Witness Service
The Witness Service coordinates time epochs and issues bearer tokens to sidecars.
Purpose
- Epoch management: Defines discrete time periods (default: 1 hour)
- Bearer tokens: Issues tokens that bind attestations to epochs
- Identity verification: Maintains witness-derived binary identity
- Freshness guarantee: Ensures attestations are current
Heartbeat Endpoint
```javascript
// POST /api/v1/s3p/heartbeat
const response = await fetch('https://witness.glacis.io/api/v1/s3p/heartbeat', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer glc_live_...',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    sidecarId: 'sidecar_abc123',
    organizationId: 'org_xyz789'
  })
});

const { epochId, bearerToken, expiresAt, witnessId } = await response.json();
```
Response
```json
{
  "epochId": "epoch_2024010112",
  "bearerToken": "wt_abc123...",
  "expiresAt": 1704110400000,
  "witnessId": "witness_primary"
}
```
Token Lifecycle
- Sidecar requests token via heartbeat
- Witness issues epoch-bound token
- Token valid only for current epoch
- Sidecar must refresh before expiration
Best Practices
- Cache tokens and refresh 5 minutes before expiration
- Handle token refresh failures gracefully
- Log epoch IDs for debugging
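The practices above combined into a sidecar-side token cache, as an added example rather than Glacis code. `createTokenCache` and the injected `requestHeartbeat` function (assumed to perform the heartbeat POST and resolve to the parsed response body) are hypothetical names; only the response fields come from this page.

```javascript
const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh 5 minutes before expiresAt

// True when there is no cached token or it is inside the refresh window.
function needsRefresh(cached, now) {
  return !cached || now >= cached.expiresAt - REFRESH_MARGIN_MS;
}

// True while the cached token has not yet expired.
function isUsable(cached, now) {
  return Boolean(cached) && now < cached.expiresAt;
}

// requestHeartbeat (hypothetical): async () => { epochId, bearerToken, expiresAt, witnessId }
function createTokenCache(requestHeartbeat, { now = Date.now, log = console.log } = {}) {
  let cached = null;
  let inFlight = null; // concurrent callers share a single refresh

  async function refresh() {
    const fresh = await requestHeartbeat();
    if (!fresh.bearerToken || !(fresh.expiresAt > now())) {
      throw new Error('heartbeat returned an unusable token');
    }
    // Log the epoch ID only; the bearer token itself never goes to logs.
    if (!cached || cached.epochId !== fresh.epochId) {
      log(`witness epoch ${cached ? cached.epochId : 'none'} -> ${fresh.epochId}`);
    }
    cached = fresh;
    return cached;
  }

  return async function getToken() {
    if (!needsRefresh(cached, now())) return cached;
    inFlight = inFlight || refresh().finally(() => { inFlight = null; });
    try {
      return await inFlight;
    } catch (err) {
      // Refresh failed: keep the cached token only while it is unexpired.
      if (isUsable(cached, now())) {
        log(`heartbeat failed, keeping epoch ${cached.epochId}: ${err.message}`);
        return cached;
      }
      throw err; // never hand out an expired token
    }
  };
}
```

A failed refresh inside the 5-minute window still returns the cached token, so the next `getToken()` call retries the heartbeat; once `expiresAt` has passed, the error propagates to the caller.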