Workloads¶
A Workload is a registered application or service that authenticates to retrieve secrets at runtime via an API call. Unlike Couriers (which write secrets to files) or Bridges (which cache secrets in memory for local consumers), Workloads call an API endpoint to retrieve secrets on demand — making them well-suited for applications that need to resolve secrets dynamically rather than at startup.
Workloads can authenticate against two targets:
- Zaita SaaS — the cloud platform, reached at
https://<tenant>.zaita.io. Requires live platform connectivity on every call. - A Bridge — an on-premises agent that exposes the same API endpoints and serves secrets from its local in-memory cache. Does not require a live SaaS connection at retrieval time.
Role required: Managing Workloads requires the Secrets Administrator or Super Administrator role.
Authentication Methods¶
Workloads support six authentication methods. The appropriate method depends on where the Workload runs and what identity infrastructure is available.
| Method | Best For |
|---|---|
client_secret |
Simple environments; applications with no cloud identity provider |
pki_certificate |
Environments with existing X.509 PKI infrastructure |
azure_jwt |
Applications running in Azure with Managed Identity or Workload Identity Federation |
azure_arc |
Workloads running on Azure Arc-enrolled on-premises or edge servers |
spiffe_spire |
Service meshes and environments using SPIFFE/SPIRE for workload identity |
oidc_oauth2 |
Applications using a generic OIDC/OAuth2 identity provider |
Where possible, prefer the credential-less methods (azure_jwt, azure_arc, spiffe_spire, oidc_oauth2) over client_secret and pki_certificate. Credential-less authentication eliminates the need to rotate long-lived secrets and reduces the risk of credential leakage.
See Authentication for configuration details for each method.
Workload API Endpoints¶
Once registered and granted access, a Workload can call the following endpoints to retrieve secrets. These endpoints are identical whether the target is the SaaS platform or a Bridge — only the base URL changes.
| Method | Endpoint | Description |
|---|---|---|
GET |
/api/v1/workload/lockers |
List all Lockers the Workload has access to |
POST |
/api/v1/workload/lockers/{lockerUuid}/download |
Download secrets from a single Locker |
POST |
/api/v1/workload/lockers/download-all |
Download secrets from all accessible Lockers |
Secrets are returned as plaintext JSON over the TLS-secured connection. The TLS channel (authenticated via the Workload's credentials) provides confidentiality and integrity in transit. No additional encryption layer or public key exchange is required — the Workload can consume the response directly without any local decryption step.
This differs from Courier and Bridge delivery, where secrets are re-encrypted with an ECDH-derived key before leaving the platform so that only the holder of the corresponding private key can decrypt them.
Authenticating Against a Bridge¶
When a Workload targets a Bridge, it authenticates to https://<bridge-host>/api/v1/workload/... using the same credentials it would use against the SaaS. The Bridge validates the credentials locally using synced credential data (bcrypt hashes, certificate fingerprints, or IdP configuration) received from the platform during its heartbeat cycle.
Access Rule¶
A Workload can access a Locker via a Bridge if and only if both of the following are true:
- The Workload has been granted access to that Locker (via the Locker's Workload Access tab).
- That Locker is assigned to the Bridge's cache (via the Locker's Bridge Cache tab).
No additional portal configuration is required. The Bridge automatically serves the intersection of these two existing assignments.
If a Workload requests a Locker that satisfies only one condition — for example, the Locker is cached on the Bridge but the Workload has no access grant — the Bridge returns an authorisation error, and the attempt is logged.
Comparing Delivery Methods¶
| Method | Delivery | Persistence | Requires Live SaaS Connection |
|---|---|---|---|
| Workload → SaaS | Direct API call, JSON response | None (transient) | Yes, on every call |
| Workload → Bridge | API call to Bridge, served from local cache | None (transient) | No — Bridge cache survives SaaS outages |
| Courier | Written to file on schedule | File on disk | Yes, on each scheduled run |
| Bridge (Courier/in-memory) | In-memory cache | Until Bridge restarts | No — cache survives SaaS outages |
For guidance on choosing the right delivery method, see Introduction to Secrets Management.
Next Steps¶
- Setting up Workloads — create Workloads and grant Locker access.
- Authentication — detailed configuration for all six authentication methods.
- Best Practices for Workloads — guidance on method selection and access scoping.