Comment by ymyms

1 day ago

Building https://www.hessra.net/, an authorization system based on the Biscuit token format (decentralized, signed, and attenuable). The goal is to push beyond JWTs and Zanzibar-style policy engines by giving every machine-to-machine request its own embedded, verifiable authorization logic in a small capability token. These tokens can be delegated, restricted, and verified locally with no extra network calls required after getting the token.

Early use case is replacing API keys with identity tokens that expire, delegate, and prove possession, and that can then be used for an easy step-up to fine-grained authorization. There's some pretty interesting authorization stuff you can do, like having multiple parties sign off before a token is valid or requiring that a series of microservices sign a token for it to be valid.
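The comment above describes the mechanism without showing it, so here is an added example of an attenuable capability token, written for this page and not taken from Hessra or from the Biscuit libraries. It mirrors Biscuit's chaining structure (each block is signed by the previous block's ephemeral key, the first by the root key, and the holder keeps only the last ephemeral secret key), but everything else is simplified and assumed for illustration: the Pair/Block/Token types, the Issue/Attenuate/Authorize functions, JSON as the signed encoding, and a check language reduced to key=value equality plus a numeric "expires" rule. Real Biscuit uses Datalog and Protobuf. The point it demonstrates is the one the comment makes: a holder can restrict a token offline, a verifier needs only the root public key, and neither stripping an attenuation block nor editing one gets past verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strconv"
)

type Pair [2]string // a key/value fact or check, e.g. Pair{"operation", "read"}

// Block is one link of the chain: facts (honoured only in the authority block), checks,
// a fresh ephemeral public key, and a signature over all of that by the previous key.
type Block struct {
	Facts, Checks []Pair
	NextPub       ed25519.PublicKey
	Sig           []byte
}

// Token is the chain plus the last ephemeral secret key: proof of possession, and all a holder needs to attenuate further.
type Token struct {
	Blocks     []Block
	LastSecret ed25519.PrivateKey
}

// payload is what gets signed for a block: everything except its own signature.
func payload(b Block) []byte {
	b.Sig = nil
	out, _ := json.Marshal(b) // fixed field order, so deterministic
	return out
}

// extend signs a new block with signer and rotates to a fresh ephemeral key.
func extend(signer ed25519.PrivateKey, prev []Block, b Block) (*Token, error) {
	pub, sec, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	b.NextPub = pub
	b.Sig = ed25519.Sign(signer, payload(b))
	return &Token{Blocks: append(append([]Block{}, prev...), b), LastSecret: sec}, nil
}

// Issue creates the root-signed authority block, the only block whose facts count.
// Attenuate appends a checks-only block signed by the current ephemeral key; any
// holder can do this offline, and it can only narrow what the token authorizes.
func Issue(root ed25519.PrivateKey, facts ...Pair) (*Token, error) { return extend(root, nil, Block{Facts: facts}) }
func Attenuate(t *Token, checks ...Pair) (*Token, error) { return extend(t.LastSecret, t.Blocks, Block{Checks: checks}) }

func satisfied(c Pair, facts map[string]string) bool {
	if c[0] == "expires" { // numeric: the verifier's "now" must not exceed the limit
		now, err1 := strconv.ParseInt(facts["now"], 10, 64)
		exp, err2 := strconv.ParseInt(c[1], 10, 64)
		return err1 == nil && err2 == nil && now <= exp
	}
	got, ok := facts[c[0]] // anything else must match a fact exactly
	return ok && got == c[1]
}

// Authorize needs only the root public key: it verifies the signature chain and the proof of
// possession, then every check in every block against the authority facts plus the ambient
// facts (operation, now, ...) that the verifier itself supplies for this request.
func Authorize(rootPub ed25519.PublicKey, t *Token, ambient map[string]string) error {
	key := rootPub
	for i, b := range t.Blocks {
		if !ed25519.Verify(key, payload(b), b.Sig) {
			return fmt.Errorf("block %d: bad signature", i)
		}
		key = b.NextPub
	}
	// An empty chain, or a stripped trailing block, leaves no matching secret key.
	if len(t.Blocks) == 0 || len(t.LastSecret) != ed25519.PrivateKeySize || !key.Equal(t.LastSecret.Public()) {
		return fmt.Errorf("proof of possession does not match last block")
	}
	facts := map[string]string{}
	for _, f := range t.Blocks[0].Facts { // facts in later blocks are ignored
		facts[f[0]] = f[1]
	}
	for k, v := range ambient { // trusted because the verifier chose them
		facts[k] = v
	}
	for i, b := range t.Blocks {
		for _, c := range b.Checks {
			if !satisfied(c, facts) {
				return fmt.Errorf("block %d: check %s=%s failed", i, c[0], c[1])
			}
		}
	}
	return nil
}

func main() {
	rootPub, rootSec, _ := ed25519.GenerateKey(rand.Reader)
	full, _ := Issue(rootSec, Pair{"user", "alice"}, Pair{"role", "editor"})
	narrow, _ := Attenuate(full, Pair{"operation", "read"}, Pair{"expires", "1700000000"})
	fmt.Println(Authorize(rootPub, narrow, map[string]string{"operation": "write", "now": "1699999999"}))
}
```

Two design points worth noticing when reading it. The verifier rebuilds its fact set from the authority block and its own ambient facts only, so a holder who signs an extra block containing facts gains nothing, and the ambient "now" comes from the verifier rather than the token, so the expiry check cannot be satisfied by a client-supplied clock. Dropping the trailing block is caught by the proof-of-possession step: the remaining block names an ephemeral public key whose secret half was discarded when the next block was created, so no one, including the attenuator, can produce the proof for the wider token.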