Fly.io, a company that transforms containers into VMs, has developed a new security token system called Macaroons. Unlike stateless tokens, Macaroons are minimally-stateful bearer tokens that carry a user ID and can be used to look up the HMAC key for verification. The tokens consist of a series of claims called “caveats” that restrict the token’s authorization. Macaroons also support third-party caveats, allowing users to add additional authorization requirements from trusted third-party services. Overall, Macaroons provide a simple and flexible solution for scoping down API tokens and expressing role-based permissions without the need for complex permission systems.
https://fly.io/blog/macaroons-escalated-quickly/