Capability tokens · 4 active
Each capability authorizes a specific service to request signatures with this key. Time-boxed, rate-limited, revocable.
| BEARER | SCOPE | ISSUED BY | EXPIRES | RATE LIMIT | USED · 24h | |
|---|---|---|---|---|---|---|
| edge-pool-us-west | threshold-sign · app.example.com | did:grid:pub:mk2…r4 | 60d (rolling) | 1k/hr | 30268 | |
| edge-pool-eu | threshold-sign · app.example.com | did:grid:pub:mk2…r4 | 60d (rolling) | 1k/hr | 15134 | |
| edge-pool-apac | threshold-sign · app.example.com | did:grid:pub:mk2…r4 | 60d (rolling) | 500/hr | 3417 | |
| acme-bridge | renew-cert · app.example.com | did:grid:pub:mk2…r4 | 1d (one-shot) | 1/d | 0 |
Rate limit policy
Per-cap rate cap
Maximum sigs/hr a single capability can request, regardless of what you grant it.
Burst allowance
Extra sigs allowed in a 60s burst above the rate.
Auto-throttle on anomaly
If signature rate exceeds historical p99, automatically reduce to p95 and notify.
Revoked capabilities · last 30 days
| BEARER | SCOPE | REVOKED | REASON |
|---|---|---|---|
| old-edge-pool-iad | threshold-sign | 8d ago | pool decommissioned |
| staging-edge | threshold-sign | 22d ago | expired naturally |