Add opener to Workload Identity API and Workload Attestationreference

strideynet · strideynet · commit 2196b3f98c54 · 2025-01-23T16:27:03.000Z
diff --git a/docs/pages/reference/workload-identity/workload-identity-api-service.mdx b/docs/pages/reference/workload-identity/workload-identity-api-service.mdx
@@ -3,7 +3,22 @@ title: Workload Identity API & Workload Attestation
 description: Information about the `tbot` Workload Identity API service and Workload Attestation functionality
 ---
 
-TODO: Brief Intro to the API
+The Workload Identity API service (`workload-identity-api`) is a configurable
+`tbot` services that allows workloads to request JWT and X509 workload identity
+credentials on-the-fly.
+
+It's a more secure alternative to writing credentials to disk and supports
+performing a process known as workload attestation to determine attributes of
+the workload before issuing credentials.
+
+The Workload Identity API is compatible with two standards:
+
+- [SPIFFE Workload API](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md)
+- [Envoy SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)
+
+In addition to issuing credentials to workloads, the Workload Identity API can
+also provide the trust bundle necessary for workloads to validate the
+credentials of other workloads.
 
 ## Configuration
 
