tl;dr: The authentication token is a huge entrance into infrastructure managed by Salt. Treat it with the utmost care.
SpiroFS does not authenticate or encrypt its storage.
Authentication & Authorization
SpiroFS uses macaroons as the basis of its authentication. While the tooling to utilize the more advanced features, it does mean that limitations of a token are cryptographically baked-in to the token.
SpiroFS does not use third-party caveats. Its first-party caveats are a JSON-formatted object, where the keys are limiter names and the values are arguments to those limiters.
not_before: int or float, disallows if the current Unix timestamp is less than the argument
not_after: int or float, disallows if the current Unix timestamp is greater than the argument
project_allow: list of strings, disallows if the current project is not in the argument
project_deny: list of string, disallows if the current project is in the argument
Part of macaroons is a master secret. This is generated automatically on first
use. It is generated via a cryptographically-suitable source for the system
os.urandom()). It is stored next to the Salt Master's private