++++++++++++
 proto/spiffe/broker/api.proto | 158 +++++
 proto/spiffe/broker/api_grpc.pb.go | 269 +++++++++
 proto/spiffe/reference/reference.pb.go | 175 ++++++
 proto/spiffe/reference/reference.proto | 17 +
 6 files changed, 1405 insertions(+)
 create mode 100644 proto/spiffe/broker/api.pb.go
 create mode 100644 proto/spiffe/broker/api.proto
 create mode 100644 proto/spiffe/broker/api_grpc.pb.go
 create mode 100644 proto/spiffe/reference/reference.pb.go
 create mode 100644 proto/spiffe/reference/reference.proto
diff --git a/Makefile b/Makefile
index 37c4692..13f4707 100644
--- a/Makefile
+++ b/Makefile
@@ -43,6 +43,8 @@ apiprotos := \
 proto/spire/api/server/logger/v1/logger.proto \
 proto/spire/api/server/trustdomain/v1/trustdomain.proto \
 proto/spire/api/server/svid/v1/svid.proto \
+ proto/spiffe/reference/reference.proto \
+ proto/spiffe/broker/api.proto
 
 # Used to force some rules to run every time
 FORCE: ;
diff --git a/proto/spiffe/broker/api.pb.go b/proto/spiffe/broker/api.pb.go
new file mode 100644
index 0000000..5bd02ba
--- /dev/null
+++ b/proto/spiffe/broker/api.pb.go
@@ -0,0 +1,784 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.7 +// protoc v6.30.2 +// source: spiffe/broker/api.proto + +package broker + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + anypb "google.golang.org/protobuf/types/known/anypb" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// The WorkloadReference message represents a single reference to a workload. +// The reference field contains one of the standard reference types or +// a vendor-specific extension type. +type WorkloadReference struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. The reference payload. Can be one of the standard reference types + // (WorkloadPIDReference, KubernetesPodUIDReference) or a vendor-specific + // type. 
+ Reference *anypb.Any `protobuf:"bytes,1,opt,name=reference,proto3" json:"reference,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *WorkloadReference) Reset() { + *x = WorkloadReference{} + mi := &file_spiffe_broker_api_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *WorkloadReference) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WorkloadReference) ProtoMessage() {} + +func (x *WorkloadReference) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WorkloadReference.ProtoReflect.Descriptor instead. +func (*WorkloadReference) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{0} +} + +func (x *WorkloadReference) GetReference() *anypb.Any { + if x != nil { + return x.Reference + } + return nil +} + +// The SubscribeToX509SVIDRequest message conveys parameters for requesting an X.509-SVID. +type SubscribeToX509SVIDRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. Reference identifying the workload. 
+ Reference *WorkloadReference `protobuf:"bytes,1,opt,name=reference,proto3" json:"reference,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SubscribeToX509SVIDRequest) Reset() { + *x = SubscribeToX509SVIDRequest{} + mi := &file_spiffe_broker_api_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SubscribeToX509SVIDRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToX509SVIDRequest) ProtoMessage() {} + +func (x *SubscribeToX509SVIDRequest) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToX509SVIDRequest.ProtoReflect.Descriptor instead. +func (*SubscribeToX509SVIDRequest) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{1} +} + +func (x *SubscribeToX509SVIDRequest) GetReference() *WorkloadReference { + if x != nil { + return x.Reference + } + return nil +} + +// The SubscribeToX509SVIDResponse message carries X.509-SVIDs and related information, +// including a list of bundles the workload may use for federating with foreign +// trust domains. +type SubscribeToX509SVIDResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. A list of X509SVID messages, each of which includes a single + // X.509-SVID, its private key, and the bundle for the trust domain. + Svids []*X509SVID `protobuf:"bytes,1,rep,name=svids,proto3" json:"svids,omitempty"` + // Optional. ASN.1 DER encoded certificate revocation lists. + Crl [][]byte `protobuf:"bytes,2,rep,name=crl,proto3" json:"crl,omitempty"` + // Optional. 
CA certificate bundles belonging to foreign trust domains that + // the workload should trust, keyed by the SPIFFE ID of the foreign trust + // domain. Bundles are ASN.1 DER encoded. + FederatedBundles map[string][]byte `protobuf:"bytes,3,rep,name=federated_bundles,json=federatedBundles,proto3" json:"federated_bundles,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SubscribeToX509SVIDResponse) Reset() { + *x = SubscribeToX509SVIDResponse{} + mi := &file_spiffe_broker_api_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SubscribeToX509SVIDResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToX509SVIDResponse) ProtoMessage() {} + +func (x *SubscribeToX509SVIDResponse) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToX509SVIDResponse.ProtoReflect.Descriptor instead. +func (*SubscribeToX509SVIDResponse) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{2} +} + +func (x *SubscribeToX509SVIDResponse) GetSvids() []*X509SVID { + if x != nil { + return x.Svids + } + return nil +} + +func (x *SubscribeToX509SVIDResponse) GetCrl() [][]byte { + if x != nil { + return x.Crl + } + return nil +} + +func (x *SubscribeToX509SVIDResponse) GetFederatedBundles() map[string][]byte { + if x != nil { + return x.FederatedBundles + } + return nil +} + +// The X509SVID message carries a single SVID and all associated information, +// including the X.509 bundle for the trust domain. +type X509SVID struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. 
The SPIFFE ID of the SVID in this entry + SpiffeId string `protobuf:"bytes,1,opt,name=spiffe_id,json=spiffeId,proto3" json:"spiffe_id,omitempty"` + // Required. ASN.1 DER encoded certificate chain. MAY include + // intermediates, the leaf certificate (or SVID itself) MUST come first. + X509Svid []byte `protobuf:"bytes,2,opt,name=x509_svid,json=x509Svid,proto3" json:"x509_svid,omitempty"` + // Required. ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted. + X509SvidKey []byte `protobuf:"bytes,3,opt,name=x509_svid_key,json=x509SvidKey,proto3" json:"x509_svid_key,omitempty"` + // Required. ASN.1 DER encoded X.509 bundle for the trust domain. + Bundle []byte `protobuf:"bytes,4,opt,name=bundle,proto3" json:"bundle,omitempty"` + // Optional. An operator-specified string used to provide guidance on how this + // identity should be used by a broker or workload when more than one SVID is + // returned. For example, `internal` and `external` to indicate an SVID for + // internal or external use, respectively. + Hint string `protobuf:"bytes,5,opt,name=hint,proto3" json:"hint,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *X509SVID) Reset() { + *x = X509SVID{} + mi := &file_spiffe_broker_api_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *X509SVID) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*X509SVID) ProtoMessage() {} + +func (x *X509SVID) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use X509SVID.ProtoReflect.Descriptor instead. 
+func (*X509SVID) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{3} +} + +func (x *X509SVID) GetSpiffeId() string { + if x != nil { + return x.SpiffeId + } + return "" +} + +func (x *X509SVID) GetX509Svid() []byte { + if x != nil { + return x.X509Svid + } + return nil +} + +func (x *X509SVID) GetX509SvidKey() []byte { + if x != nil { + return x.X509SvidKey + } + return nil +} + +func (x *X509SVID) GetBundle() []byte { + if x != nil { + return x.Bundle + } + return nil +} + +func (x *X509SVID) GetHint() string { + if x != nil { + return x.Hint + } + return "" +} + +// The SubscribeToX509BundlesRequest message conveys parameters for requesting X.509 +// bundles. +type SubscribeToX509BundlesRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. Reference identifying the workload. + Reference *WorkloadReference `protobuf:"bytes,1,opt,name=reference,proto3" json:"reference,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SubscribeToX509BundlesRequest) Reset() { + *x = SubscribeToX509BundlesRequest{} + mi := &file_spiffe_broker_api_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SubscribeToX509BundlesRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToX509BundlesRequest) ProtoMessage() {} + +func (x *SubscribeToX509BundlesRequest) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToX509BundlesRequest.ProtoReflect.Descriptor instead. 
+func (*SubscribeToX509BundlesRequest) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{4} +} + +func (x *SubscribeToX509BundlesRequest) GetReference() *WorkloadReference { + if x != nil { + return x.Reference + } + return nil +} + +// The SubscribeToX509BundlesResponse message carries a map of trust bundles the workload +// should trust. +type SubscribeToX509BundlesResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Optional. ASN.1 DER encoded certificate revocation lists. + Crl [][]byte `protobuf:"bytes,1,rep,name=crl,proto3" json:"crl,omitempty"` + // Required. CA certificate bundles belonging to trust domains that the + // workload should trust, keyed by the SPIFFE ID of the trust domain. + // Bundles are ASN.1 DER encoded. + Bundles map[string][]byte `protobuf:"bytes,2,rep,name=bundles,proto3" json:"bundles,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SubscribeToX509BundlesResponse) Reset() { + *x = SubscribeToX509BundlesResponse{} + mi := &file_spiffe_broker_api_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SubscribeToX509BundlesResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToX509BundlesResponse) ProtoMessage() {} + +func (x *SubscribeToX509BundlesResponse) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToX509BundlesResponse.ProtoReflect.Descriptor instead. 
+func (*SubscribeToX509BundlesResponse) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{5} +} + +func (x *SubscribeToX509BundlesResponse) GetCrl() [][]byte { + if x != nil { + return x.Crl + } + return nil +} + +func (x *SubscribeToX509BundlesResponse) GetBundles() map[string][]byte { + if x != nil { + return x.Bundles + } + return nil +} + +// The FetchJWTSVIDRequest message conveys parameters for requesting JWT-SVIDs. +type FetchJWTSVIDRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. Reference identifying the workload. + Reference *WorkloadReference `protobuf:"bytes,1,opt,name=reference,proto3" json:"reference,omitempty"` + // Required. The audience(s) the workload intends to authenticate against. + Audience []string `protobuf:"bytes,2,rep,name=audience,proto3" json:"audience,omitempty"` + // Optional. The requested SPIFFE ID for the JWT-SVID. If unset, all + // JWT-SVIDs to which the workload is entitled are requested. + SpiffeId string `protobuf:"bytes,3,opt,name=spiffe_id,json=spiffeId,proto3" json:"spiffe_id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *FetchJWTSVIDRequest) Reset() { + *x = FetchJWTSVIDRequest{} + mi := &file_spiffe_broker_api_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *FetchJWTSVIDRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*FetchJWTSVIDRequest) ProtoMessage() {} + +func (x *FetchJWTSVIDRequest) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[6] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use FetchJWTSVIDRequest.ProtoReflect.Descriptor instead. 
+func (*FetchJWTSVIDRequest) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{6} +} + +func (x *FetchJWTSVIDRequest) GetReference() *WorkloadReference { + if x != nil { + return x.Reference + } + return nil +} + +func (x *FetchJWTSVIDRequest) GetAudience() []string { + if x != nil { + return x.Audience + } + return nil +} + +func (x *FetchJWTSVIDRequest) GetSpiffeId() string { + if x != nil { + return x.SpiffeId + } + return "" +} + +// The FetchJWTSVIDResponse message conveys JWT-SVIDs. +type FetchJWTSVIDResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. The list of returned JWT-SVIDs. + Svids []*JWTSVID `protobuf:"bytes,1,rep,name=svids,proto3" json:"svids,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *FetchJWTSVIDResponse) Reset() { + *x = FetchJWTSVIDResponse{} + mi := &file_spiffe_broker_api_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *FetchJWTSVIDResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*FetchJWTSVIDResponse) ProtoMessage() {} + +func (x *FetchJWTSVIDResponse) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[7] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use FetchJWTSVIDResponse.ProtoReflect.Descriptor instead. +func (*FetchJWTSVIDResponse) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{7} +} + +func (x *FetchJWTSVIDResponse) GetSvids() []*JWTSVID { + if x != nil { + return x.Svids + } + return nil +} + +// The JWTSVID message carries the JWT-SVID token and associated metadata. +type JWTSVID struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. The SPIFFE ID of the JWT-SVID. 
+ SpiffeId string `protobuf:"bytes,1,opt,name=spiffe_id,json=spiffeId,proto3" json:"spiffe_id,omitempty"` + // Required. Encoded JWT using JWS Compact Serialization. + Svid string `protobuf:"bytes,2,opt,name=svid,proto3" json:"svid,omitempty"` + // Optional. An operator-specified string used to provide guidance on how this + // identity should be used by a workload when more than one SVID is returned. + // For example, `internal` and `external` to indicate an SVID for internal or + // external use, respectively. + Hint string `protobuf:"bytes,3,opt,name=hint,proto3" json:"hint,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JWTSVID) Reset() { + *x = JWTSVID{} + mi := &file_spiffe_broker_api_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JWTSVID) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JWTSVID) ProtoMessage() {} + +func (x *JWTSVID) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[8] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JWTSVID.ProtoReflect.Descriptor instead. +func (*JWTSVID) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{8} +} + +func (x *JWTSVID) GetSpiffeId() string { + if x != nil { + return x.SpiffeId + } + return "" +} + +func (x *JWTSVID) GetSvid() string { + if x != nil { + return x.Svid + } + return "" +} + +func (x *JWTSVID) GetHint() string { + if x != nil { + return x.Hint + } + return "" +} + +// The SubscribeToJWTBundlesRequest message conveys parameters for requesting JWT bundles. +type SubscribeToJWTBundlesRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. Reference identifying the workload. 
+ Reference *WorkloadReference `protobuf:"bytes,1,opt,name=reference,proto3" json:"reference,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SubscribeToJWTBundlesRequest) Reset() { + *x = SubscribeToJWTBundlesRequest{} + mi := &file_spiffe_broker_api_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SubscribeToJWTBundlesRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToJWTBundlesRequest) ProtoMessage() {} + +func (x *SubscribeToJWTBundlesRequest) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[9] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToJWTBundlesRequest.ProtoReflect.Descriptor instead. +func (*SubscribeToJWTBundlesRequest) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{9} +} + +func (x *SubscribeToJWTBundlesRequest) GetReference() *WorkloadReference { + if x != nil { + return x.Reference + } + return nil +} + +// The SubscribeToJWTBundlesResponse message conveys JWT bundles. +type SubscribeToJWTBundlesResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. JWK encoded JWT bundles, keyed by the SPIFFE ID of the trust + // domain. 
+ Bundles map[string][]byte `protobuf:"bytes,1,rep,name=bundles,proto3" json:"bundles,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SubscribeToJWTBundlesResponse) Reset() { + *x = SubscribeToJWTBundlesResponse{} + mi := &file_spiffe_broker_api_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SubscribeToJWTBundlesResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubscribeToJWTBundlesResponse) ProtoMessage() {} + +func (x *SubscribeToJWTBundlesResponse) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_broker_api_proto_msgTypes[10] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubscribeToJWTBundlesResponse.ProtoReflect.Descriptor instead. 
+func (*SubscribeToJWTBundlesResponse) Descriptor() ([]byte, []int) { + return file_spiffe_broker_api_proto_rawDescGZIP(), []int{10} +} + +func (x *SubscribeToJWTBundlesResponse) GetBundles() map[string][]byte { + if x != nil { + return x.Bundles + } + return nil +} + +var File_spiffe_broker_api_proto protoreflect.FileDescriptor + +const file_spiffe_broker_api_proto_rawDesc = "" + + "\n" + + "\x17spiffe/broker/api.proto\x12\rspiffe.broker\x1a\x19google/protobuf/any.proto\"G\n" + + "\x11WorkloadReference\x122\n" + + "\treference\x18\x01 \x01(\v2\x14.google.protobuf.AnyR\treference\"\\\n" + + "\x1aSubscribeToX509SVIDRequest\x12>\n" + + "\treference\x18\x01 \x01(\v2 .spiffe.broker.WorkloadReferenceR\treference\"\x92\x02\n" + + "\x1bSubscribeToX509SVIDResponse\x12-\n" + + "\x05svids\x18\x01 \x03(\v2\x17.spiffe.broker.X509SVIDR\x05svids\x12\x10\n" + + "\x03crl\x18\x02 \x03(\fR\x03crl\x12m\n" + + "\x11federated_bundles\x18\x03 \x03(\v2@.spiffe.broker.SubscribeToX509SVIDResponse.FederatedBundlesEntryR\x10federatedBundles\x1aC\n" + + "\x15FederatedBundlesEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\fR\x05value:\x028\x01\"\x94\x01\n" + + "\bX509SVID\x12\x1b\n" + + "\tspiffe_id\x18\x01 \x01(\tR\bspiffeId\x12\x1b\n" + + "\tx509_svid\x18\x02 \x01(\fR\bx509Svid\x12\"\n" + + "\rx509_svid_key\x18\x03 \x01(\fR\vx509SvidKey\x12\x16\n" + + "\x06bundle\x18\x04 \x01(\fR\x06bundle\x12\x12\n" + + "\x04hint\x18\x05 \x01(\tR\x04hint\"_\n" + + "\x1dSubscribeToX509BundlesRequest\x12>\n" + + "\treference\x18\x01 \x01(\v2 .spiffe.broker.WorkloadReferenceR\treference\"\xc4\x01\n" + + "\x1eSubscribeToX509BundlesResponse\x12\x10\n" + + "\x03crl\x18\x01 \x03(\fR\x03crl\x12T\n" + + "\abundles\x18\x02 \x03(\v2:.spiffe.broker.SubscribeToX509BundlesResponse.BundlesEntryR\abundles\x1a:\n" + + "\fBundlesEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\fR\x05value:\x028\x01\"\x8e\x01\n" + + 
"\x13FetchJWTSVIDRequest\x12>\n" + + "\treference\x18\x01 \x01(\v2 .spiffe.broker.WorkloadReferenceR\treference\x12\x1a\n" + + "\baudience\x18\x02 \x03(\tR\baudience\x12\x1b\n" + + "\tspiffe_id\x18\x03 \x01(\tR\bspiffeId\"D\n" + + "\x14FetchJWTSVIDResponse\x12,\n" + + "\x05svids\x18\x01 \x03(\v2\x16.spiffe.broker.JWTSVIDR\x05svids\"N\n" + + "\aJWTSVID\x12\x1b\n" + + "\tspiffe_id\x18\x01 \x01(\tR\bspiffeId\x12\x12\n" + + "\x04svid\x18\x02 \x01(\tR\x04svid\x12\x12\n" + + "\x04hint\x18\x03 \x01(\tR\x04hint\"^\n" + + "\x1cSubscribeToJWTBundlesRequest\x12>\n" + + "\treference\x18\x01 \x01(\v2 .spiffe.broker.WorkloadReferenceR\treference\"\xb0\x01\n" + + "\x1dSubscribeToJWTBundlesResponse\x12S\n" + + "\abundles\x18\x01 \x03(\v29.spiffe.broker.SubscribeToJWTBundlesResponse.BundlesEntryR\abundles\x1a:\n" + + "\fBundlesEntry\x12\x10\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + + "\x05value\x18\x02 \x01(\fR\x05value:\x028\x012\xbd\x03\n" + + "\x03API\x12n\n" + + "\x13SubscribeToX509SVID\x12).spiffe.broker.SubscribeToX509SVIDRequest\x1a*.spiffe.broker.SubscribeToX509SVIDResponse0\x01\x12w\n" + + "\x16SubscribeToX509Bundles\x12,.spiffe.broker.SubscribeToX509BundlesRequest\x1a-.spiffe.broker.SubscribeToX509BundlesResponse0\x01\x12W\n" + + "\fFetchJWTSVID\x12\".spiffe.broker.FetchJWTSVIDRequest\x1a#.spiffe.broker.FetchJWTSVIDResponse\x12t\n" + + "\x15SubscribeToJWTBundles\x12+.spiffe.broker.SubscribeToJWTBundlesRequest\x1a,.spiffe.broker.SubscribeToJWTBundlesResponse0\x01B google.protobuf.Any + 0, // 1: spiffe.broker.SubscribeToX509SVIDRequest.reference:type_name -> spiffe.broker.WorkloadReference + 3, // 2: spiffe.broker.SubscribeToX509SVIDResponse.svids:type_name -> spiffe.broker.X509SVID + 11, // 3: spiffe.broker.SubscribeToX509SVIDResponse.federated_bundles:type_name -> spiffe.broker.SubscribeToX509SVIDResponse.FederatedBundlesEntry + 0, // 4: spiffe.broker.SubscribeToX509BundlesRequest.reference:type_name -> spiffe.broker.WorkloadReference + 12, // 5: 
spiffe.broker.SubscribeToX509BundlesResponse.bundles:type_name -> spiffe.broker.SubscribeToX509BundlesResponse.BundlesEntry + 0, // 6: spiffe.broker.FetchJWTSVIDRequest.reference:type_name -> spiffe.broker.WorkloadReference + 8, // 7: spiffe.broker.FetchJWTSVIDResponse.svids:type_name -> spiffe.broker.JWTSVID + 0, // 8: spiffe.broker.SubscribeToJWTBundlesRequest.reference:type_name -> spiffe.broker.WorkloadReference + 13, // 9: spiffe.broker.SubscribeToJWTBundlesResponse.bundles:type_name -> spiffe.broker.SubscribeToJWTBundlesResponse.BundlesEntry + 1, // 10: spiffe.broker.API.SubscribeToX509SVID:input_type -> spiffe.broker.SubscribeToX509SVIDRequest + 4, // 11: spiffe.broker.API.SubscribeToX509Bundles:input_type -> spiffe.broker.SubscribeToX509BundlesRequest + 6, // 12: spiffe.broker.API.FetchJWTSVID:input_type -> spiffe.broker.FetchJWTSVIDRequest + 9, // 13: spiffe.broker.API.SubscribeToJWTBundles:input_type -> spiffe.broker.SubscribeToJWTBundlesRequest + 2, // 14: spiffe.broker.API.SubscribeToX509SVID:output_type -> spiffe.broker.SubscribeToX509SVIDResponse + 5, // 15: spiffe.broker.API.SubscribeToX509Bundles:output_type -> spiffe.broker.SubscribeToX509BundlesResponse + 7, // 16: spiffe.broker.API.FetchJWTSVID:output_type -> spiffe.broker.FetchJWTSVIDResponse + 10, // 17: spiffe.broker.API.SubscribeToJWTBundles:output_type -> spiffe.broker.SubscribeToJWTBundlesResponse + 14, // [14:18] is the sub-list for method output_type + 10, // [10:14] is the sub-list for method input_type + 10, // [10:10] is the sub-list for extension type_name + 10, // [10:10] is the sub-list for extension extendee + 0, // [0:10] is the sub-list for field type_name +} + +func init() { file_spiffe_broker_api_proto_init() } +func file_spiffe_broker_api_proto_init() { + if File_spiffe_broker_api_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: 
unsafe.Slice(unsafe.StringData(file_spiffe_broker_api_proto_rawDesc), len(file_spiffe_broker_api_proto_rawDesc)), + NumEnums: 0, + NumMessages: 14, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_spiffe_broker_api_proto_goTypes, + DependencyIndexes: file_spiffe_broker_api_proto_depIdxs, + MessageInfos: file_spiffe_broker_api_proto_msgTypes, + }.Build() + File_spiffe_broker_api_proto = out.File + file_spiffe_broker_api_proto_goTypes = nil + file_spiffe_broker_api_proto_depIdxs = nil +}
diff --git a/proto/spiffe/broker/api.proto b/proto/spiffe/broker/api.proto
new file mode 100644
index 0000000..bf9c76c
--- /dev/null
+++ b/proto/spiffe/broker/api.proto
@@ -0,0 +1,158 @@
+syntax = "proto3";
+package spiffe.broker;
+option go_package = "github.com/spiffe/spire-api-sdk/proto/spiffe/broker;broker";
+
+import "google/protobuf/any.proto";
+
+service API {
+ /////////////////////////////////////////////////////////////////////////
+ // X509-SVID Profile
+ /////////////////////////////////////////////////////////////////////////
+
+ // Fetch X.509-SVIDs for all SPIFFE identities the referenced workload is
+ // entitled to, as well as related information like trust bundles. As this
+ // information changes, subsequent messages will be streamed from the server.
+ rpc SubscribeToX509SVID(SubscribeToX509SVIDRequest) returns (stream SubscribeToX509SVIDResponse);
+
+ // Fetch trust bundles of the referenced workload. Useful in situations that
+ // only need to validate SVIDs without obtaining an SVID for themself. As this
+ // information changes, subsequent messages will be streamed from the server.
+ rpc SubscribeToX509Bundles(SubscribeToX509BundlesRequest) returns (stream SubscribeToX509BundlesResponse);
+
+ /////////////////////////////////////////////////////////////////////////
+ // JWT-SVID Profile
+ /////////////////////////////////////////////////////////////////////////
+
+ // Fetch JWT-SVIDs for all SPIFFE identities the referenced workload is
+ // entitled to, for the requested audience. If an optional SPIFFE ID is
+ // requested, only the JWT-SVID for that SPIFFE ID is returned.
+ rpc FetchJWTSVID(FetchJWTSVIDRequest) returns (FetchJWTSVIDResponse);
+
+ // Fetches the JWT bundles, formatted as JWKS documents, keyed by the
+ // SPIFFE ID of the trust domain. As this information changes, subsequent
+ // messages will be streamed from the server.
+ rpc SubscribeToJWTBundles(SubscribeToJWTBundlesRequest) returns (stream SubscribeToJWTBundlesResponse);
+}
+
+// The WorkloadReference message represents a single reference to a workload.
+// The reference field contains one of the standard reference types or
+// a vendor-specific extension type.
+message WorkloadReference {
+ // Required. The reference payload. Can be one of the standard reference types
+ // (WorkloadPIDReference, KubernetesPodUIDReference) or a vendor-specific
+ // type.
+ google.protobuf.Any reference = 1;
+}
+
+
+// The SubscribeToX509SVIDRequest message conveys parameters for requesting an X.509-SVID.
+message SubscribeToX509SVIDRequest {
+ // Required. Reference identifying the workload.
+ WorkloadReference reference = 1;
+}
+
+// The SubscribeToX509SVIDResponse message carries X.509-SVIDs and related information,
+// including a list of bundles the workload may use for federating with foreign
+// trust domains.
+message SubscribeToX509SVIDResponse {
+ // Required. A list of X509SVID messages, each of which includes a single
+ // X.509-SVID, its private key, and the bundle for the trust domain.
+ repeated X509SVID svids = 1;
+
+ // Optional. ASN.1 DER encoded certificate revocation lists.
+ repeated bytes crl = 2;
+
+ // Optional. CA certificate bundles belonging to foreign trust domains that
+ // the workload should trust, keyed by the SPIFFE ID of the foreign trust
+ // domain. Bundles are ASN.1 DER encoded.
+ map federated_bundles = 3;
+}
+
+// The X509SVID message carries a single SVID and all associated information,
+// including the X.509 bundle for the trust domain.
+message X509SVID {
+ // Required. The SPIFFE ID of the SVID in this entry
+ string spiffe_id = 1;
+
+ // Required. ASN.1 DER encoded certificate chain. MAY include
+ // intermediates, the leaf certificate (or SVID itself) MUST come first.
+ bytes x509_svid = 2;
+
+ // Required. ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted.
+ bytes x509_svid_key = 3;
+
+ // Required. ASN.1 DER encoded X.509 bundle for the trust domain.
+ bytes bundle = 4;
+
+ // Optional. 
An operator-specified string used to provide guidance on how this
+ // identity should be used by a broker or workload when more than one SVID is
+ // returned. For example, `internal` and `external` to indicate an SVID for
+ // internal or external use, respectively.
+ string hint = 5;
+}
+
+// The SubscribeToX509BundlesRequest message conveys parameters for requesting X.509
+// bundles.
+message SubscribeToX509BundlesRequest {
+ // Required. Reference identifying the workload.
+ WorkloadReference reference = 1;
+}
+
+// The SubscribeToX509BundlesResponse message carries a map of trust bundles the workload
+// should trust.
+message SubscribeToX509BundlesResponse {
+ // Optional. ASN.1 DER encoded certificate revocation lists.
+ repeated bytes crl = 1;
+
+ // Required. CA certificate bundles belonging to trust domains that the
+ // workload should trust, keyed by the SPIFFE ID of the trust domain.
+ // Bundles are ASN.1 DER encoded.
+ map bundles = 2;
+}
+
+// The FetchJWTSVIDRequest message conveys parameters for requesting JWT-SVIDs.
+message FetchJWTSVIDRequest {
+ // Required. Reference identifying the workload.
+ WorkloadReference reference = 1;
+
+ // Required. The audience(s) the workload intends to authenticate against.
+ repeated string audience = 2;
+
+ // Optional. The requested SPIFFE ID for the JWT-SVID. If unset, all
+ // JWT-SVIDs to which the workload is entitled are requested.
+ string spiffe_id = 3;
+}
+
+// The FetchJWTSVIDResponse message conveys JWT-SVIDs.
+message FetchJWTSVIDResponse {
+ // Required. The list of returned JWT-SVIDs.
+ repeated JWTSVID svids = 1;
+}
+
+// The JWTSVID message carries the JWT-SVID token and associated metadata.
+message JWTSVID {
+ // Required. The SPIFFE ID of the JWT-SVID.
+ string spiffe_id = 1;
+
+ // Required. Encoded JWT using JWS Compact Serialization.
+ string svid = 2;
+
+ // Optional. 
An operator-specified string used to provide guidance on how this
+ // identity should be used by a workload when more than one SVID is returned.
+ // For example, `internal` and `external` to indicate an SVID for internal or
+ // external use, respectively.
+ string hint = 3;
+}
+
+// The SubscribeToJWTBundlesRequest message conveys parameters for requesting JWT bundles.
+message SubscribeToJWTBundlesRequest {
+ // Required. Reference identifying the workload.
+ WorkloadReference reference = 1;
+}
+
+// The SubscribeToJWTBundlesResponse message conveys JWT bundles.
+message SubscribeToJWTBundlesResponse {
+ // Required. JWK encoded JWT bundles, keyed by the SPIFFE ID of the trust
+ // domain.
+ map bundles = 1;
+}
\ No newline at end of file
diff --git a/proto/spiffe/broker/api_grpc.pb.go b/proto/spiffe/broker/api_grpc.pb.go
new file mode 100644
index 0000000..7d479ed
--- /dev/null
+++ b/proto/spiffe/broker/api_grpc.pb.go
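Review bot: Nothing in the hunk states how the server authenticates and authorizes the caller that presents a `WorkloadReference`, yet `SubscribeToX509SVID` returns `x509_svid_key`, an unencrypted private key, for whichever workload the reference names. A `WorkloadReference` is a claim supplied by the caller, not an attestation, so the service comment should make the trust model explicit, e.g. above `service API {`: `// The caller is a broker acting on behalf of the referenced workload. Servers MUST authenticate and authorize the caller before returning SVIDs, keys or bundles for a reference; the WorkloadReference itself is an untrusted claim.` Two smaller documentation points: `SubscribeToJWTBundlesResponse.bundles` says "JWK encoded" while the RPC comment says "JWKS documents", so one term should be used, and the value types of `federated_bundles` and `bundles` appear stripped in this rendering, so it is worth confirming they read `map<string, bytes>` in the committed file. The file also ends without a trailing newline.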
@@ -0,0 +1,269 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.5.1 +// - protoc v6.30.2 +// source: spiffe/broker/api.proto + +package broker + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + API_SubscribeToX509SVID_FullMethodName = "/spiffe.broker.API/SubscribeToX509SVID" + API_SubscribeToX509Bundles_FullMethodName = "/spiffe.broker.API/SubscribeToX509Bundles" + API_FetchJWTSVID_FullMethodName = "/spiffe.broker.API/FetchJWTSVID" + API_SubscribeToJWTBundles_FullMethodName = "/spiffe.broker.API/SubscribeToJWTBundles" +) + +// APIClient is the client API for API service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type APIClient interface { + // Fetch X.509-SVIDs for all SPIFFE identities the referenced workload is + // entitled to, as well as related information like trust bundles. As this + // information changes, subsequent messages will be streamed from the server. + SubscribeToX509SVID(ctx context.Context, in *SubscribeToX509SVIDRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SubscribeToX509SVIDResponse], error) + // Fetch trust bundles of the referenced workload. Useful in situations that + // only need to validate SVIDs without obtaining an SVID for themself. As this + // information changes, subsequent messages will be streamed from the server. 
+ SubscribeToX509Bundles(ctx context.Context, in *SubscribeToX509BundlesRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SubscribeToX509BundlesResponse], error) + // Fetch JWT-SVIDs for all SPIFFE identities the referenced workload is + // entitled to, for the requested audience. If an optional SPIFFE ID is + // requested, only the JWT-SVID for that SPIFFE ID is returned. + FetchJWTSVID(ctx context.Context, in *FetchJWTSVIDRequest, opts ...grpc.CallOption) (*FetchJWTSVIDResponse, error) + // Fetches the JWT bundles, formatted as JWKS documents, keyed by the + // SPIFFE ID of the trust domain. As this information changes, subsequent + // messages will be streamed from the server. + SubscribeToJWTBundles(ctx context.Context, in *SubscribeToJWTBundlesRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SubscribeToJWTBundlesResponse], error) +} + +type aPIClient struct { + cc grpc.ClientConnInterface +} + +func NewAPIClient(cc grpc.ClientConnInterface) APIClient { + return &aPIClient{cc} +} + +func (c *aPIClient) SubscribeToX509SVID(ctx context.Context, in *SubscribeToX509SVIDRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SubscribeToX509SVIDResponse], error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + stream, err := c.cc.NewStream(ctx, &API_ServiceDesc.Streams[0], API_SubscribeToX509SVID_FullMethodName, cOpts...) + if err != nil { + return nil, err + } + x := &grpc.GenericClientStream[SubscribeToX509SVIDRequest, SubscribeToX509SVIDResponse]{ClientStream: stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } + return x, nil +} + +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. 
+type API_SubscribeToX509SVIDClient = grpc.ServerStreamingClient[SubscribeToX509SVIDResponse] + +func (c *aPIClient) SubscribeToX509Bundles(ctx context.Context, in *SubscribeToX509BundlesRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SubscribeToX509BundlesResponse], error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + stream, err := c.cc.NewStream(ctx, &API_ServiceDesc.Streams[1], API_SubscribeToX509Bundles_FullMethodName, cOpts...) + if err != nil { + return nil, err + } + x := &grpc.GenericClientStream[SubscribeToX509BundlesRequest, SubscribeToX509BundlesResponse]{ClientStream: stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } + return x, nil +} + +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type API_SubscribeToX509BundlesClient = grpc.ServerStreamingClient[SubscribeToX509BundlesResponse] + +func (c *aPIClient) FetchJWTSVID(ctx context.Context, in *FetchJWTSVIDRequest, opts ...grpc.CallOption) (*FetchJWTSVIDResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(FetchJWTSVIDResponse) + err := c.cc.Invoke(ctx, API_FetchJWTSVID_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *aPIClient) SubscribeToJWTBundles(ctx context.Context, in *SubscribeToJWTBundlesRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SubscribeToJWTBundlesResponse], error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + stream, err := c.cc.NewStream(ctx, &API_ServiceDesc.Streams[2], API_SubscribeToJWTBundles_FullMethodName, cOpts...) 
+ if err != nil { + return nil, err + } + x := &grpc.GenericClientStream[SubscribeToJWTBundlesRequest, SubscribeToJWTBundlesResponse]{ClientStream: stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } + return x, nil +} + +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type API_SubscribeToJWTBundlesClient = grpc.ServerStreamingClient[SubscribeToJWTBundlesResponse] + +// APIServer is the server API for API service. +// All implementations must embed UnimplementedAPIServer +// for forward compatibility. +type APIServer interface { + // Fetch X.509-SVIDs for all SPIFFE identities the referenced workload is + // entitled to, as well as related information like trust bundles. As this + // information changes, subsequent messages will be streamed from the server. + SubscribeToX509SVID(*SubscribeToX509SVIDRequest, grpc.ServerStreamingServer[SubscribeToX509SVIDResponse]) error + // Fetch trust bundles of the referenced workload. Useful in situations that + // only need to validate SVIDs without obtaining an SVID for themself. As this + // information changes, subsequent messages will be streamed from the server. + SubscribeToX509Bundles(*SubscribeToX509BundlesRequest, grpc.ServerStreamingServer[SubscribeToX509BundlesResponse]) error + // Fetch JWT-SVIDs for all SPIFFE identities the referenced workload is + // entitled to, for the requested audience. If an optional SPIFFE ID is + // requested, only the JWT-SVID for that SPIFFE ID is returned. + FetchJWTSVID(context.Context, *FetchJWTSVIDRequest) (*FetchJWTSVIDResponse, error) + // Fetches the JWT bundles, formatted as JWKS documents, keyed by the + // SPIFFE ID of the trust domain. As this information changes, subsequent + // messages will be streamed from the server. 
+ SubscribeToJWTBundles(*SubscribeToJWTBundlesRequest, grpc.ServerStreamingServer[SubscribeToJWTBundlesResponse]) error + mustEmbedUnimplementedAPIServer() +} + +// UnimplementedAPIServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedAPIServer struct{} + +func (UnimplementedAPIServer) SubscribeToX509SVID(*SubscribeToX509SVIDRequest, grpc.ServerStreamingServer[SubscribeToX509SVIDResponse]) error { + return status.Errorf(codes.Unimplemented, "method SubscribeToX509SVID not implemented") +} +func (UnimplementedAPIServer) SubscribeToX509Bundles(*SubscribeToX509BundlesRequest, grpc.ServerStreamingServer[SubscribeToX509BundlesResponse]) error { + return status.Errorf(codes.Unimplemented, "method SubscribeToX509Bundles not implemented") +} +func (UnimplementedAPIServer) FetchJWTSVID(context.Context, *FetchJWTSVIDRequest) (*FetchJWTSVIDResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method FetchJWTSVID not implemented") +} +func (UnimplementedAPIServer) SubscribeToJWTBundles(*SubscribeToJWTBundlesRequest, grpc.ServerStreamingServer[SubscribeToJWTBundlesResponse]) error { + return status.Errorf(codes.Unimplemented, "method SubscribeToJWTBundles not implemented") +} +func (UnimplementedAPIServer) mustEmbedUnimplementedAPIServer() {} +func (UnimplementedAPIServer) testEmbeddedByValue() {} + +// UnsafeAPIServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to APIServer will +// result in compilation errors. +type UnsafeAPIServer interface { + mustEmbedUnimplementedAPIServer() +} + +func RegisterAPIServer(s grpc.ServiceRegistrar, srv APIServer) { + // If the following call pancis, it indicates UnimplementedAPIServer was + // embedded by pointer and is nil. 
This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. + if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&API_ServiceDesc, srv) +} + +func _API_SubscribeToX509SVID_Handler(srv interface{}, stream grpc.ServerStream) error { + m := new(SubscribeToX509SVIDRequest) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(APIServer).SubscribeToX509SVID(m, &grpc.GenericServerStream[SubscribeToX509SVIDRequest, SubscribeToX509SVIDResponse]{ServerStream: stream}) +} + +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type API_SubscribeToX509SVIDServer = grpc.ServerStreamingServer[SubscribeToX509SVIDResponse] + +func _API_SubscribeToX509Bundles_Handler(srv interface{}, stream grpc.ServerStream) error { + m := new(SubscribeToX509BundlesRequest) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(APIServer).SubscribeToX509Bundles(m, &grpc.GenericServerStream[SubscribeToX509BundlesRequest, SubscribeToX509BundlesResponse]{ServerStream: stream}) +} + +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. 
+type API_SubscribeToX509BundlesServer = grpc.ServerStreamingServer[SubscribeToX509BundlesResponse] + +func _API_FetchJWTSVID_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(FetchJWTSVIDRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(APIServer).FetchJWTSVID(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: API_FetchJWTSVID_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(APIServer).FetchJWTSVID(ctx, req.(*FetchJWTSVIDRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _API_SubscribeToJWTBundles_Handler(srv interface{}, stream grpc.ServerStream) error { + m := new(SubscribeToJWTBundlesRequest) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(APIServer).SubscribeToJWTBundles(m, &grpc.GenericServerStream[SubscribeToJWTBundlesRequest, SubscribeToJWTBundlesResponse]{ServerStream: stream}) +} + +// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. +type API_SubscribeToJWTBundlesServer = grpc.ServerStreamingServer[SubscribeToJWTBundlesResponse] + +// API_ServiceDesc is the grpc.ServiceDesc for API service. 
+// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var API_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "spiffe.broker.API", + HandlerType: (*APIServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "FetchJWTSVID", + Handler: _API_FetchJWTSVID_Handler, + }, + }, + Streams: []grpc.StreamDesc{ + { + StreamName: "SubscribeToX509SVID", + Handler: _API_SubscribeToX509SVID_Handler, + ServerStreams: true, + }, + { + StreamName: "SubscribeToX509Bundles", + Handler: _API_SubscribeToX509Bundles_Handler, + ServerStreams: true, + }, + { + StreamName: "SubscribeToJWTBundles", + Handler: _API_SubscribeToJWTBundles_Handler, + ServerStreams: true, + }, + }, + Metadata: "spiffe/broker/api.proto", +} diff --git a/proto/spiffe/reference/reference.pb.go b/proto/spiffe/reference/reference.pb.go new file mode 100644 index 0000000..dbd39b9 --- /dev/null +++ b/proto/spiffe/reference/reference.pb.go 
@@ -0,0 +1,175 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.7 +// protoc v6.30.2 +// source: spiffe/reference/reference.proto + +package reference + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// The WorkloadPIDReference message conveys a process id reference of a workload +// running in the same environment. +type WorkloadPIDReference struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. The process id of the workload. MUST be a positive integer. + Pid int32 `protobuf:"varint,1,opt,name=pid,proto3" json:"pid,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *WorkloadPIDReference) Reset() { + *x = WorkloadPIDReference{} + mi := &file_spiffe_reference_reference_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *WorkloadPIDReference) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WorkloadPIDReference) ProtoMessage() {} + +func (x *WorkloadPIDReference) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_reference_reference_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WorkloadPIDReference.ProtoReflect.Descriptor instead. 
+func (*WorkloadPIDReference) Descriptor() ([]byte, []int) { + return file_spiffe_reference_reference_proto_rawDescGZIP(), []int{0} +} + +func (x *WorkloadPIDReference) GetPid() int32 { + if x != nil { + return x.Pid + } + return 0 +} + +// The KubernetesPodUIDReference message conveys a Kubernetes pod UID reference of a +// workload running in a Kubernetes cluster. +type KubernetesPodUIDReference struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. The UID of the Kubernetes pod. MUST be a valid UUID string. + Uid string `protobuf:"bytes,1,opt,name=uid,proto3" json:"uid,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *KubernetesPodUIDReference) Reset() { + *x = KubernetesPodUIDReference{} + mi := &file_spiffe_reference_reference_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *KubernetesPodUIDReference) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KubernetesPodUIDReference) ProtoMessage() {} + +func (x *KubernetesPodUIDReference) ProtoReflect() protoreflect.Message { + mi := &file_spiffe_reference_reference_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KubernetesPodUIDReference.ProtoReflect.Descriptor instead. 
+func (*KubernetesPodUIDReference) Descriptor() ([]byte, []int) { + return file_spiffe_reference_reference_proto_rawDescGZIP(), []int{1} +} + +func (x *KubernetesPodUIDReference) GetUid() string { + if x != nil { + return x.Uid + } + return "" +} + +var File_spiffe_reference_reference_proto protoreflect.FileDescriptor + +const file_spiffe_reference_reference_proto_rawDesc = "" + + "\n" + + " spiffe/reference/reference.proto\x12\x10spiffe.reference\"(\n" + + "\x14WorkloadPIDReference\x12\x10\n" + + "\x03pid\x18\x01 \x01(\x05R\x03pid\"-\n" + + "\x19KubernetesPodUIDReference\x12\x10\n" + + "\x03uid\x18\x01 \x01(\tR\x03uidBBZ@github.com/spiffe/spire-api-sdk/proto/spiffe/reference;referenceb\x06proto3" + +var ( + file_spiffe_reference_reference_proto_rawDescOnce sync.Once + file_spiffe_reference_reference_proto_rawDescData []byte +) + +func file_spiffe_reference_reference_proto_rawDescGZIP() []byte { + file_spiffe_reference_reference_proto_rawDescOnce.Do(func() { + file_spiffe_reference_reference_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_spiffe_reference_reference_proto_rawDesc), len(file_spiffe_reference_reference_proto_rawDesc))) + }) + return file_spiffe_reference_reference_proto_rawDescData +} + +var file_spiffe_reference_reference_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_spiffe_reference_reference_proto_goTypes = []any{ + (*WorkloadPIDReference)(nil), // 0: spiffe.reference.WorkloadPIDReference + (*KubernetesPodUIDReference)(nil), // 1: spiffe.reference.KubernetesPodUIDReference +} +var file_spiffe_reference_reference_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_spiffe_reference_reference_proto_init() } +func 
file_spiffe_reference_reference_proto_init() { + if File_spiffe_reference_reference_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_spiffe_reference_reference_proto_rawDesc), len(file_spiffe_reference_reference_proto_rawDesc)), + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_spiffe_reference_reference_proto_goTypes, + DependencyIndexes: file_spiffe_reference_reference_proto_depIdxs, + MessageInfos: file_spiffe_reference_reference_proto_msgTypes, + }.Build() + File_spiffe_reference_reference_proto = out.File + file_spiffe_reference_reference_proto_goTypes = nil + file_spiffe_reference_reference_proto_depIdxs = nil +} diff --git a/proto/spiffe/reference/reference.proto b/proto/spiffe/reference/reference.proto new file mode 100644 index 0000000..28e6cd3 --- /dev/null +++ b/proto/spiffe/reference/reference.proto @@ -0,0 +1,17 @@ +syntax = "proto3"; +package spiffe.reference; +option go_package = "github.com/spiffe/spire-api-sdk/proto/spiffe/reference;reference"; + +// The WorkloadPIDReference message conveys a process id reference of a workload +// running in the same environment. +message WorkloadPIDReference { + // Required. The process id of the workload. MUST be a positive integer. + int32 pid = 1; +} + +// The KubernetesPodUIDReference message conveys a Kubernetes pod UID reference of a +// workload running in a Kubernetes cluster. +message KubernetesPodUIDReference { + // Required. The UID of the Kubernetes pod. MUST be a valid UUID string. + string uid = 1; +} \ No newline at end of file
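Review bot: `WorkloadPIDReference.pid` is documented as "MUST be a positive integer", but in proto3 an unset field decodes as 0, so the comment should state that servers reject `pid <= 0` instead of resolving it as a reference. PIDs are also recycled, so a PID names a process only at the instant the server resolves it; the comment should say that the reference is not stable and that servers verify the live process is the intended one before releasing anything for it, e.g. `// PIDs are reused. A reference is only meaningful while the process is alive; servers SHOULD confirm the process identity (e.g. its start time) at resolution time.` The same applies to `KubernetesPodUIDReference.uid`: "MUST be a valid UUID string" is a server-side validation requirement that the encoder does not enforce, and the comment should say so. The file also lacks a trailing newline.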