syntax = "proto3";
package spire.api.types;
option go_package = "github.com/spiffe/spire-api-sdk/proto/spire/api/types";

import "spire/api/types/spiffeid.proto";

// X.509 SPIFFE Verifiable Identity Document. It contains the raw X.509
// certificate data as well as a few denormalized fields for convenience.
message X509SVID {
    // Certificate and intermediates required to form a chain of trust back to
    // the X.509 authorities of the trust domain (ASN.1 DER encoded).
    repeated bytes cert_chain = 1;

    // SPIFFE ID of the SVID.
    spire.api.types.SPIFFEID id = 2;

    // Expiration timestamp (seconds since Unix epoch).
    int64 expires_at = 3;

    // Optional. An operator-specified string used to provide guidance on how this
    // identity should be used by a workload when more than one SVID is returned.
    // For example, `internal` and `external` to indicate an SVID for internal or
    // external use, respectively.
    string hint = 4;
}