Operationalizing Macaroons
Source: fly.io Date: 2025-04-10 URL: https://fly.io/blog/operationalizing-macaroons/
Summary
Engineering writeup documenting Fly.io’s operational Macaroon token infrastructure — not a release but a knowledge-transfer writeup as the internal project changes hands. Key details: token verification runs on tkdb, a ~5,000-line SQLite + LiteFS/Litestream system; Noise protocol over Anycast HTTP limits token minting to a small set of system components; caching achieves 98% hit rates to avoid transoceanic lookups; service tokens use Macaroon attenuation to scope privileges per-machine, limiting blast radius from exfiltrated tokens.
Implications
Infrastructure substrate / edge deployment economics. Macaroons enable a specific security pattern that matters for multi-tenant, globally distributed systems: tokens that can be attenuated by any holder, scoped to specific machines or instances. The 98% cache hit rate on verification is operationally significant — it means the token infrastructure doesn’t add meaningful latency to hot paths. For the radar, this is the security substrate that underlies Fly’s agent workload ambitions: if Sprites and MCP servers need scoped, attenuated credentials per-agent, Macaroons are the right primitive. Notably, the tkdb SQLite + Litestream architecture is a real-world proof that SQLite can handle high-QPS infrastructure workloads with geographic distribution.
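Added example, not from the Fly.io post or its code: the generic Macaroon HMAC-chain construction, showing how any holder can attenuate a token down to one machine without the root key, and why an exfiltrated attenuated token cannot be widened again. The caveat syntax (`app = ...`, `machine = ...`), the token id, the key and the helper names are assumptions for illustration, not Fly.io's token format.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key: bytes, token_id: str) -> dict:
    """Issuer only: requires the root key held by the verification service."""
    return {"id": token_id, "caveats": [], "sig": _mac(root_key, token_id.encode())}

def attenuate(token: dict, caveat: str) -> dict:
    """Any holder: the old signature becomes the HMAC key for the new caveat."""
    return {"id": token["id"],
            "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat.encode())}

def _caveat_holds(caveat: str, context: dict) -> bool:
    # Hypothetical "key = value" caveat syntax; unknown or malformed caveats fail closed.
    key, sep, want = caveat.partition(" = ")
    return bool(sep) and context.get(key) == want

def verify(root_key: bytes, token: dict, context: dict) -> bool:
    """Recompute the chain from the root key, then require every caveat to hold."""
    sig = _mac(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        sig = _mac(sig, caveat.encode())
    if not hmac.compare_digest(sig, token["sig"]):
        return False
    return all(_caveat_holds(c, context) for c in token["caveats"])

# Constructed sample values, for illustration only.
ROOT_KEY = b"constructed-demo-root-key"
org_token = mint(ROOT_KEY, "tok-1")
machine_token = attenuate(attenuate(org_token, "app = demo"), "machine = m-1234")

def strip_last_caveat(token: dict) -> dict:
    """What a thief would try: drop the machine caveat but keep the signature."""
    return dict(token, caveats=token["caveats"][:-1])

if __name__ == "__main__":
    on_machine = {"app": "demo", "machine": "m-1234"}
    elsewhere = {"app": "demo", "machine": "m-9999"}
    print("on its machine:  ", verify(ROOT_KEY, machine_token, on_machine))
    print("replayed elsewhere:", verify(ROOT_KEY, machine_token, elsewhere))
    print("caveat stripped: ", verify(ROOT_KEY, strip_last_caveat(machine_token), elsewhere))
```

Because each signature is keyed by the previous one, removing a caveat would require inverting HMAC; the holder can only ever narrow what the token allows.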